Ethics and Introduction
Ethics in computer security.
Objectives
- Understand why you should behave ethically in the field of offensive security
- Understand how to behave ethically in the field of offensive security.
Introduction
Disclaimer - This article does not constitute actual legal advice.
Hack a Bit is designed to teach you how to become a security expert in a fun, challenging, and supported environment.
- Be good. And hack things.
- Be good at hacking things.
When people think of hackers, they often think of something like this...

When hackers make the headlines, it is usually because a criminal organization has breached the systems of a large company or a government. Many people wonder why anyone would want to learn to hack at all. The answer is that the best security people know how to think like an attacker. Before we begin, we'll take a quick look at what it means to be an ethical hacker.
Lesson
Terminology
- White-hat hacker - someone who hacks with good intentions. *With permission*, white-hat hackers attack systems to identify vulnerabilities and help make them more secure.
- Black-hat hacker - someone who hacks with malicious intentions, usually engaging in criminal activity.
- Gray-hat hacker - someone who hacks with good intentions but without permission or through ethically questionable methods.
Reasons to Choose White-Hat
- You can probably make more money. Many white-hat hackers work as security consultants or are employed by a company looking for security professionals. According to Glassdoor, the average security engineer can expect a salary of $111,000. On the upper end of compensation, C-suite positions in major corporations (CIO, CISO) can earn millions of dollars.
- You avoid going to jail. There are a variety of laws in the US that allow for the prosecution of cybercrime, most notably, the Computer Fraud and Abuse Act. The government has been getting progressively more aggressive about prosecuting cybercrime in recent decades.

Examples of Cybercrime
- Identity theft
- Financial fraud
- Blackmail
- Ransomware/destruction of data
- Adware/spam
- Leaking software/data
- Running botnets
- Piracy, software cracks, and other warez
Rules to avoid Jail
We won't be discussing the specifics of the law, but if you
1. Don't touch things that aren't yours - Never attempt to exploit a system unless its owners have given you explicit permission. In Hack-a-Bit, you will be provided an environment where you are authorized to attack systems--just like a traditional white-hat!
2. Follow the rules - When performing a penetration test, ensure you have a written Statement of Work (SoW) or Rules of Engagement (RoE) from the system owners with a well-defined scope: which hosts, networks, and applications may be tested, during which time window, and with which techniques (for example, whether denial-of-service or social engineering is allowed). Systems that are not within the scope should not be tested. Make sure the person signing actually has the authority to grant permission; a customer usually cannot authorize you to attack infrastructure they rent from a third-party hosting or cloud provider, which may have its own testing policy.
3. Observe software licenses and EULAs. A product's terms of service can prohibit security testing even when you are a paying customer, so check them before you test a hosted service.
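Scope is easiest to respect when your tooling enforces it before any packet is sent. The following is an added example for this lesson, not code from the Hack a Bit platform: it parses a small scope block in the style an RoE might list (IP addresses, CIDR ranges and hostnames, with `!` marking exclusions) and answers "may I touch this target?" with a check that fails closed. The networks, hostnames, scope text and the dict-backed `fake_resolver` are all constructed for illustration; in real use you would pass the real resolver and load the scope from the signed RoE.

```python
import ipaddress
import socket
from dataclasses import dataclass, field

# Constructed RoE scope block (hypothetical networks and names).
# A leading '!' marks an exclusion; exclusions always win over includes.
SCOPE_TEXT = """
# In-scope networks and hosts
10.20.0.0/16
192.0.2.10
app.example.test
# Carved out of 10.20.0.0/16: never test these
!10.20.1.0/24
!db.example.test
"""

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "app.example.test": "203.0.113.5",
    "db.example.test": "10.20.5.20",     # excluded by name despite the range
    "www.example.test": "10.20.7.1",     # in scope via the /16
    "legacy.example.test": "10.20.1.3",  # resolves into the excluded /24
}

def fake_resolver(name: str) -> str:
    """Dict-backed resolver; raises KeyError like a failed lookup."""
    return FAKE_DNS[name]

@dataclass
class Scope:
    include_nets: list = field(default_factory=list)
    exclude_nets: list = field(default_factory=list)
    include_hosts: set = field(default_factory=set)
    exclude_hosts: set = field(default_factory=set)

def parse_scope(text: str) -> Scope:
    """Parse one entry per line: IP, CIDR or hostname, '!' for exclusions."""
    scope = Scope()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        excluded = line.startswith("!")
        entry = line[1:].strip() if excluded else line
        try:
            net = ipaddress.ip_network(entry, strict=False)  # single IP or CIDR
            (scope.exclude_nets if excluded else scope.include_nets).append(net)
        except ValueError:  # not an address, so treat it as a hostname
            (scope.exclude_hosts if excluded else scope.include_hosts).add(entry.lower())
    return scope

def in_scope(target: str, scope: Scope, resolver=socket.gethostbyname) -> bool:
    """True only when target is positively authorized; anything unclear fails closed."""
    target = target.strip().lower()
    try:
        ip = ipaddress.ip_address(target)
        listed_by_name = False
    except ValueError:
        if target in scope.exclude_hosts:
            return False
        try:
            ip = ipaddress.ip_address(resolver(target))
        except (OSError, ValueError, KeyError):
            return False  # unresolvable: we cannot show it is in scope
        listed_by_name = target in scope.include_hosts
    if any(ip in net for net in scope.exclude_nets):
        return False  # address lands in a carved-out range
    return listed_by_name or any(ip in net for net in scope.include_nets)

def split_targets(targets, scope: Scope, resolver=socket.gethostbyname):
    """Partition a target list into (allowed, refused) before any scanning starts."""
    allowed, refused = [], []
    for t in targets:
        (allowed if in_scope(t, scope, resolver) else refused).append(t)
    return allowed, refused

if __name__ == "__main__":
    scope = parse_scope(SCOPE_TEXT)
    candidates = ["10.20.5.7", "10.20.1.9", "app.example.test",
                  "db.example.test", "legacy.example.test", "unknown.example.test"]
    allowed, refused = split_targets(candidates, scope, fake_resolver)
    print("allowed:", allowed)
    print("refused:", refused)
```

Two design choices matter here. Exclusions beat includes, so a hostname that is listed by name but resolves into an excluded range is refused rather than silently tested. And anything the check cannot classify (an unresolvable name, a malformed entry) is refused, because "I wasn't sure" is not a defence under the CFAA.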

Bug Bounty Programs
Many companies now run bug bounty programs, which grant you permission to perform security assessments of their software and systems, and many will pay you for doing so. Platforms such as **HackerOne** and **Bugcrowd** host programs from many companies and publish each program's policy. Read that policy before you start: the permission covers only the assets and testing methods it lists, and anything outside it is unauthorized access just as if no program existed.
Responsible Disclosure
Even without a bug bounty program, it is still advisable to practice responsible (also called coordinated) disclosure if you find a vulnerability in a system, so that the issue can be fixed before someone abuses it. Keep in mind that the absence of a program also means the absence of permission: a bug found on a system you were not authorized to test carries legal risk no matter how carefully you disclose it.
How to Responsibly Disclose
- Find the right contact and send them the relevant technical details: the affected system, steps to reproduce, and the impact. Many organizations publish a security contact in a `/.well-known/security.txt` file (RFC 9116) or on a dedicated security page.
- Give them a reasonable, agreed-on amount of time to fix the software; 90 days is a commonly used default, with extensions for fixes that are genuinely hard.
- Only publish information about the vulnerability or exploit after patches are released, and coordinate the timing of that publication with the owners.
- Do not go further than needed to demonstrate the issue: no exfiltrating data, no maintaining access, and no sharing the details with third parties while the fix is pending.
Conclusion
Ultimately, how you choose to wield your security skills will be your responsibility. We hope that you make good decisions along the way. Happy hacking! 😊
Extra Reading
Interesting Case Studies
- Viewing website HTML code is not illegal or “hacking,” prof. tells Missouri gov.
- The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet
The Law
- Computer Fraud and Abuse Act
- The Most Controversial Hacking Cases of the Past Decade
- Why Are Rules Of Engagement Important To My Penetration Test?