Ethical hackers play a critical role in organizational infosec: it’s their job to both evaluate and infiltrate key systems to help businesses identify and address potential security weak points.
This effort puts ethical hackers in a legal grey area:
- What rules and regulations (if any) apply to approved attacker efforts within enterprise networks?
- How do they steer clear of potential pitfalls and ensure their work is always on the up-and-up?
Here’s what you need to know about breaking the rules — the right way.
The goal of an ethical hacker is simple: attack and infiltrate company networks before malicious actors have the chance. By identifying key network, software and hardware vulnerabilities, ethical hackers help organizations identify potential weaknesses, design better defenses, and deploy improved risk mitigation strategies.
As noted by the U.S. Bureau of Labor Statistics, there’s an increasing demand for trained and truthful hackers. Over the next eight years, the agency predicts “much faster than average” job growth with a 32% increase in available positions. As malicious actors leverage everything from advanced, fileless malware techniques to open-source vulnerabilities and old-school phishing attacks, it makes sense that enterprises need experienced, ethical hackers to help shore up key defenses.
Ethical hackers are now essential to securing new technology systems, such as the Internet of Things (IoT). According to the FDA, for example, white-hat hackers helped uncover critical issues with connected heart monitors that made it possible for attackers to control these devices and change implant settings remotely.
But given the natural grey area occupied by ethical hackers, how do IT professionals — and organizations — ensure adequate security even as they compromise vital systems?
Hats off to hackers
When it comes to breaking rules in the right way, three components are critical:
As a result, it’s worth examining the three common classes — or “hats” — of hackers and how they impact IT outcomes:
- Black Hat — these hackers are the stereotypical “bad guys” — they compromise and infiltrate systems to cause harm or steal data. Black hat hackers may steal and exfiltrate information, install ransomware and demand payment, or damage key systems. These attackers may operate alone or in groups and obey no regulatory codes
- Grey Hat — this hacker often has good intentions but operates outside the legal frameworks that govern IT security. They may use common vulnerabilities or free hacking tools to compromise enterprise systems or software and then warn designers and developers that flaws exist
- White Hat — these hackers operate with the express permission of enterprises. In some cases, they’re directly employed by companies; in others, they operate as contractors or as part of third-party services. They may perform penetration tests or “red team” exercises designed to actively infiltrate systems and report their findings. White hat hackers combine intention and regulation to enhance IT security
While any IT professional can assume the role of white hat hacker with corporate permission, many organizations are now looking for staff with specific certifications that speak to their attack acumen and security skillset. Popular qualifications include:
- Certified Ethical Hacker (CEH) — this EC-Council certification evaluates the ability of IT professionals to identify, address, and remediate key security concerns
- Global Information Assurance Certification (GIAC) — managed by the SANS Institute, the GIAC program offers a variety of ethical hacking-focused qualifications such as the GIAC Penetration Tester certification
- Offensive Security Certified Professional (OSCP) — designed for experienced IT professionals; this highly technical certification focuses on active system hacking that demonstrates a clear understanding of the penetration testing process
Laws and order
Because ethical hackers exist at the intersection of cybersecurity and system compromise, frameworks have been developed to define key roles and describe essential obligations. These rules fall into three broad categories:
- Government regulations — legislation varies by location — for example, the California Consumer Privacy Act (CCPA) governs the corporate collection, storage, and transmission of consumer data. This means ethical hackers must take care not to expose or compromise this data while evaluating enterprise systems. The federal Computer Fraud and Abuse Act (CFAA), meanwhile, defines specific penalties for “accessing a computer and obtaining information” or “negligently causing damage and loss by intentional access.” As a result, it’s critical for ethical hackers to ensure all corporate hacking plans come with supporting documentation to prevent potential prosecution.
- Enterprise expectations — ethical hacking requires detailed documentation to ensure companies get the results they’re looking for and IT professionals have clearly defined boundaries. For example, enterprises may want specific systems or software tested and others left alone — clear expectations combined with written direction ensure ethical actors and enterprises are on the same page. This also helps avoid potential problems after contracts are concluded or IT professionals leave for another opportunity.
- Professional obligations — white hat hackers are also governed by professional obligations laid out by certification-granting bodies. For example, the EC-Council’s code of ethics comes with specific direction for IT pros, including:
- Protection of intellectual property
- Disclosure of potential damage or harm to affected parties
- Use of IT property and networks only as authorized
- Prioritizing ethical conduct and professional care
Failure to comply with these ethical obligations will result in the loss of ethical hacking certifications.