Hacking is a phenomenon known all around the world. Hackers are people who use data manipulation in order to remotely control networks to steal data. Hacking has advanced vastly over time, leaving users’ personal information defenceless. EH (Ethical Hacking), also known as penetration testing, is a tool used around the globe in order to tackle cyber criminals. SMEs and banks need to upgrade their defences and take the correct steps in order to protect their businesses from such a threat. Hackers are divided into three types: Black Hats, Grey Hats and White Hats. EH is also used by governments all over the world, as cyber wars have led to increased security breaches and loss of public data. Governments may apply strict procedures in order to counter terrorism and prevent crime. The term ‘ethical’ describes something which is morally good or correct; however, today humanity fails to understand whether EH actually benefits society or not.
Keywords: Ethical Hacking, Penetration Testing, Educational, Professional, Governmental
The purpose of this report is to highlight the advantages and disadvantages of EH within three separate sectors: educational, professional and governmental. Constructive analysis and criticism of applying EH within all three fields will be made in order to understand its benefits and drawbacks.
Understanding the reason why an individual may want to infiltrate or hack into a system is usually the most difficult task. Knowing the intention behind cyber-attacks usually allows room for prevention, as the user may be able to defend against any possible system vulnerability. EH is used as a penetration testing tool in order to prevent breach of basic rights, privacy and free will. According to author Graves, “Ethical hackers are usually professionals or network penetration testers who use their hacking skills and toolsets for defensive and protective purposes” (Graves, 2007).
There are three sorts of hackers: Black Hat, Grey Hat and White Hat (Hoffman, 2013). White Hats are usually software engineers that hack for good, and hack with respect to corporate/business networking structures. A Grey Hat hacker may do things that are imperfect in nature, but not to intentionally hurt people or damage systems, unless there is a genuine positive result. A Black Hat hacker will maliciously misuse computers and networks with pernicious aim, with no legitimate reason (Jackson, 2016). However, Logan et al. (2005) described hacking as accessing a system that one is either not authorized to access, or accessing a system at a level beyond one’s authorization, clearly abandoning the possibility of ethics being applied to it.
The rise in cybercrime is a major issue for organisations, and it has been reported that over 30,000 SME websites are hacked daily (Berger et al. 2016). Advanced cyber security is a necessity to fight off Black Hat hackers, and organisations all over the world need to start implementing such procedures to protect their businesses, but the costs related to EH make it impossible for smaller companies to cope (Berger et al. 2016).
EH has gone beyond just professionals, as universities all around the world have been offering courses to graduate and undergraduate students to increase their understanding of how to protect data and apply security procedures in an ethical way. This makes it easier for organisations to employ talent rather than pay for services from external organisations; however, teaching young students the profession of hacking without knowledge of their intent could be suicidal.
EH can be applied to many circumstances; however, this paper will discuss the advantages and disadvantages of EH within three separate sectors (education, business and government) to allow the reader to truly understand and grasp the importance of the subject at hand.
When exploring EH the question arises: ‘can hacking ever be ethical?’ “Ethical hackers employ the same tools and techniques as the intruders, but they neither damage the target systems nor steal information. Instead, they evaluate the target systems’ security and report back to owners with the vulnerabilities they found and instructions for how to remedy them” (Curbelo et al. 2016). In addition, EH involves applying penetration testing, or deliberately accessing networks through ‘unlawful means’, specifically to determine the depth of a system's security. These tests are usually carried out by larger corporations (Hartley, 2006).
Organizations and large corporations today are under huge pressure to shield their data from external and internal security threats to their computer systems. Accordingly, the majority of them have taken the precautionary measure of employing Ethical Hackers. "To catch a thief, you must think like a thief. That’s the basis for ethical hacking. Knowing your enemy is absolutely critical" (Beaver, 2014). In other words, Ethical Hackers are experienced security and system specialists that carry out an attack on a target system with authorization from the company, in order to discover loopholes and vulnerabilities that malicious hackers could exploit. This procedure is also known as Penetration Testing. The true objective of ethical hackers is to learn system vulnerabilities with the intention to repair the damage and help organisations fight off cyber criminals (Smith et al. 2002). Every Ethical Hacker has to follow three critical guidelines. Firstly, ‘working ethically’: all activities performed by the hacker have to benefit the organisation’s objectives, and so ‘Reliability is an absolute fundamental’. Secondly, ‘respecting privacy’, as all data that is collected must be treated with the utmost respect. Finally, making sure ‘systems remain intact’; harm to systems usually takes place due to the hacker taking the system lightly (Beaver, 2014).
The procedure of EH contains a wide range of steps. The first thing that is done is to detail a step-by-step plan. At this stage, getting approval and an agreement from the organisation to carry out the penetration test is critical (Beaver, 2014). Next, the ethical hacker uses scanning tools to check for open ports on the system. "Once a malicious hacker scans all computers and realises which operating system they use then almost all kinds of attacks are possible" (Smith et al. 2002). This strategy is used by Black Hats with malicious intent or purpose. After careful examination, the ethical hacker will choose the tools that he will use for specific tests on the network. These tools can be used for password cracking and planting entry points for future attacks. The tests should be performed precisely; if they are done incorrectly they could harm the system (Smith et al. 2002). Finally, the plan should be executed and the results of all the tests should then be assessed (Beaver, 2014). Based on the outcomes, the ethical hacker informs the company about their security vulnerabilities and also how they can be fixed to make the system more secure.
