Whilst I assert that ethics are subjective and can often lead to misguided notions of what ethical hacking is (i.e., some audiences believe that hacking coal mines in the name of the environment is ethical), I wanted to put together an article providing guidance on, if not ethical, then certainly legal considerations during penetration tests and even research activities.
This was an important thing for me to stitch together; I'm seeing a lot of poor behaviour that we need to call out, as well as things that we've appreciated over the past few years of delivery. Two areas concern us around ethics: misrepresentation of skill to customers, and outright disregard for the law for the sake of a social media presence and sensationalism.
Representing the organisation and employees appropriately
The most disingenuous activity I keep seeing in the cybersecurity community is claims such as "we provide 100% security solutions" from a firm that fails to deploy the two-factor authentication solution it sells, or "I have a 100% success rate in penetration testing" and "I've been hacking since I was 14" from individuals who at the same time fail to secure their personal website against cross-site scripting. I use the word disingenuous largely because it shows no empathy with the customer whose trust you are seeking, or it overstates skills that will often fall short of the claim, thereby undermining trust even further.
A recent case of this involves a new entrant into the market. Less than 18 months ago, the organisation's site on archive.org indicated that the firm was an IT support team; today it claims to be a cyber security thought leader with 20 years' experience. To amplify this, the same organisation also had directory indexing still turned on, along with basic security misconfigurations, all of which were also captured by archive.org. Another factor I'll throw into this: do not think that your absence of history is a weakness. One of the humbler cybersecurity consultants in the industry is in this space because their organisation got compromised 10 years ago. The fact that they can admit to this and let others learn from their mistakes provides greater value than misdirected claims of superiority.
In short, if you're going to claim the ethical high ground, or to be doing good, ensure your conduct is consistent with your messaging.
Understand local laws (NSW Focus)
There is an array of laws and regulations to consider when conducting testing, but there are two I think are important to focus on within NSW:
- The Workplace Surveillance Act 2005 (NSW)
- The Surveillance Devices Act 2007 (NSW)
These two came up specifically following not only the legal contract updates we undertook as part of CREST recertification, but also discussions with stakeholders in law enforcement.
The Workplace Surveillance Act 2005 (NSW) requires the following:
- At least 14 days' notice in writing to employees before the surveillance commences
- Camera surveillance must be clearly visible (i.e., signs stating that the place is monitored by cameras) and the cameras must not be covert
- Computer surveillance, which is what network traffic capture amounts to, must be carried out in accordance with a policy on computer surveillance of employees, and employees must have been notified of that policy in advance
- Covert surveillance requires a covert surveillance authority issued under the Act. There is a defence where the surveillance is "for the purpose of ensuring the security of the workplace or persons in it and that surveillance of any employee was extrinsic to that purpose". Our own internal analysis is that penetration testing does not satisfy the requirement of ensuring the security of the workplace: carrying out surveillance merely to prove that it is possible is overkill relative to the intent of a penetration test, so do not expect this defence to cover it.
- Additionally, "surveillance of persons", which the Commercial Agents and Private Inquiry Agents Act 2004 (NSW) defines as any activity carried out by a person on behalf of a second person (not being his or her employer) that involves the surveillance of a third person, requires a licence under that Act. Any physical security activity that involves surveilling people should therefore ideally be performed by an individual holding such a licence.
Realistically, these are things that should be checked prior to conducting an internal penetration test, and definitely checked before a physical assessment. Of particular note, before internal penetration testing we now look to confirm the presence of an "IT resource and acceptable use policy", as well as a statement that employees understand they are being monitored, either in login banners or in employment agreements.
The Surveillance Devices Act 2007 (NSW) goes even further on some physical security considerations, including:
- A person must not knowingly install, use or maintain a data surveillance device on or in premises to record or monitor the input of information into, or the output of information from, a computer on the premises if the installation, use or maintenance of the device involves interference with the computer or a computer network on the premises without the express or implied consent of the person having lawful possession or lawful control of the computer or computer network.
- Recordings made with a surveillance device must have the consent of all parties to the recording before they can be published.
So the aggressive use of audio listening devices, recording with your iPhone, or employing any gucci equipment you've purchased from Alibaba or cybersecurity tool resellers should not feature in the "elite extreme red team" engagement you've just sold, unless you have genuinely taken the time to plan and prepare from a liability and legal standpoint, put control measures in place to ensure you comply with the above legislation, and taken appropriate measures to minimise psychological harm to staff.
Additionally, there must be a legitimate purpose related to the employment of the employees or the business activities or functions of the employer, and the disclosure of any recordings is heavily regulated. This means that content you've generated during your "elite pentest" should not be published on your YouTube research channel, in sample reports, or through mainstream media outlets that have elected to push entertainment and drama over education.
How we manage this as an industry
Some of this can be mitigated by qualifying beforehand that effective governance is in place (i.e., an acceptable use policy and workplace monitoring policies), and demonstrating compliance with a security program (including CREST) will also go a long way. A 4-hour online pentesting course with 125 vague multiple-choice questions, or a social media presence highlighting your cybersecurity expertise, does not excuse poor behaviour.
Funnily enough, to support these activities Mercury recently partnered with a physical security provider to ensure not only that we are covered from a liability standpoint, but also that we can bring subject matter expertise to our physical engagements.
If we don’t manage this
The reality is that no one has yet been penalised for carrying on like a cowboy; however, in NSW the legislation specifies individual penalties that can include prison time and fines in the tens of thousands of dollars. Additionally, several years ago there was discussion about mandatory licensing of IT and cyber security personnel; the Federal government already uses NV1 security clearances as a means of this, and aggressive behaviour by individuals who have not been indoctrinated into ethical behaviour may see the introduction of regulation. My greatest concern is the presence of a sociopath in our industry who drives an employee to suicide because the world has to know how awesome a cyber security expert, sociopath and social media influencer they are; Jacintha Saldanha's suicide in the UK following the exploits of media personalities is an indicator of what may happen if the wrong approach is taken.
If there isn't an effective, mature and industry-wide approach to self-regulation (including leveraging qualifications and rigorous certification from industry bodies), I dare say we'll be proceeding down the path of a new bureaucracy to manage cyber security consultants, complete with redundant paper forms, a body of public servants that "don't know how to computer", and the requirement to scan and submit all personally identifiable information and financial history into an unsecured S3 bucket.