Ethical Hacking: the Three Shades White Hat, Black Hat, Gray Hat - Literature review Example

? Ethical Hacking Table of Contents I. 3 II. Introduction 3 III. Literature Review 5 References 11 I. This paper undertakes a review of the literature relating to ethical hacking and its related concepts. It touches on aspects of hacking relating to distinctions among white hat, black hat, and gray hat hacking, and justifications for the existence of hacking and hackers tied to making systems more secure. The literature review itself focuses on detailed security justifications for white hat hacking; examples of effective and beneficial white hat hacking activities; the need for inputs from black hat and gray hat studies to make systems more secure; the persistence of security justifications for hacking in the literature; and some legal considerations tied to hacking (Sanger, Barboza and Perlroth, 2013; Navarro, 2013; Olson, 2012; Palmer, 2001; Brodkin, 2009l Lemos, 2002; Farsole et al. 2010; Snyder, 2006; Mahmood et al., 2010; Smith et al., 2002; Pashel, 2006; Raether, 2008) II. Introduction Hacking has become the stuff of national security talk in the US and other countries recently, with the proliferation of news with regard to accusations that China is leading a concerted effort to hack into very critical systems owned by the US government as well as private enterprises around the world. Some of the most recent reports tie the concerted hacking efforts to the Chinese military, indicating that not only is the hacking sanctioned by government, but is being done with its active support, with the intent to gain from the vast intelligence that can be had from the hacking exercises. This recent spate of news has put hacking in a bad light. Clearly this kind of hacking is unethical, because of the intent to gain from illegally breaking into global information systems, and without the permission of the system owners. From the point of view of international law, this is unethical and clearly criminal (Sanger, Barboza and Perlroth, 2013; Navarro, 2013; Olson, 2012). On the other hand it is worthwhile to note that ethical hacking is offered as a course in some universities, as in the case of a course offering in Northumbria University, entitled Ethical Hacking for Computer Security Bsc. It is an honors course. The goal of the course is to be able to produce ethical hackers who are adept at penetrating into systems with the use of tools to hack into them, so that the weaknesses and flaws of those systems may be identified and strengthened/addressed appropriately (Northumbria University, 2010). This testifies to many things, among them being that ethical hacking is a mainstream, legitimate activity, rather than something that can be deemed as criminal. The intent here is to bolster security rather than to breach systems with malice and with an intent to commit crimes. This is reflected as much in the Oxford Dictionary definition of the term, which also underlines the growing importance of ethical hacking and ethical hackers to be able to make systems more secure (Oxford University Press, 2013). That ethical and unethical hacking both exist, as typified by the two contrasting examples above, is further reflected in the way these two types of hacking are immortalized in the literature, via the contrasting designation of black hat hacking representing the practice of unethical and criminal hacking, and white hat hacking, or ethical hacking. There is also gray hat hacking, which, as the term connotes, is part ethical and part unethical. This latter term also denotes a hacker who has had experience with doing hacking on both sides of the fence. The arguments against hacking in general point to the aspect of the debate with regard to whether hacking has any place at all in legal society. This line of thinking says that all hacking is potentially illegal. Those in favor of ethical hacking, on the other hand, admit as much, but then posits the example of the locksmith. If one is locked into a house, for instance, because one lost the keys to the door, then it makes sense to call a locksmith to create new keys, and to therefore allow the inhabitants to leave the house safely. All locksmiths are potentially criminal, but there is no question that the world needs locksmiths. The same can be said too, of ethical hackers, according to its proponents. Moreover, given the proliferation of concerted hacking attacks, it makes a lot of sense for governments and private companies to try and fortify their systems to make them invulnerable from hacks. For this kind of work they need very good ethical hackers to be able to identify the weak areas of their systems defenses, and to plug those weak areas and make them stronger. Ethical hackers can also be employed to make sure that systems are able to stay many steps ahead of the hackers, as technologies for hacking improve (Sanger, Barboza and Perlroth, 2013; Navarro, 2013; Olson, 2012; Palmer, 2001; Brodkin, 2009l Lemos, 2002). III. Literature Review The literature details the progress in thinking with regard to the necessity of hacking in order to make systems more secure. In the context of the growing interconnection of systems around the world, it is important that hacking is made part of the processes that test the integrity of the systems and the interconnections. Doing so has been the job of hackers for years, going back to the 1960's. The explosion in the use of the Internet has made the job of the hacker more not less relevant. The thinking here is that ethical hacking is