Virtuous human hacking: The ethics of social engineering in penetration-testing

Hatfield, Joseph M.

doi:10.1016/j.cose.2019.02.012

Cited by 39 publications

(29 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…If, as a result of applying methods of influence, a social engineer has gained access to confidential information, the analogue of which is publicly available, but using manipulating models of human behavior and is caused damage, his actions are illegal. However, if the damage did not cause, the actions of the social engineer do not violate the law, although it blame for non-compliance with ethics [15]. In a situation where a social engineer obtained (or made an attempt to obtain) access to confidential information, even without using it and not causing damage by his actions, the actions are unlawful due to the impact applied to the object [16].…”

Section: Resultsmentioning

confidence: 99%

Social engineering in the context of ensuring information security

et al. 2019

View full text Add to dashboard Cite

The paper presents the main key features of social engineering and a social engineer activity. Emphasis is placed on the study of social engineering techniques in the system of human-machine interaction used to implement the illegal (malicious) manipulation of human behavior patterns. The matrix of social engineering qualification criteria and the map of information security risks caused by social engineer actions were built. IntroductionThe practice of human-machine interaction (HMI) makes increasingly high demands on the level of information security. This process is like an eternal dispute -what is stronger, a sword or a shield. The evolution of information protection methods reflects the evolution of unauthorized data access methods [1]. Nowadays people are actively embedding computers in their environment; they are trying to make the computer more "human", the level of computer dependence on the outside world also increases with the development of networks [2,3]. On the other hand, the human factor continues to be the least controlled element of HMI [4], which, in turn, according to the modern information and communication technologies development creates not only new opportunities, but also new risks [5]. As a result, the number of information security [6] vulnerability factors increases. Someday, a computer will learn how to evaluate human behavior [7,8] and make decisions based on the results of cognitive processes analysis, considering the value and semantic aspects of personality behavior. Consequently, we are waiting for a new evolutionary leap in the confrontation of "sword and shield". But, so long as a person is only understandable by the other person, the social engineering knowledge will be in demand [9]. qualitative terms of "probability" and "impact" on the risk object dispersed in an ascending order.

show abstract

Section: Resultsmentioning

confidence: 99%

Social engineering in the context of ensuring information security

et al. 2019

View full text Add to dashboard Cite

show abstract

“…The moral and ethical positioning of white and black hat hackers provides an additional opportunity to highlight the dualistic nature of the application of knowledge. Black and white hat hackers are distinguished by the purpose of their hacking activity and whether consent has been provided (Hatfield, 2019); however, both start with the same potential aim to compromise a system and gain entry. White hat hacking is generally viewed as ethically motivated with the aim of identifying vulnerabilities in the security of a system and occurs when consent is given., e.g.…”

Section: Information Landscapes Desire Lines and Dark Knowledgementioning

confidence: 99%

“…penetration testing used in the banking industry to identify potential weaknesses in the network. Black hats represent the binary of this classification representing the unlawful entry of networks with malicious intent, and/theft of information or financial gain (Hatfield, 2019). Both categories of hackers will develop the same knowledge (about breaching networks, etc); however, the application of the knowledge will differ.…”

Section: Information Landscapes Desire Lines and Dark Knowledgementioning

confidence: 99%

Hidden and forbidden: conceptualising Dark Knowledge

Burnett

Lloyd

2020

View full text Add to dashboard Cite

PurposeThe purpose of this paper is to introduce the concept of Dark Knowledge, an epistemology that acknowledges both alternative knowledge and ways of knowing which are cognizant of the moral and ethical positioning of each.Design/methodology/approachThis is a conceptual paper that uses existing relevant literature to develop the work. The paper uses a four-stage literature search process and draws upon a range of disciplines, including philosophy, computer science and information management, to underpin the evolution of the concept.FindingsAs a conceptual paper, no empirical findings are presented. Instead, the paper presents an embryonic model of Dark Knowledge and identifies a number of characteristics, which may be used to explore the concept in more detail.Research limitations/implicationsThere is a clear need to develop a body of empirical work, adding to the theoretical perspectives presented in this paper. It is anticipated that this paper will provide one of the cornerstones for future studies in this area.Originality/valueThe paper makes an original contribution to the study of information behaviours, practices and epistemology.

show abstract

“…These interactions are problematic for both parties, client and service provider, and the ethics of social engineering are quite involving (Hatfield 2019). In contrast to searching for bugs in software, social engineering uncovers unprofessional behaviour in humans.…”

Section: Executionmentioning

confidence: 99%

Best Practices and Recommendations for Cybersecurity Service Providers

Кириченко

Christen²,

Grunow³

et al. 2020

The International Library of Ethics, Law and Technology

View full text Add to dashboard Cite

This chapter outlines some concrete best practices and recommendations for cybersecurity service providers, with a focus on data sharing, data protection and penetration testing. Based on a brief outline of dilemmas that cybersecurity service providers may experience in their daily operations, it discusses data handling policies and practices of cybersecurity vendors along the following five topics: customer data handling; information about breaches; threat intelligence; vulnerability-related information; and data involved when collaborating with peers, CERTs, cybersecurity research groups, etc. There is, furthermore, a discussion of specific issues of penetration testing such as customer recruitment and execution as well as the supervision and governance of penetration testing. The chapter closes with some general recommendations regarding improving the ethical decisionmaking procedures of private cybersecurity service providers.

show abstract

Virtuous human hacking: The ethics of social engineering in penetration-testing

Cited by 39 publications

References 17 publications

Social engineering in the context of ensuring information security

Social engineering in the context of ensuring information security

Hidden and forbidden: conceptualising Dark Knowledge

Best Practices and Recommendations for Cybersecurity Service Providers

Contact Info

Product

Resources

About