Ethical Hacking

Learning outcomes:

  • Articulate some basic ethical considerations relating to Security
  • Discuss some common ethical considerations and current topics in Cybersecurity


  • What is Ethics?
    • According to the Oxford English Dictionary, Ethics is "moral principles that govern a person's behavior or the conducting of an activity."
    • As Dr. Ian Malcolm (played by Jeff Goldblum) declared, “Your scientists were so preoccupied with whether they could, they didn't stop to think if they should.”
  • Why do we talk about Ethics in Computer Security?
    • Ethics is not the law.
    • Most people who make the laws seriously lack technical expertise.
    • Technology and cybersecurity are a huge part of our everyday lives now. Technology was created by humans and therefore carries their biases; technology isn't neutral.
    • A select few can have a huge impact on many people; if systems aren't designed and protected with ethics in mind, we widen already unfair social arrangements.
  • Selection of Common Ethical Challenges in Computer Security
    • Who can test for safety? If you are creating a medical device, say an insulin pump, what testing should happen? Who should do that testing? Is it required? How much money is "too much" for testing? Example: an open-source insulin pump.
    • Equifax: why your credit score matters and who is in charge of it. What your credit score is used for, whether you know it or not. Private companies vs. governments, how security breaches can happen to very sensitive data, and what the consequences are. Spoiler: more profits for the company.
    • Data disclosure: if you work in IT, you're likely to see sensitive data such as emails, proprietary information, and personal devices. Think about Edward Snowden and the situation he was in.
  • Best Practices
    • Ethics and laws are not the same: laws change slowly, and just because you can do something doesn't mean you should.
    • Keep in mind that everything has a cost, and there could be lives at risk.
    • Just because you have ethics doesn't mean everyone does. Keep in mind that when you make something and make it public, anyone can use it; there is no test of morals to get on the internet.
    • Think about how information is shared. Does this information need to be collected? What's the worst-case scenario if it's lost, taken, or shared?
    • Think about others: other people, other situations. Remember that not everyone has all your privileges.

Suggested Activities and Discussion Topics:

  • Vulnerability disclosure, how and when should researchers disclose vulnerabilities to companies?
    • Should governments be forced to disclose vulnerabilities they've found?
    • What responsibilities should the companies have after the disclosure has been made?
    • On a similar note, should researchers be forced to disclose their names and locations when they send in bugs, or is there any reasonable expectation of anonymity?
  • Resource allocation: if a non-profit can afford to make a medical device (pacemaker, insulin pump) but doesn't have the budget for a security professional, should it still make the device? What if it is sharing the device with low-income people who couldn't otherwise afford one, but they want Wi-Fi included?
  • Automated vulnerability testing: should researchers be allowed to do automated vulnerability testing? Does it make a difference if it's more or less invasive? What about when the system isn't reasonably secure (small business, hospital, education, etc.)? What precautions should be taken to make this better?
  • CISO and personal risk: should CISOs (Chief Information Security Officers) take personal responsibility for companies that are breached or hacked? As in, should a CISO go to jail for security negligence? Should they be fired if a breach/hack happens? How do corporate organizational deficiencies (not following the outlined procedures, not documenting, not following best practices, etc.) affect this?
  • Voting: should we have electronic voting? Vote by app? Vote by mail? Electronic booths you have to go to in person? How is each of those secured and maintained (updated, and also monitored when it's not voting time)?
  • Farming: should farmers be able to service their own tractors? If they break them, are they still under warranty? What obligations does a company have to make products easy to service vs. secure? What is the line between company profits and ethics?
  • Device data: Many things have Wi-Fi and cameras now such as dolls and vacuums, at what point should we be worried about recordings or pictures being taken? What is considered "private" now? What expectations of privacy do you have in your home?