
4 Ethics of the Security Profession To become a proficient security professional


Question

4 Ethics of the Security Profession

To become a proficient security professional, you need to be able to think like "the bad guys" in order to protect your systems from attack. But this raises an ethical dilemma. What do you do with the information you know? Do you don the "white hat"? Or the "black hat"? You've been learning, in essence, how to attack systems in order to verify and validate them, to protect against attack. But what if you're faced with the opportunity to hack? Even if it's for a positive reason, is it ethical?

For this Discussion, act in the role of a security consultant. Usually, you are asked to come into a company to assess the security of one or more applications, and provide recommendations about how their applications can be improved. However, this job is different: The chairman of the board of directors approaches you because he has a problem. Several of his competitors have been hacked recently, and confidential customer data has been released. He wants to make sure that his web applications are safe. To make matters worse, he worries that there may be a problem inside his organization, and he doesn't want to tip anyone off.

Because of the sensitivity of the project, the president refuses to allow you to contact the authorities or anyone within the company about your intentions, potentially putting you at risk for criminal charges.

In your post, consider the following:

Explanation / Answer

In support of the statement, to become a proficient security professional, you need to be able to think like "the bad guys" in order to protect your systems from attack. That is the best way to figure out the loopholes in the system. But it makes it ethical only if the information gathered during hacking is not disclosed or used by the security expert in any form. The intention of the security professional should be entirely to assess the threats and find means to fix them. The security professional should present a well-documented detail of the threats and loopholes and how they are fixed. Yes, I would definitely take up the job. Hacking into a system only to check its vulnerabilities and providing the necessary patches is ethical and cannot be considered illegal. The first step to this approach would be to check for all the loopholes (in most cases, open ports) and document them. The second step would be to provide security patches so that the vulnerabilities can be overcome, and to update the details in the documentation. The final step would be presenting the detailed report to the authority head so that they can acknowledge the security enhancements. This would reduce the risk of any criminal charges in future. In order to avoid criminal prosecution, it would be ideal for the security professional to provide detailed documentation of the various activities carried out and the enhancements made accordingly. One copy of the documentation should be presented to the authority head who hired you for this task, and another copy should be kept with oneself, which can be produced in court if any legal issue comes up.