Advantages and Disadvantages.
The paper will now discuss the advantages and disadvantages of applying EH in three separate categories: teaching EH and its implications, the use of EH within a business field, and how the government utilises ethical hacking.
Benefits and Drawbacks of Teaching Ethical Hacking.
The idea of teaching people how to hack in graduate and undergraduate courses has received much consideration of late. At university level, the thought behind hacking as a method of training is to teach students how to ensure the protection of resources in future working environments. An argument exists as to whether the benefit of educating an individual how to hack, so that he may in turn use the ability in a positive way to protect network security, exceeds the potential danger of teaching students to use the same skills to hack with illicit intent (Hartley, 2015).
However, according to Xu et al. (2013), the pursuit of hacking usually begins with innocent intentions, for example curiosity or just wanting to have more knowledge. Even though these hackers have no ill intent and are hardly disciplined, a moral value is formed that as long as they bring no harm to others and benefit themselves it is not wrong (Xu et al. 2013).
Educating people in EH may well decrease the number of ‘Black Hat’ hackers, as the individuals who learn illicit hacking strategies may in all likelihood use similar tools to benefit and protect future organisations, as they have been nurtured morally and ethically. Poteat states "the objective of the teacher is to ingrain the knowledge that they have about any given subject into their understudies with the goal that they understand the material as well as know how to apply it". This clearly demonstrates the likelihood that a student would use his abilities morally rather than maliciously, indicating the advantage of teaching individuals how to hack at university level (Poteat 2004).
System technology keeps on developing and adjusting over time and consistently advances to a higher level. Technology has almost turned into a necessity, like eating, shopping, dressing and communicating with family and friends. As systems keep on improving so do operating systems, and with malicious black hats lurking and searching for a network leak, it is vital to show people how to protect organisations and society from such a threat, in order to keep private and confidential information safe. According to research conducted by Poteat, there are general concerns in regards to EH being taught, and individuals are paying substantial amounts for weekly training camps within the region of $4500. An interview was conducted with two security professionals at the time who stated: "giving these skills to the masses is somewhat irresponsible, as there is no way to guarantee they will not be used to cause harm", and "I think that frankly, people who think that by calling it an EH course [believe they] are only providing these skills to ethical people are delusional" (Poteat 2004). This clearly indicates the impossibility of knowing whether an individual has malicious intent or not. However, not teaching hacking with ethical principles comes with a consequence: those who are willing to learn may find other means of educating themselves, which could exist without strict guidelines of what is moral and immoral.
It is also important to understand that every student studying the field of EH would need to be handled with care. They would need to be accepted as students and recognised for their academic achievements throughout the duration of the course. This will have a huge effect on whether they continue to apply their skills for an ethical purpose or use them to carry out malicious activity in order to get recognised within the hacking world. Hackers could join specific online communities in order to gain recognition for their skills and talent (Pike et al. 2013).
This highlights the importance for each and every college or university of taking preliminary precautions in order to weed out potential threats to society in the near future; however, doing so would be extremely difficult. Other safety measures would need to be put in place in order to maintain the correct level of teaching standards all around the world. If educational institutions are not teaching students with care and discipline it could lead to nurturing the wrong talent, and much malicious activity could follow, but keeping records and managing such a task is near impossible.
SMEs and applying Ethical Hacking.
Having adequate preventative measures in place to prevent security breaches within an organisation is very important in society today. As technology has grown vastly over time and computer networks have become a necessity to speed up business processes, it has become paramount for SMEs to adopt security procedures to prevent breaches. Most businesses today secure confidential client data and information which, in compliance with data protection, can only be seen, touched or changed by the client himself and the business they are in contract with. However, businesses are vulnerable to malicious cyber-attacks and security breaches due to the lack of security measures put in place by the organisation itself, leading to a leak of confidential information (Devine, 2016).
Regardless of the level of security breach, there is a dispute on whether EH is suitable for or will benefit all organisations. Knowledge of hacking can be a very powerful tool in order to protect organisations and society, and it could protect companies from malicious attacks due to weaknesses within their security. However, due to a lack of resources or no particular concern, it is very unlikely for a company to take protective measures against such attacks. A recent survey from Unisys and the Ponemon Institute found that nearly 70% of firms responsible for power, water and other crucial infrastructure have suffered at least one security breach which led to a loss of confidential information. 64% expected another serious attack to take place at the end of the reported year; however, only 24% of the companies ranked information security as a serious threat and strategic priority (Devine, 2016).
The protection of company infrastructure could come down to the pressure put on organisations by Grey Hat hackers, who look for security breaches within a business infrastructure for the greater good of society, as they believe the importance of society is far greater than the importance of consumers. It is evident from a vast number of cases that huge corporations such as Microsoft, PayPal and Apple have delayed addressing serious security breaches, with each vulnerability only taking a matter of minutes to repair (Kirsch, 2014). If a company were to set aside finances for the purpose of protecting client information it would indeed benefit the public; however, the costs of doing so would inevitably wound the pocket of the company.
