Summary of the Article, “Issues of Implied Trust in Ethical Hacking”
Issues of Implied Trust in Ethical Hacking
Hacking is obtaining access to a digital device, computer system, or network in an unauthorized or unintended way. The figure below explains the hacking concept.
Figure 1: The Hacking Concept
Alsubaie (n.d.) conducted a study of the ethical hacking profession which, despite being an important part of current information security strategies, has an implied trust issue between ethical hacking professionals and the organizations that engage them. This trust challenge arises mainly from the fact that a third-party professional is given full access to the client’s systems and information. It is possible for the ethical hacker to exploit that privilege to the detriment of the client.
This issue has been acknowledged by various researchers, such as Yaacoub et al. (2021), who stated that the trust issue primarily relates to fully trusting a potentially suspicious third party to carry out an evaluation of the systems’ security levels. In the last decade, there has been an increase in the number of published articles discussing the implied trust challenge facing the ethical hacking professional, as shown in the figure below.
Figure 2: The Articles published year on ethical hacking and implied trust.
The penetration testing that ethical hackers carry out on the systems gives them full knowledge of information about the organization. The professional will know the exploitable vulnerabilities within the system and the present security gaps. With this understanding, the professional could easily choose not to have the organization address all these threats, for their own malicious benefit. The primary concern has been that among the many white-hat ethical professionals there may be black-hat or gray-hat hackers who are capable of leaking confidential information to malicious parties, whether the client’s rivals or cyber-criminal groups, without the company’s knowledge (Yaacoub et al., 2021). This would cause far greater damage, implications, and severe effects to the detriment of the client. As shown in the table and figure below, white-hat hackers and black- and gray-hat hackers have different objectives.
Table 1: Comparison Table Between Hackers & Ethical Hackers
Figure 4: The White hat Hackers’ Activities
In discussing the implied trust issue, Alsubaie (n.d.) cited various scholarly works, including the credible work by Georg Thomas and other researchers in their study, Issues of Implied Trust in Ethical Hacking. Georg et al. (2018) asserted that there is high demand for ethical hacking services as part of the multilayered security programs implemented to protect sensitive and confidential information. Notably, that research asserted that the implied trust issue persists due to the absence of a fully integrated professional ethical code of conduct by which the respective professionals would be required to abide. Several existing codes of conduct could be used in developing an international unified code. These include the Australian Computer Society Code of Ethics, the CREST Code of Ethics and the EC-Council Code of Ethics. However, the problem with these codes is that they are only mandatory for members certified by the specific bodies. This means that other ethical hacking professionals are allowed to undertake their operations without following any professional guidelines, which makes it difficult to hold these professionals accountable for their activities.
Jamil & Khan (2011) presented a new perspective on trusting ethical hackers by questioning whether giving this kind of authority amounts to trusting a potential enemy. The researchers stated that the technological aspects of organizations are growing so rapidly that all data will become electronic. Thus, ethical hackers can and may use their ability to avoid paying for items simply by manipulating systems. They could use their power to aid themselves at the expense of others without being caught. It is possible for any ethical hacker to be a black hat if they choose to (Jamil & Khan, 2011). Therefore, the concern remains that these skilled professionals could use their abilities at the expense of the other party. Organizations are evidently putting a great deal of trust in a potential enemy who could find the systems’ vulnerabilities and attack the organizations. Furthermore, if these organizations fail to ascertain whether the ethical hackers have acted professionally, do they accept liability for any adverse effects that occur after the penetration tests were done and the systems were deemed to be fully protected? This shows a regulatory gap that is yet to be filled, where a unified regulatory approach could provide guidelines on such concerns.
Alsubaie (n.d.) went on to discuss the elements required for a unified and mandatory ethical code of conduct for ethical hackers. Citing various literature, the research asserted that the need for this kind of code of professional conduct will always exist as long as ethical hacking professionals are working with the systems of multinational firms operating in different jurisdictions. These organizations need to affirm that their systems have the highest security levels regardless of how strict or lenient the regulatory jurisdictions are. Thus, the unified code would ensure that every professional abides by the professional code of conduct. An important factor to consider in its development is that the process should be both strict and accessible for every ethical hacking professional globally. Georg et al. (2019) also asserted that there is a need for a regulatory approach to ethical hacking that includes requirements such as a uniform code of ethics. Nevertheless, it is important to note that the approach will have its challenges, specifically in relation to testing across jurisdictions. Similar to law and medical licensing, a bridging or multi-jurisdictional licensing option is necessary to ensure that each professional remains compliant with the professional code and also with the laws of their particular country.
One important thing that should be acknowledged when insisting on the importance of a uniform and mandatory code of professional conduct is that the penetration testing done by ethical hacking professionals is an extensively technical and complex field (Georg et al., 2018).
Table 2: The Tests Carried Out By the Ethical Hackers
Figure 5: The Compulsory Skills that Ethical Hackers Should Have.
These ethical hackers need a deep understanding of numerous areas, including but not limited to software, hardware, networking and human behaviour (Engebretson, 2013). The knowledge needed to be considered a highly effective hacker is so extensive that it can be very difficult to evaluate how effective ethical hackers actually are. The client simply trusts that the ethical hacker will carry out their activities professionally while prioritizing the client’s interest. This kind of trust is, however, very risky, since the real world has shown that one cannot trust everybody. Thus, with many organizations unable to assess the effectiveness of ethical hacking professionals, there is also a need for them to find a way in which that performance can be assessed and monitored (Thomas et al., 2019). One possibility is for clients to carry out higher-level forms of phishing attacks against the ethical hackers as a test. Such evaluations would ascertain whether the professionals find what they should and ensure that they respond appropriately to the knowledge they appear to have obtained during the attack.
Alsubaie, S. M. (2011). Issues of Implied Trust in Ethical Hacking.
Engebretson, P. (2013). The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Elsevier.
Georg, T., Oliver, B., & Gregory, L. (2018). Issues of Implied Trust in Ethical Hacking. The ORBIT Journal, 2(1), 1-19.
Jamil, D., & Khan, M. N. A. (2011). Is Ethical Hacking Ethical? International Journal of Engineering Science and Technology, 3(5), 3-758.
Thomas, G., Burmeister, O., & Low, G. (2019). The Importance of Ethical Conduct by Penetration Testers in the Age of Breach Disclosure Laws. Australasian Journal of Information Systems, 23.
Yaacoub, J. P. A., Noura, H. N., Salman, O., & Chehab, A. (2021). A Survey on Ethical Hacking: Issues and Challenges. arXiv preprint arXiv:2103.15072.