Article

Ethics in hacking

By Dale Meredith

When someone hears the word “hacker”, they often conjure up an image of a dark room and the glowing light of a laptop screen shining on the face of someone sinister-looking. The reality of ethical hacking is, of course, quite different. “Hacking” just means utilizing a device in a way that it wasn’t meant to be used, and ethical hacking is extremely valuable to companies wanting to protect against cyber breaches. 

However, even “the good guys” need to watch themselves. Here are some things to keep in mind if you want to hack ethically, whether you’re a beginner or a seasoned pro. 

Just because you can, doesn’t mean you should.

Ethical hackers are exposed to tools, techniques and information that attackers use to breach networks and systems. That means they have both great power and great responsibility. It goes without saying that you should never use your knowledge to create harm or for personal gain. 

Constantly ask yourself, “Do I have the right to do _______?”

With knowledge can come the temptation to overstep the line, so it’s good practice to regularly ask yourself if you have the right to do something—to ensure you stay well within the boundaries of ethical hacking. 

I was once on a cruise ship that only offered internet access for a very expensive fee. As an ethical hacker, I had the knowledge, tools and techniques at my disposal to not only provide myself with free internet, but to explore the network and take a look at other passenger’s devices. But none of that would have been morally sound. So I paid the fee and focused on better things, like making sure I was safe on the cruise ship’s network by using a VPN!

Pledge to yourself that you’ll always make the ethical decision, even when it’s tempting not to. 

Don’t breach a network just to prove it can be done.

Some ethical hackers can feel tempted to do this, sometimes with the goal of soliciting engagement from a company. (“Look, I breached you, you should hire me to help you fix your mess.”) This is a passive-aggressive method of extortion that could get you into a lot of trouble (potentially even jail time)—so don’t go there. 

Never use pirated software to conduct a pentest engagement.

This is a big issue in the security industry. As an ethical hacker, you should be aware of the damage you can do to a client’s network when you use pirated software. Your responsibility is to protect your clients, not create new attack vectors or put your client in jeopardy.

Never use someone’s data for personal gain.

Again, your clients look to you to protect them from cybersecurity risks, not to open up more. However, if you discover information that must be legally reported to local or federal authorities, you must act—even if the client asks you not to report it. 

I once had a situation where someone who hired me was collecting and distributing illegal material that involved children via torrents on his work system. It wasn’t something I’d ever expected to have to deal with, but I reported it immediately—as should you in a similar situation. 

Decide in advance how you’ll respond to temptations.

It’s imperative that every security professional conducts an honest self-evaluation and reminds themselves why they chose the profession. Prepare yourself in advance, knowing that temptation may come, and know the ethical stance you’ll take in any given situation. This keeps you from having to make an in-the-moment decision when an opportunity presents itself. 

Through personal commitment to ethics and advanced planning, you can ensure you’ll show up with integrity whatever happens, and will keep your reputation and personal brand strong and trustworthy.

About the author

Dale Meredith is a high-demand contract Microsoft Certified Trainer and project consultant. Along with his 17 years of experience as an MCT, Dale also has an additional 7 years of senior IT Management experience. Dale worked as a CTO for a popular ISP provider and a Senior Manager for a national hardware supplier. His technology specialties include Active Directory, Exchange, Server, IIS, PowerShell, SharePoint, System Center/Desktop Deployment, and Private Cloud. Dale's wide network of IT contacts stay connected through his popular blog site at www.dalemeredith.com.