The costs of employing programmers have increased over time with the development of technology, and major companies which would affect the economy of a country are being targeted; therefore it is vital for such infrastructures to have security precautions in place. However, SMEs are organisations which are a lot smaller, and applying strict security precautions would cost a great deal of money, making it financially difficult for them to exist. The fact that EH costs a lot of money and hackers who have studied the profession charge preposterous amounts contradicts the “ethics” behind ethical hacking. How can organisations hire ethical hackers to protect and apply security measures for their infrastructure if they cannot afford to do so? The profession almost seems like a scheme to hold organisations to ransom, as there is a need for a hacker’s expertise.
Therefore it is vital for smaller organisations to look for alternative routes to protect their data from potential hacks in the near future. There are several free open source web tools which could be used for penetration testing. It is important for all information to be stored on external infrastructures which are not connected directly to a network, making it near impossible for hackers to steal information unless the hacker is working within (Smith, 2004).
This is an easy and cheaper alternative for SMEs to protect confidential information and safeguard their data. If, however, an SME does decide to seek help from an external organisation to protect its data, then as an organisation it would need to understand that it is allowing an ‘ethical hacker’ to look through unauthorised information and putting trust in someone who has no emotional attachment to the organisation; therefore the possibility that the hacker’s intent could change exists.
It is clearly evident that as technology continues to grow, the number of SMEs with a network connection in order to trade online also grows, which means the threat of hackers breaching a system increases. According to Leyden (2003), small firms are attacked with viruses, denial of service and worm attempts at an average rate of 500 attempts every month.
SMEs accounted for 99.1% of the UK’s population. The average cost of a company’s most serious breach is in the region of £1000 and for larger organisations 120,000. It was also reported in a survey from IBM in 2005 that over 237 million security attacks were carried out against companies over the course of 6 months (Schifreen, 2007). Since the majority of the UK’s economy is SME populated, it is vital to apply a strong IT security infrastructure in order to reduce financial losses and security breaches.
Ethical Hacking at a Government Level.
In order for the government to protect valuable information and to protect the country from possible terrorist attacks or breaches of national security, EH is considered to be of the utmost importance. Fighting against terrorism is a focus of every nation and is considered to be of the highest priority; therefore the use of EH in order to counteract major attacks on their security systems is an obvious fundamental (Passi et al. 2015). However, this is not the only requirement: EH could be used as a tool in order to reduce the crime rate and to protect individual data and confidentiality. Numerous cases have been addressed with the Metropolitan Police successfully tracking down hackers stealing confidential information (McGuire et al. 2013).
EH on a government level will require the programmer to handle information with strict secrecy and delicacy. Information on the country’s weaponry and defence systems could aid enemy nations, which is clearly a matter of national security and could lead to potential terrorist attacks. However, such information cannot be handed over to penetration testers on trust alone. Information of this kind requires a nation’s trust to be placed in the hands of programmers, and the possibility of an ethical hacker using their knowledge to carry out malicious activities or to blackmail government officials always remains. If ethical hackers learn about the vulnerabilities within a government infrastructure they could easily destroy the entire system with illicit coding or malware. However, the likelihood of such a scenario taking place remains slim, as correct precautions would take place before penetration testing begins.
Acts carried out by government officials may not be deemed ethical even though they justify them as a method to counter terrorism. EH has been used to spy on American citizens, breaching privacy and confidentiality. Glenn Greenwald, an American journalist known for his patriotism, covered an amazing story which leaked confidential government data, including documents on how America spied on millions of its citizens in the name of countering terrorism (Greenwald, 2014). The use of EH was inappropriate even though the outcome was for the greater good: millions of citizens were spied on and information on their private affairs was in the hands of government officials. Edward Snowden, now seeking asylum in Russia, was the Grey Hat hacker, thinking about the greater good of the nation and its people. He is now a target and a wanted man, for committing perjury and hacking the NSA.
The government’s use of technology to hack and record millions of conversations cannot be deemed ethical in any way. It is clearly evident that government officials are in need of policing, and the defects of EH are apparent.
Regardless of the negativity surrounding how the government uses Ethical Hacking, it is clearly evident that the benefits outweigh the drawbacks. Militaries are trying to protect and secure assets they have worked years to build and spent a fortune on; weaponry and arsenals now run on software, making them useless if hacked into. Surveillance used to manage and run air control for flights coming in and out of the country is in jeopardy if breached. EH is a must in order to prevent a whole nation from falling; regardless of the drawbacks and the misuse, protection of lives holds the highest priority.
There are several benefits and drawbacks of applying EH today. Teaching students has come across as the most concerning of them all, as issues such as misuse and not knowing the intent of the learner cannot be drawn from tests alone. However, applying EH at a professional and business level is very important due to the necessity of networking today and how technology has advanced over time. Governments need to ensure they are ready to tackle any external attacks from cyber criminals and foreign nations; however, policing government procedures should also be considered in order to protect citizens’ confidentiality and privacy.