Offensive security practices like penetration testing and red teaming are used to identify and address vulnerabilities before malicious actors exploit them.
Ethical hacking activities, while legal, often receive public scrutiny because they are associated with “hacking.” The term “hacker” is commonly linked to criminal activities, thanks to media portrayal.
We will follow the convention of using “hacker” to refer to those who are “doing bad things,” and “ethical hacker” when referring to the “good guys.”
Anyone can be a hacker, just like anyone can be a criminal. And criminals, as we know, range from people who steal, cheat on taxes, murder, and so on. The same applies here, and the range goes from someone performing a DDoS attack by mistake (more on that later) to malicious actors and state-sponsored actors.
The legality aspect
In this domain, there is a nice joke circulating when new aspiring ethical hackers ask about best practices, where to start, and how to approach the offensive security domain.
And the joke has some truth in it: if an activity you want to do makes you ask “is this legal?”, it is probably not legal.
Explain?
For starters, accessing any website is of course legal, and looking into its source with “inspect element” and exploring is also fine. However, there is a fine line between “walking around someone’s property” and “going up to their door and trying the handle to see if it opens.” If it is unlocked and you step in, that is breaking and entering, and the mere act of trying to see whether it is open is usually a misdemeanor.
We can use the same analogy here: unless we have explicit consent, we are not allowed to perform scoping and intrusive activities on websites as ethical hackers. The line goes easily from white to gray.
As we gain experience we can, let’s say, better judge what is acceptable and what is not, but until then, no:
- automated scanning of any kind
- vulnerability scanning a website, wireless device, IoT device, etc.
- any intrusive mechanism, ranging from testing usernames and passwords to testing various exploits (SQL injection is one example)
But why?
Let’s tackle each section.
Automated scanning
This is the definition of stepping into a grey area, because even with companies or individuals that request ethical hackers to test their app or device, there are certain rules set in place. One of them is not allowing the use of automated scanning. There is one good reason for that: a DDoS attack.
DDoS attack?
Whether it is done with malicious intent, as hacktivism, or just scanning a website for laughs, you may not realize that the tool you are using is searching for various keywords on the website and is actually sending thousands of requests to the server. This in turn effectively renders it unresponsive, unable to serve the regular visitors of that website, and it appears offline. This is an extreme example; however, it is not that hard to cause a DDoS attack by mistake. Not everyone is protected by Cloudflare.
The fine legality line on the internet can easily be crossed without us realizing it, and we can argue that crossing that line is easier over the internet, just like it is easier and more convenient to pay for something online than offline.
Vulnerability scanning
The previous principle applies here as well, with the same risk. Or more risks, actually.
The first rule of fight club ethical hacking is to always get permission. If you do not have permission, you are not being both ethical and legal. You also risk a lot, even if you want to do something for positive reasons or for learning purposes.
Is it ethical to do it? If you want to scan a website to check its vulnerabilities and report them to the owner, without asking for permission first, it can be ethical. But legal? No, it is still considered “hacking,” and depending on the laws of the country, the penalty ranges from fines to jail time.
Any intrusive attacks
Performing this without consent, and sometimes even with consent, is not in the grey area: the line is crossed. You may do some damage with the previous assessments, but here the risk of doing irreparable damage by exploiting and testing various injection scripts and attacks is the highest.
Usually, even if you are performing a penetration test with consent, you need to be careful how you exploit. For example, if you exploit an SQL injection by inserting a script into a form, then depending on that script you can alter the data in the site’s database. This can be considered hacking with malicious intent.
SELECT * FROM users WHERE username = 'admin' AND password = 'password' OR '1'='1';
By injecting the always true statement, hackers can circumvent the password verification process and log into the application.
This example is the easiest way to detect and take advantage of an injection vulnerability, such as an SQL injection. However, not only is it unethical and intrusive, running various SQL statements can damage the database and cause irreparable damage if they do not have a backup. And even if they do, just forcing a team of specialists to respond and fix it can and will put you at legal risk: not only covering the fees, but the penalty may extend to jail time as well.
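To make concrete why the statement above works, and what the application owner should have done instead, here is an added example that is not part of the original post. It uses Python’s standard sqlite3 module with a constructed in-memory users table (a hypothetical schema and credentials, not taken from any real site), and contrasts a login check that builds the SQL by string concatenation with one that uses bound parameters. With concatenation, the quotes in the submitted password become part of the SQL grammar and produce exactly the always-true statement shown above; with placeholders, the same input is treated as data and the check fails as it should.

```python
import sqlite3

# Constructed sample data so the example runs offline; the schema and the
# password are hypothetical and not from the original post.
SAMPLE_USERS = [("admin", "s3cret")]


def make_db():
    """Create an in-memory database with one users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_concatenated_query(username, password):
    """The vulnerable pattern: user input is spliced into the SQL text."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns True if a row matches. Quotes in the input change the query."""
    query = build_concatenated_query(username, password)
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """The hardened pattern: placeholders keep input as data, never as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # The password field as it would arrive from the form in the example
    # statement above: password' OR '1'='1
    injected = "password' OR '1'='1"
    print(build_concatenated_query("admin", injected))
    print("concatenated  :", login_vulnerable(db, "admin", injected))
    print("parameterized :", login_parameterized(db, "admin", injected))
```

Running the script prints the concatenated statement, which is the one quoted in the post, followed by True for the concatenated check and False for the parameterized one. The fix is not to filter quotes but to stop building SQL from strings at all: every database driver offers bound parameters, and an input that never reaches the SQL parser cannot alter the query or the data.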
Legality in Offensive Security
Offensive security is legal when there are explicit agreements between penetration testers and system owners. Pentesters use these agreements, called “scope of work,” to determine what they can access.
Legally, if there is permission, the actions are considered legal. However, the ethical aspect of cybersecurity is more complicated. As we showed with some examples, pentesters may face ethical dilemmas where they have to balance legal boundaries with moral considerations. Usually, when exploring vulnerabilities, the easiest road to finding them may be the more intrusive and illegal one, even if you received consent to explore.
Ethics in Offensive Security
While legality is one thing, ethics determine how Pentesters or Red Teamers operate within those boundaries. They may face situations that, though legally permissible, can raise moral questions. For example, gaining access to sensitive data or simulating attacks on employees through phishing tests may feel invasive, even if agreed upon in the engagement’s scope.
The Role of Consent in Ethical Hacking
Consent forms the foundation of ethical penetration testing. It is the first and foremost requirement, and it is what separates ethical hackers from hackers.