As cyberattacks have increased in frequency and sophistication, businesses have been forced to take a more proactive approach to countering cybersecurity threats.
In response, the ethical hacking industry has witnessed a 350% growth so far, with the industry set to grow at 21% per year. Right now, ethical hackers are sought out more than ever to work against cybercriminals to beat them at their own game.
However, earlier this year, when the international cyber-gang Lapsus$ attacked major tech brands and was punished by the cybercriminal community as a result, a fresh debate was born. Can there be honor among thieves? Is there at least some unspoken code of conduct being followed by cybercriminals?
If so, this raises a question for the wider law-abiding hacking community: should we have our own code of conduct?
Ethical hacking 101
Ethical hackers assess a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and fixing any flaws before they fall into the wrong hands.
Ethical hacking requires the knowledge and permission of the business before infiltration. However, it’s only part of a wider set of actions white hat hackers must consider so they don’t fall into the black hat trap. Here are some guiding principles for white hat hackers to protect themselves and the businesses they work for:
- Hack responsibly.
It’s imperative that hackers have permission and understand the extent of access the company grants, as well as the scope of the work they do. Target knowledge and a clear scope help prevent accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and they clearly distinguish a hacker from a cybercriminal. Ethical hackers do not steal. Rather, they bring awareness to an organization's weaknesses at the people, process, and technology levels.
- Prioritize paper trails.
All good hackers keep detailed notes of everything they do during an assessment. First and foremost, these notes protect the hacker. For example, if an issue occurs during a penetration test, the employer will turn to the hacker first. Having a timestamped log of the activities performed, whether it’s exploiting a system or scanning for malware, reassures businesses that hackers are working with them rather than against them. Detailed notes also uphold the ethical and legal side of the equation. They form the basis of the reports hackers produce, even when there are no major findings. The notes let them highlight the issues they have identified, the steps needed to reproduce those issues, and detailed suggestions on how to fix them.
- Practice constant communication.
Ethical hackers should clearly define open and timely communication and establish it when drawing up the contract. For example, it’s good practice to always notify the client when assessments are running, such as by sending a daily email with the assessment run times. Although hackers may not need to report every vulnerability they find immediately to their client contact, they should flag any critical or show-stopping flaw during an external penetration test. Such a flaw could be an exploitable unauthenticated remote code execution (RCE) or SQL injection (SQLi), arbitrary code execution, or a sensitive data disclosure vulnerability. When encountering one of these, hackers should stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives the business a chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged. Hackers should keep their main points of contact aware of their progress and any major issues they discover. This ensures all parties are aware of any issues ahead of the final report.
All hackers are driven by the curiosity to discover how computer systems work and to find innovative ways to solve complex problems. Hackers must keep developing this curiosity and never stop learning. This lets them think from both a defensive and an offensive perspective without blurring the line between the two. By following best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results on the right side of the law.
A code of conduct for hackers could make all the difference in separating the good players from the bad ones. First and foremost, it can protect white hats and avoid unnecessary lawsuits. At the end of the day, these security professionals are there to help businesses and do everything in their power to keep them as protected as possible. Having a set of guidelines distinguishes the good guys from the cybercriminals, and also lets businesses employ hackers with more confidence.
Haris Pylarinos, founder and CEO, Hack The Box