
Are offensive hacking courses ethical? Debating the ethics of hacking

News roundup: Colleges across the country are offering courses in offensive hacking, but are they ethical? Plus: Why the first 'online murder' may happen in 2014; Palo Alto and NSS Labs make up; numerous Android security issues surface.

Is a hacker still a hacker even if he's called an "ethical" hacker? After all, a rose by any other name would surely smell as sweet.

There are numerous types of hackers: the good guys (aka "white hats"), who do it in the name of security, and the bad guys (aka "black hats"), who do it for profit or for the fun of it. Then there are the harder-to-label gray hat hackers, script kiddies and hacktivists. All of them hack, but does that mean they're all malicious?

The ethical hacking debate has been burning for years. Adding fuel to the fire are the colleges across the United States that are offering courses in "cyberoffense" -- aka hacking. A recent Washington Post article raised several questions about the ethics of teaching offensive hacking courses. And while the teachers in the article stated that required ethical lessons are taught during these courses, it's impossible to know whether those ethical safeguards will be ingrained into the minds of students -- nor is it possible to know students' true intentions for taking the course in the first place. The skills taught in these courses are required to land some of today's best information security jobs -- and to fill the growing number of cybersecurity positions open in the government, military and business sector alike. One of the teachers even told the Washington Post that he will not accept students into his class if they don't promise to work for the NSA, Department of Energy or other U.S. government agency (if hired) and promise not to work for the private sector. Yet, as the adage goes, promises are made to be broken; no one would put broken promises and lying past a malicious hacker.

However, a side debate is brewing over what exactly offensive hacking is, and what the end result of offensive courses should be. In an impromptu Twitter discussion this week, noted security researcher and author Dino A. Dai Zovi and Johns Hopkins University professor Matthew Green offered their opinions on the matter.

As Dai Zovi noted, and as attackers have proven time and again, the same old defenses don't work. Green responded by questioning whether training students exclusively for the NSA and other government work is in fact ethical; Dai Zovi asked whether that was the reason offensive hacking courses were being offered in the first place, and wondered whether exclusionary courses were the answer.

The issues raised by Dai Zovi and Green on the ethics of teaching offensive hacking are indicative of a debate that has gone on for years. Yet even the task of defining offensive hacking -- including who should be trained in it and why it is needed -- makes the debate difficult for even the most knowledgeable in the security industry to settle conclusively. Beyond those points, should such courses be open at universities and colleges to potential black hats and white hats alike, or should they be offered only to those vying for particular jobs with particular employers? Is that ethical?

When used in an ethical manner, offensive hacking can save many businesses from experiencing serious threats; in fact, it already has and it will continue to do so. However, as new ethical hacking concerns arise -- such as the need for, and potential exclusivity of, offensive hacking courses, or even the question of how to define offensive security in the first place -- the debate will continue to rage on.

In other news

  • After last week's "war of words" between Palo Alto Networks Inc. and NSS Labs Inc., this week it appears that amends were made. NSS Labs' Founder and Chief Research Officer Bob Walder and Palo Alto's Senior Vice President of Product Management Lee Klarich both posted blogs yesterday about the companies working together to rectify the issues that led to dismal ratings for Palo Alto's PA-3020 next-generation firewall in NSS Labs' recent NGFW tests, saying that a fix for the flaws was distributed Thursday morning. "Through our own testing efforts and through working with NSS," Klarich wrote, "we were able to replicate the two issues and focused immediately on a fix, which has been completed and is now available." Walder noted, "A FULL test of the product is now underway to ensure that these fixes have not adversely affected the product in other ways, and a new Product Analysis Report (PAR) will be published in due course."
  • A report from Europol released this week suggests that the first "online murder" may happen sooner rather than later -- possibly by the end of the year. In its annual Internet Organised Crime Threat Assessment, the European Union's law enforcement agency highlighted the security issues surrounding the Internet of Things and claimed, "With more objects being connected to the Internet and the creation of new types of critical infrastructure, we can expect to see (more) targeted attacks on existing and emerging infrastructures, including new forms of blackmailing and extortion schemes (e.g. ransomware for smart cars or smart homes), data theft, physical injury and possible death." Europol referenced a 2013 IID report that predicted the first online murder would occur before the end of 2014. In its report, IID cited former Vice President Dick Cheney's pacemaker hacking concerns, FDA reports of vulnerabilities in Internet-connected devices, and the conspiracy theories surrounding the death of journalist Michael Hastings last year, which some attribute to an automobile cyberattack.
  • A joint report from Kaspersky Lab and INTERPOL released this week revealed that Android devices -- which make up about 85% of all mobile devices -- saw a spike in mobile malware in 2014, receiving nearly 98% of all existing threats. Research also showed that 175,442 new, unique malicious programs were designed for Android in the first half of 2014 -- 18% more than in all of 2013. In other Android news, security researchers from Lookout Inc. claim that the two Web browser security vulnerabilities discovered by researcher Rafay Baloch in September are much bigger than initially reported, affecting not only the stock AOSP browser on Android devices but also other browsers built on AOSP code. In a blog post, Lookout estimated that 45% of Android users run a vulnerable browser and could potentially be exposed to data theft or worse. Exposure, Lookout found, also varied greatly by country: 81% of users in Japan were vulnerable and 73% in Spain; the number dropped to 51% in the U.K. and 34% in the U.S.

Next Steps

In this excerpt from Hacking for Dummies, author Kevin Beaver discusses how malicious users think and work to help enterprise security administrators defend their systems.

Don't miss Kevin Beaver's 10 crucial ethical hacking lessons, as well as ComputerWeekly's inside look at a career in ethical hacking.

Also -- learn more about securing the Internet of Things and Android device security.



Which side of the ethical hacking debate are you on? Should courses in ethical hacking be taught?
Of course they should be taught! It's like in war. It's always better to implement a good defense when you know your enemy's tactics of offense.
If that argument is right, then as a public service we should offer courses in armed robbery, fraud, identity theft, assault, etc. They would be very popular. Obviously people might be better prepared to defend themselves if more were known about how to do them, right? No - it is a crime. It should be treated as that, not as a white collar job.
In this world of ever-growing cyber crime, it is inevitable for every organization to have a security strategy awareness program, which largely depends on their risk perspective and tolerance. And for this to be effective and efficient, there is a need for "offensive ethical training." My adage says that "if you wish to catch a thief, you must go undercover to learn their methods, way of thinking and mindset."
However, caution must be applied so that "the wolf will not be clothed as a sheep." Trainers and intending students must be made to sign contract(s) enforceable by local or international laws to guard against any unethical use of the skills acquired.