something that cannot be done away with, and that the long history of hacking, emanating from the most prestigious technical universities in the world and in the most important commercial organizations, point to ethical hacking being not a matter of choice and preference but something that is vital to the design and maintenance of systems. One cannot do away with ethical hacking, without compromising system design in some major way. Given the interconnectedness that the Internet brings, moreover, it can be taken as a default condition that systems are to be routinely hacked from the external environment, and the assumption is that those systems that are weak and vulnerable are going to be breached. To design systems therefore without recourse to white hat hacking, or ethical hacking, as part of the stress testing, is to design and manage systems poorly (Farsole et al.. 2010). Examples abound with regard to the positive contributions of white hat hacking to making systems of all kinds more secure. Such examples include literature describing the use of ethical hacking to prompt network users to use passwords that are more secure, via the use of software for instance that can crack passwords that are less than secure. It is mundane white hat hacking, sure, but the results are very encouraging with regard to user impact and network security impact (Snyder, 2006). On the other hand, while the focus of many studies is on white hat hacking studies, the literature also contains papers that argue for a greater emphasis on the results of black hat studies. The argument is that while white hat hacking studies are useful, they tend to concentrate on certain assumptions as well as certain outcomes. This is because white hat studies are undertaken by those who are ethical in their own dispositions mostly. On the other hand, what is lacking in white hat studies in many cases are the perspectives of those who have so-called criminal minds. The thinking here is that criminal minds operate differently from sane and ethical minds, so that the way black hat hackers approach hacking is different. Without inputs from this side of the fence, therefore, the interventions that are created to patch vulnerabilities in systems may not be adequate. The further thinking here is that in laboratory conditions, the best students may not be able to simulate the thinking of sociopaths and criminals. They think differently, and hack differently. In a way hack-proofing systems is not really comprehensive without the inputs from black hat studies. The argument is that a complete view of the vulnerability of systems can only come from considering the perspectives of both the white hat studies, as well as the black hat studies. The proponents of this view argue further that in recent years, access to black hat hacking thinking has become easier, facilitated by the presence of hacking organizations and discussion forums, where both white hat and black hat hackers are able to share their ideas and insights into their craft. Moreover, the presence of a greater number of gray hats make it easier to gain access to insights from the black hat side of their practice, as they also share their findings with the their communities, and as the academic community is able to gain access to those insights (Mahmood et al., 2010). Elsewhere in the literature the same kinds of justifications are being made in papers that go back to the turn of the millennium, again pointing to the necessity of hacking in order to secure the systems that are being developed, run and maintained. The message that is repeated is that security is an important consideration, especially for very vital systems that handle the most important aspects of the lives of people, such as financial and health care systems, and mission critical systems that handle transportation for instance. Ethical hacking has a place in these. In networks, ethical hacking is employed to find out the weakest and most vulnerable links. In software development, hackers are used to subject the new software to all kinds of beta testing. In software that has already been deployed, ethical hacking is used in order to make sure that the software is able to handle the stresses and strains to which it is subjected to. The stress tests also guarantee that the software is able to run as it is intended to, in the wild. Moreover, from experience, it has been proven that ethical hackers find it in their interest to probe the systems that they work with, within their sphere of influence, to make sure that those systems are secure and stable. Hacking is necessary for this kind of probing work, akin to house dwellers routinely going through their dwellings to make sure that those dwellings are secure and free from vulnerabilities that thieves and other criminals may exploit, endangering the well-being and welfare of those residing in the house (Smith et al., 2002). Meanwhile the literature also deals with some of the ethical aspects of hacking education as well. One concern is that of weighing in on the ethics of teaching students about hacking itself. What are the ethical implications of such an education? On the one hand, it has been established that hacking is an activity that is vital to securing the safety and integrity of all kinds of computer systems. On the other hand, it must be a cause of concern that such power is being given to students through formal education on how to hack. Given the potential large amounts of power being given to students in this way, the literature notes that without incorporating