This great question was posted on LinkedIn and it got me thinking.
In the strictest use of the phrase 'ethical security testing', I believe an accurate description would include:
- explicit instruction to test
- a system owned by the party giving that instruction
However, we need to be pernickety about definitions with this phrase. Loosely, 'ethical' might be taken to mean 'no-one got hurt' or 'no data was exfiltrated'. A wide definition could be inferred from that, but for the sake of argument let us still allow the words 'attack' and 'exfiltration' to be used.
So let us test some example instances against the phrase Ethical Hacking, and in doing so explore its relevance and use:
An Anonymous DDoS is ethical hacking, is it not?
- Ethical: fighting for the masses
- Hacking: DDoS is a form of hacking
Technically yes and no. Ethical, but whose ethics? Ethical in that it is their own belief they are fighting for, so I guess yes. But hacking? DDoS is where I have a problem: it is an orchestrated attack with the intent of stopping traffic reaching a website or web service. Because of that intent, I believe it is no longer ethical.
Is Edward Snowden an ethical hacker?
- Ethical: he released documents that exposed government misdemeanours
- Hacking: using social engineering techniques
No, because he broke the law. Quite a simple line here. Regardless of what the governments had allegedly been up to, he broke the law by stealing information, and for that reason this is not ethical hacking but crime.
NSA backdoors in common-use technologies
- Ethical: they are protecting the greater good of the US
- Hacking: creating backdoors in code for later use
Here we see an easy delineation: there is a potential ethical standpoint, but there is no visibility or transparency of intent, and as such no ethical standpoint at all.
Ethical Hacking is a less common term; we are more used to seeing Ethical Security Testing. This implies testing, a part of a project lifecycle. Introducing the word hacking takes an already broad term, Ethical, and muddies it with an already media-hyped word, Hacking, creating a phrase that could describe either crime or business activity. As such, I would recommend avoiding the term Ethical Hacking and concentrating on the much stricter phrase Ethical Security Testing.