When it comes to enterprise security and tackling cyber and network threats, are today’s businesses and IT professionals required to “think like a hacker,” compromising a measure of morality and ethics in the process? This was the provocative issue at hand during an industry keynote panel at last week’s SecTor security conference in Toronto.
The keynote panel, Crossing the Line: Career Building in the IT Industry, served up some interesting insights into the legal, ethical and moral quandaries IT security pros face in minimizing cyber security risks across the network and the enterprise as a whole. Building a successful IT security bulwark often revolves around understanding how malware authors and attackers operate by engaging in “ethical hacking” — but how far IT professionals should go to accomplish this was the main point of contention among the panelists.
As panelist James Arlen pointed out, there are “rubbery” or blurred lines when it comes to navigating the legal and ethical boundaries around cyber security — compounded by the fact that the goalposts continue to shift over time.
The senior security consultant at Hamilton, ON-based Leviathan Security Group pointed out that IT security professionals actually need to think like a hacker to understand security weak points and vulnerabilities and how to effectively stop them.
“Do No Harm” from an IT security POV?
Panelist and security and VoIP consultant Leigh Honeywell offered that while there are no easy answers, it is almost like adopting a cyber “Hippocratic Oath,” swearing to practice IT security in a completely ethical manner.
Taking a “devil’s advocate” approach for the purpose of the panel, Brian Bourne, co-founder of the Toronto-based security user group TASK, agreed. While conceding that it is a contentious issue and a grey area from a moral and ethical standpoint, he pointed out that hacking and online mischief is pretty much how all the great hackers have historically learned their craft — including Apple co-founder Steve Wozniak, who has admitted on record to light-hearted forays into hacking computer and telecommunications networks in his college days — and that they have often done so without causing any major damage. Gaining this real-world experience, Bourne noted, is likely a good way for the average IT security professional to stay ahead of the curve in building out security protections that minimize threats in the enterprise.
But “self-proclaimed geek” Gord Taylor, a senior security specialist for “a major bank,” pointed out that the BBS era has long passed, and given all the technology and network advances of today, there is hardly any excuse for emerging security professionals to engage in such online or network shenanigans to bone up on cyber security attack trends.
“I can’t say I ever crossed those moral or legal lines. But I certainly looked at them and pontificated on whether I should cross that line,” said Taylor.
Probe your network like a hacker
Panelists were in consensus that to effectively manage the security environment, looking at it the way an attacker might – understanding how data flows on the network in order to track security exploits and abnormal traffic – can help to see the network from a more strategic perspective and quickly develop countermeasures.
Taylor added that becoming a solid IT security professional in the modern era involves learning from peers, classroom training and reading industry news and case studies; from a hands-on perspective, setting up test servers of your own to hack can accomplish the same thing without crossing any grey moral or legal lines.
“We have YouTube; Wozniak didn’t have YouTube. We have those (tools) where we can learn this stuff for free — you don’t have to cross those lines.” Trusting your own moral and ethical compass is often the best way to determine where those lines actually are, Taylor added.
Arlen countered that things aren’t always so black and white in today’s world, and that governing laws might not always be up to the task of handling ever-shifting security concerns and threats.
All panelists agreed that IT security professionals should always hold themselves to a high standard of conduct, and that there is an element of discretion and judgment involved in determining where the ethical and moral lines are in shoring up the security environment. In fact, a survey of SecTor attendees found that 52 per cent noted that skills development and expertise can be developed on the job inside working hours and rules, with 27 per cent reporting that “developing expertise has to be done online and crossing the odd legal boundary, but no ethical boundaries (such as responsible disclosure) need be crossed.”
Taylor noted that it is about making the sound decision to “do no harm” and not cross that line in protecting any IT security environment: “Wozniak crossed those lines but that was a different era, almost 40 years ago. It’s a very different landscape.”
Get even more education about the threats affecting the network by downloading The Internet Security eBook: A Self-Assessment Guide.