responsible and ethical use into the curriculum for hacking, students may fall by the ethical wayside so to speak and misuse their hacking skills to break the law and to compromise the very systems they are taught to fortify with their hacking. The literature prescribes a host of interventions too, apart from teaching students ethics. That includes screening students to make sure that they are not criminals or sociopaths, and that they do not tendencies in their emotional and psychological makeup to break the law and perform black hat hacking. On the other hand what cannot be denied that care and scruple must be taken to make sure that hacker education must be accompanied by very strict guidelines and safeguards to make sure that the system is not educating students who will later turn out to be criminals (Pashel, 2006). There are legal implications to the work done even by ethical hackers, and those legal implications are tied to the increasing sophistication of network vulnerabilities and the necessity to give white hat hackers greater and greater access to even very sensitive systems and data, to allow them to secure those data and systems. The thinking here is that if systems are to be thoroughly secured and made robust and safe from intrusion, then they must be thoroughly inspected, stress-tested, and made invulnerable to black hat hacker attacks. This is the case for instance with sensitive government data, and data on the financial transactions of ordinary people. The recent news with regard to the alleged hacking of confidential government and financial systems from hackers from China underscores the importance of such work. On the other hand, as the literature notes, greater exposure to the systems and data given to white hat hackers bring them to the edge of what is permissible in law. Confidentiality is compromised, and in many cases the thin line between trusting the white hat hacker and worrying about the white hat hackers turning around and infiltrating the systems they stress test becomes even thinner. Sometimes the nature of the systems and the data being protected is such that even the most ethical hackers may be tempted to break the rules. The rewards from such activities may outweigh the risks for some ethical hackers. On the other hand, focusing on the law, today the literature notes that there are legal remedies to address these boundary conditions between the systems and the data on the one hand and the ethical hackers. The point here is that given the sensitive nature of the work on the one hand and the sensitive nature of the systems and data being secured, it is inevitable that gray areas in the law will arise, prompting all parties concerned to address those gray areas as they appear, with legal remedies that assuage the concerns of all of the stakeholders and of the community in general (Raether, 2008). References Brodkin, J. (2009). The legal risks of ethical hacking. Network World. Retrieved from http://www.networkworld.com/news/2009/042409-usenix-hacking.html Farsole, A. et al. (2010). Ethical Hacking. International Journal of Computer Applications 1 (10). Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.184.6791&rep=rep1&type=pdf Lemos, R. (2002). New laws make hacking a black-and-white choice. CNET News. Retrieved from http://news.cnet.com/2009-1001_3-958129.html Mahmood, M. et al. (2010). Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue. MIS Quarterly. Retrieved from http://www.misq.org/misq/downloads/download/editorial/538/ Navarro, P. (2013). Chinese Hacking and The Art of War. Huffington Post World The Blog. Retrieved from http://www.huffingtonpost.com/peter-navarro-and-greg-autry/china-hacking_b_2920096.html Northumbria University. (2010). Ethical Hacking for Computer Security Bsc (Hons). Northumbria.ac.uk. Retrieved from http://www.northumbria.ac.uk/?view=CourseDetail&code=UUSETH1 Olson, P. (2012)http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.184.6791&rep=rep1&type=pdf. Exploding the Myth of the Ethical Hacker. Forbes. Retrieved from http://www.forbes.com/sites/parmyolson/2012/07/31/exploding-the-myth-of-the-ethical-hacker/ Oxford University Press (2013). Ethical hacker. Oxford Dictionaries. Retrieved from http://oxforddictionaries.com/definition/english/ethical+hacker Palmer, CC (2001). Ethical Hacking. IBM Systems Journal 40 (3). Retrieved from http://pdf.textfiles.com/security/palmer.pdf Pashel, B. (2006). Teaching Students to Hack: Ethical Implications in Teaching Students to Hack at the University Level. InfoSecCD Conference '06/Kennesaw State University. Retrieved from http://www.big-daddy.fr/repository/Documentation/Hacking/Security/Teaching%20Students%20to%20Hack%20-%20Ethical.pdf Raether, R. (2008). Data Security and Ethical Hacking. Business Law Today. Retrieved from http://www.fgilaw.com/site/people/partners/links/1RIREthicalHacking.pdf Sanger, D., Barboza, D. and Perlroth, N. (2013). Chinese Army Unit Is Seen As Tied to Hacking Against US. The New York Times Technology. Retrieved from http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all&_r=0 Smith, B. et al. (2002). Ethical Hacking: The Security Justification Redux. Illinois State University/IEEE. Retrieved from http://vju-fiit-diplomovka.googlecode.com/svn/trunk/materialy/dp_20110502/egyeb/01013840.pdf Snyder, R. (2006). Using ethical hacking to educate users about secure passwords by cracking insecure passwords using readily available software. Proceedings of the 2006 ASCUE Conference. Retrieved from http://ascue.org/files/proceedings/2006/p251.pdf Read More