Is teaching offensive hacking skills ethical? Isn’t this akin to handing loaded guns to learners? Is ethical hacking justifiable?
Proponents argue that ethical hacking finds vulnerabilities in computer systems and networks before malicious hackers exploit them. Opponents say the tools can be misused to inflict harm, and that companies use ethical hacking as a quick fix instead of building security into product development.
Let’s explore both sides of the argument by looking at what ethical hacking is and why it can be controversial from either perspective, starting with how ethical hackers help organizations defend against cyber threats.
Reasons Why Ethical Hacking Is Ethical
Breaking something on purpose to find out how it fails isn’t new: automobile crashworthiness testing dates back decades. Ethical hacking applies the same approach to computer and network security. It’s an invaluable tool for proactive defence, and demand for it is growing: industry estimates put the number of unfilled cybersecurity positions worldwide at around 3.5 million by 2025. Ethical hacking can be justified for the following reasons, among others:
1) Identifies Vulnerabilities In Computer Systems And Networks
Ethical hackers believe the best method to defend a system is to probe it to uncover security issues before malicious hackers do.
Ethical hackers use proof-of-concept attacks to exploit vulnerabilities in systems and networks. This gives organizations the chance to find and fix missing security patches, misconfigurations, software flaws, and other weaknesses that an attacker could target.
2) Reveals How Security Conscious Employees Are
When ethical hackers gather information about their target organization, they may use social engineering techniques, for example posing as a colleague or vendor and simply asking employees for credentials or internal details.
This helps an organization discover how well its employees understand security and whether they actually follow the correct procedures for protecting confidential data.
3) Assesses The Company’s Public Information
Ethical hackers try to simulate how an attacker who doesn’t know anything about a system would try to break into it.
In doing so, they search public sources and compile data about the target organization from its websites, social media, job postings and other public databases. If that information can be used to build a password dictionary that successfully guesses passwords for the organization’s accounts, the organization needs to take steps to protect itself better.
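As an added example (written for this page, not code from the original article), here is a small Python script that does what the paragraph above describes: it takes a handful of constructed public facts about a hypothetical company (the names and founding year are invented, not drawn from any real organization) and expands them into a password dictionary of the kind a tester would try. It also shows why the technique works: many of the generated candidates satisfy a typical "8 characters, mixed case, digit, symbol" policy, so complexity rules alone do not protect against guesses built from public information.

```python
from datetime import date

# Constructed "public" facts about a hypothetical company, the kind of data a
# tester collects from a website, press releases and social media.  These
# values are invented for this example, not taken from any real organization.
PUBLIC_FACTS = {
    "company": "Acme Widgets",
    "products": ["Widgetron", "Gizmo"],
    "city": "Springfield",
    "founded": 1998,
}

# Common "leet" substitutions people apply to make a word look complex.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def seed_words(facts):
    """Pull the memorable tokens (4+ letters) out of the public facts."""
    words = set()
    for value in (facts["company"], facts["city"], *facts["products"]):
        for token in value.split():
            if len(token) >= 4:
                words.add(token.lower())
    words.add(facts["company"].replace(" ", "").lower())
    return sorted(words)


def mutate(word, years):
    """Apply the case, leet and suffix tricks people use to 'strengthen' a word."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    suffixes = ([""] + [str(y) for y in years] + [f"{y}!" for y in years]
                + ["!", "123", "1!"])
    return {b + s for b in bases for s in suffixes}


def build_wordlist(facts, current_year=None):
    """Expand the public facts into a sorted candidate-password list."""
    current_year = current_year or date.today().year
    years = range(facts["founded"], current_year + 1)
    candidates = set()
    for word in seed_words(facts):
        candidates |= mutate(word, years)
    return sorted(candidates)


def passes_naive_policy(password):
    """A typical complexity rule: 8+ chars with upper, lower, digit and symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def policy_compliant_candidates(facts, current_year=None):
    """The subset of guesses that the complexity policy would happily accept."""
    return [p for p in build_wordlist(facts, current_year) if passes_naive_policy(p)]


if __name__ == "__main__":
    wordlist = build_wordlist(PUBLIC_FACTS, current_year=2025)
    compliant = policy_compliant_candidates(PUBLIC_FACTS, current_year=2025)
    print(f"{len(wordlist)} candidates, {len(compliant)} pass the complexity policy")
    print("for example:", ", ".join(compliant[:5]))
```

With the constructed facts and 2025 as the current year this yields 1,440 candidates, 172 of which satisfy the complexity policy (every "Capitalized word + year + !" form does). A real engagement feeds a list like this into a password-spraying tool against the login portals found during reconnaissance; the defensive lesson is to screen new passwords against company-specific words and to rate-limit or lock out repeated failures, rather than to rely on complexity rules.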
4) Ethical Hacking Is Authorized
Penetration tests are performed cooperatively with the organization’s staff. The company authorizes the ethical hacker, within an agreed scope, to intrude into its systems and launch simulated attacks that test for known vulnerabilities. The ethical hacker must stay within those parameters and report back with findings and recommended fixes.
5) Ethical Hacking Provides Insurance and Assurance
Penetration tests give organizations evidence that their systems and networks withstood the attacks that were tried, at the time they were tried. They also drive hardening against malicious attacks and may even reduce the cost of cyber insurance policies.
Despite these justifications for ethical hacking, some people still consider it unethical.
Reasons Why Ethical Hacking May Not Be Justifiable
There are those who oppose ethical hacking on the grounds that it can be used for malicious purposes and that companies don’t always use it responsibly. Here are some of the potential issues with ethical hacking:
1) Misuse Of Tools And Technology By Hackers
The tools and techniques ethical hackers use to penetrate systems are dual-use. In the wrong hands they cause system damage and unauthorized access to confidential data.
2) Can Be Used As A Quick-fix Solution
In most cases, time-to-market pressure is so great that many businesses don’t pay enough attention to security during product development. They may then rely on ethical hacking as a quick fix to harden the finished product instead of investing in proper security measures throughout the development process.
3) Risk Of Non-Authorized Hacking
The risk of unauthorized hacking is always present, even when ethical hacking is used. A penetration test is a snapshot of one moment; without proper security controls in place between tests, malicious hackers can still find their way into the system and exploit its weaknesses.
4) Limited Scope Of Testing
Penetration testing does not cover every vulnerability or attack a system could face. It typically focuses on the most common known attack types within an agreed scope and time budget, so some security issues may be overlooked, and real attacks may exploit vulnerabilities that have not yet been made public.
5) Security Firms Have An Incentive To Hype Threats
Ethical hacking firms are paid to find potential vulnerabilities, so some of them may be tempted to exaggerate the threats posed by those vulnerabilities.
Despite these drawbacks, ethical hacking remains an important tool for organizations to use in order to maintain their cyber security.
Security Recommendations By Ethical Hackers
Ethical hackers can help organizations protect their systems by providing security recommendations that should be taken into consideration when building, deploying and managing computer networks and systems. Some of the most common recommendations include:
• Regularly patching systems against known vulnerabilities: Keeping up with software updates and patching is an important measure in protecting your system from the latest known threats.
• Installing firewalls to limit exposure of services: Firewalls provide an effective layer of security by filtering incoming and outgoing traffic. They limit what outsiders can see or reach, so a service that doesn’t need to be public shouldn’t be.
• Block scans: Organizations should also consider detecting and blocking scans from external sources to make it harder for attackers to gather information about their systems. Blocking is only a speed bump, since a patient attacker can scan slowly and from many addresses, so it complements rather than replaces reducing what is exposed in the first place.
• Educate employees: Regularly training employees about security best practices helps to create a security-conscious work culture.
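To make the "block scans" recommendation concrete, here is a short added example (written for this page, not code from the original article or from any firewall vendor) of the detection logic that has to sit behind scan blocking: it reads constructed firewall drop-log lines, loosely modelled on netfilter LOG output and using RFC 5737 documentation addresses rather than real hosts, and flags any source that touched ten or more distinct destination ports within a sixty-second window. The sample also includes a slow scanner that stays under the threshold, which is exactly the caveat practitioners raise about scan blocking.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def make_line(ts, src, dpt):
    """Build one constructed log line, loosely modelled on a netfilter LOG entry."""
    return (f"{ts.isoformat()} kernel: FW-DROP IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 PROTO=TCP SPT=51000 DPT={dpt}")


T0 = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443]

# Constructed sample log: the addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = (
    # A fast scanner: one new port per second.
    [make_line(T0 + timedelta(seconds=i), "203.0.113.7", p)
     for i, p in enumerate(COMMON_PORTS[:11])]
    # A legitimate-looking client retrying SSH, then trying HTTPS.
    + [make_line(T0 + timedelta(seconds=5 * i), "198.51.100.20", p)
       for i, p in enumerate([22, 22, 22, 443])]
    # A slow scanner: one port every 100 seconds, staying under a 60-second window.
    + [make_line(T0 + timedelta(seconds=100 * i), "203.0.113.99", p)
       for i, p in enumerate(COMMON_PORTS)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) .*\bSRC=(?P<src>[\d.]+) .*\bDPT=(?P<dpt>\d+)\b")


def parse_event(line):
    """Return (timestamp, source, destination port), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def detect_scanners(lines, min_ports=10, window_seconds=60):
    """Flag sources that hit at least `min_ports` distinct destination ports
    within any `window_seconds`-long period.  Returns {source: first detection time}."""
    window = timedelta(seconds=window_seconds)
    events = sorted(e for e in map(parse_event, lines) if e is not None)
    recent = defaultdict(deque)   # per-source sliding window of (time, port)
    flagged = {}
    for ts, src, dpt in events:
        q = recent[src]
        q.append((ts, dpt))
        while ts - q[0][0] > window:     # evict events older than the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= min_ports:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in detect_scanners(SAMPLE_LOG).items():
        print(f"{when.isoformat()} scan detected from {src}")
    # The slow scanner only shows up if the window is widened to cover it.
    print("with a 20-minute window:",
          sorted(detect_scanners(SAMPLE_LOG, window_seconds=1200)))
```

With the default settings only 203.0.113.7 is flagged, at the tenth port nine seconds in; the slow scanner at 203.0.113.99 is caught only when the window is widened to twenty minutes, and widening it far enough to catch every slow scan also starts catching ordinary clients. In practice the flagged sources feed a firewall block list with a short expiry, which is useful for cutting down noise and for alerting, but the sample shows why it is a speed bump rather than a control: a service that is not reachable from the internet cannot be scanned at any speed.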
Final Thoughts
Ethical hacking is a controversial but necessary field. While some people argue that it is unethical to teach others how to hack, the truth is that ethical hackers are vital in helping organizations protect themselves against cybercrime. If you’re interested in learning more about ethical hacking, be sure to check out LinkedIn Learning’s ethical hacking learning path.