Monday, August 4, 2014

Defensive Ethical Hacking

In 2006 Eric McCarty pleaded guilty to a SQL injection attack into a database at the University of Southern California.  The prosecutor and the court rejected McCarty's defense that he was a "security consultant" just doing what such consultants do.  His defense counsel claimed that he had acted responsibly by only giving the records of seven people to a reporter.  By pleading guilty, McCarty avoided jail and served only six months house arrest.

Several years earlier, while working on a gap analysis at a major media conglomerate, I became aware of a penetration test by a competitor that ran amok.  It seems that after successfully penetrating file servers, the consultant arbitrarily extended the test to include an AS/400 on the client's network, triggering multiple alarms and involving the FBI.

These are only two examples of so-called "ethical" hacking that went awry.  Without addressing the issue of whether "ethical" is a matter of motive or behavior, I have always had a set of defensive rules that I have imposed upon myself, my clients, and my associates that are intended to, among other things, keep me out of courtrooms and jails.

The first of these rules is that I do not engage in covert or clandestine activities.  My client, including all his personnel, must know about and acknowledge all the activities in which I am to engage.

I do not engage in fraud, deception, or other forms of social engineering, not even for money.  I already know that these attacks will work; they have worked throughout human history.  I do not need to embarrass the client or his people to demonstrate that I am a proficient liar.

I do not work without a contract or letter of agreement.  Such a letter is part of my authority to do what I do.  It also demonstrates that both the client and I understand the extent and limitations of that authority.

I do not work for free.  There is little better proof that I was engaged by the client to do what I did than his check.  McCarty had no letter of agreement, much less a check.  Out of respect for my professional colleagues, I do pro bono work only for bona fide non-profits.  I price my work at my normal rates and require that the beneficiary acknowledge my contribution with a receipt.

I do not work alone.  I prefer to work with the client's people; failing that, I work with my associates.  Not only are my collaborators potential witnesses for the defense, they act as an ethical check on my behavior.  One is far less likely to cross an ethical line with another watching.

I do not share the client's data with others not expressly authorized by the client to see it; not even with the authorities.  If the state wants my client's information it must get it from him, not me.  Short of torture, it will not get it from me.  (I do not contract or commit to resist torture; even if I knew my own capacity to resist it, I would not know how to price it.)

Not all my clients or even my associates like all of these rules all the time.  A client may think that disclosing all of my activities to his employees in advance defeats his purpose.  There are those in my profession who deceive client personnel for the purpose of discovering vulnerabilities or demonstrating naivete.  If the client wants that done, he should engage those professionals.  Some of my associates may feel that such activities are effective or that always working with others is inefficient.

I will not knowingly or willingly engage in any behavior such that, if I were caught in the act of that behavior, it might embarrass or alarm me, my associates, the client, or the client's people.

These rules may increase my cost of service or even reduce my potential revenue.  However, they are both defensive and conservative.  They act early to help me avoid ethical conflicts and assist me late in resolving such ethical dilemmas as may arise in the course of an engagement.

They have served me well.  They might have saved McCarty from conviction.  I commend them to you.
