Digital Oxymorons: Ethical Hacking Explained
The term "computer hacker" started out in its current meaning of "virtual criminal break-in and entry" in the mid-sixties. A technical dictionary from 1975 lists the term in its modern sense. It started out as a negative term used to describe people who attempted to gain unauthorized access to computer systems. Over time, though, it gained positive overtones when used to mean clever shortcuts and insight in the performance of various tasks.
Today, a curious alternative form of the term exists -- it's called ethical hacking, and it describes hacking to help a business with its computer security aims, rather than to gain access with criminal intent. The term isn't as oxymoronic as it may at first appear.
Who Is An Ethical Hacker?
What is CEH (Certified Ethical Hacker)?
(By: Matt Walker)
CEH Certified Ethical Hacker Exam Guide is one of the best books available for preparing for the CEH certification. This book covers all topics on EC-Council's Certified Ethical Hacker exam. The author of the book is an information security expert.
The book includes examples and sample questions for practice. The bundle also comes with a CD that contains practice exams and an ebook version of the same book.
Ethical Hacking In News
From the widely publicized report of the computer expert who used the onboard Wi-Fi on a commercial airliner to hack into the flight computer to the DARPA experiment where experts hacked into the GM OnStar system on a car to actually control it (it was reported on 60 Minutes), ethical hacking is a form of vulnerability testing and solution finding.
Yet, some kinds of ethical hacking can cross the line. If an airline paid a security expert to attempt to hack into one of its commercial services just to see if it was possible, or if a car company were to try its ethical hacking on a car actually being driven by a customer, it would not only be highly unsafe, it would be criminal.
The problem here is that since ethical hacking is new and has no clearly established guidelines, businesses attempting to establish security run the risk of crossing lines without even realizing it. According to SEC-TEC, if your business invests in ethical hacking, it's something to think about.
How To Hire an Ethical Hacker?
If your business plans to hire an ethical hacker, ask about their ethical code.
In one case often discussed at security conferences, an ethical hacker at the University of Washington who needed to quickly pin down an ongoing series of attacks copied and distributed the malware on the local network himself. While he wasn't prosecuted for distributing malware, he might have been.
In another case, an ethical hacker attempting to get to the bottom of a hacking attempt at a business gained access to the hacker's stash of personal, identity and financial information. Since no specific permission had been obtained for access to that information, his actions were technically illegal.
This is why most reputable security firms have a code of conduct or code of ethics, and require their testers to adhere to them.
Ethics is even taught (at least implicitly) at colleges focusing on this area of IT and technology. For example, some graduates of the University of Advancing Technology, in Tempe AZ, have published their own “Code of Ethical Hacking” online.
Virginia Tech discreetly publishes a code of ethics, referencing Steven Levy’s 1984 “Hackers: Heroes of the Computer Revolution.”
In most cases, regardless of the source, the code is the same or very similar. Codes typically define what hacking is, how it is to be used, and a general philosophy on sharing of information and computers in general.
There is some general agreement that hackers should not steal information or resources, lie, or engage in any illegal or unethical practices. They should, however, be responsible, dependable, adopt a leadership role, be professional, exercise self-control, and not be ashamed to hack into systems where they have permission to do so.
Before you hire a firm, ask about its code of ethics and whether its staff are certified as ethical hackers (i.e. the Certified Ethical Hacker training and certification program). If it doesn’t have one, consider another firm. If it does, it should conform to the generally accepted code of ethics in the marketplace. If it does not, ask why.
Either way, you should require any security vendor to sign a statement that indicates what work they will do, what they won’t do, and how they will treat your systems -- especially sensitive systems that contain company financial information, passwords, and any databases with sensitive customer information.
In some instances, your security vendor will be bound by law to treat certain types of data with care. For example, healthcare information is protected under various laws.
Lawyers Can Help
A lawyer can help an ethical hacker and the business that employs him determine how close to the edge of the law they can skirt. If sensitive information is obtained, the lawyer might advise keeping records of how it is to be protected.
Should collected information leak, it could be considered the ethical hacker's fault, and the fault of the company employing him. Ethical hackers should also be under nondisclosure agreements to make sure that they do not disclose sensitive information.
A non-disclosure agreement (NDA) protects you, the business owner, from a hacker leaking information to third-party competitors or anyone not working in the business or with authorization to access the information on your systems.
A good lawyer can draft one for you, and it will outline the basic responsibilities for both you and the hacker you’re working with. The NDA will also include exclusions that comprise information that’s already either public knowledge or that is non-proprietary. The agreement will also specify time limits on how long the NDA should remain in force.
Make sure you understand all elements of the NDA, check out sample forms from popular legal websites, and never sign an agreement that requires you to waive some or all of your rights to intellectual property. New businesses in particular can be vulnerable to legal attacks and exposure, so having the right policies in place from the start will keep you in good stead.
Finally, just because a security vendor signs an NDA doesn’t mean that he or she will always abide by it. The old adage in business still holds true: do business with people you know and trust. A legal agreement makes everything legal, but you can’t enforce honesty or integrity.
Liam Taylor is a freelance security consultant working mostly with start-ups. In his spare time he is a regular writer for IT blogs on a range of cyber-security topics.