Social hacking skills

This is a discussion of the social hacking skills of ethical hackers – the “soft skills” or “ethics skills” needed to accompany the technical hacking skills when teaching higher education students ethical hacking of computer systems. The discussion is based on work I completed in a uOttawa PhD thesis (2020) on the topic of ethical hacking sociotechnology.

  • The case for ethics instruction
  • Social hacking skills – What ethics to teach
  • Social engineering in ethical hacking
  • Karl Weick – sensemaking through organizing
  • Canada’s cybersecurity threat landscape
  • Social digitization
  • Technology impact assessment (using STEI-DMG)

You may also be interested in OSINT analyst competency areas.

The case for ethics instruction

Pike (2013) is concerned with whether college students of information security receive the necessary training to responsibly use the hacking skills learned in college—that is, whether the academic training provides them with an environment in which they gain the necessary experience and skills in applying ethical principles. A literature search “revealed little guidance in preparing students to responsibly use hacking skills learned in college.” It is not clear “that academic training environments provide students with an environment where they gain experience applying ethical practices” (Pike, 2013, p. 69). Nor is it clear that students are receiving the training needed to ensure that the hacking skills and knowledge they gain are not misused. Logan and Clarkson (2005) argue that computer science departments in higher education have been increasingly including information security content–hacking tools, methods, and other types of security testing and management skills–“without much discussion of the potential for misuse or abuse by students” (p. 157). “Universities should never assume that students learn ethical behavior, the laws on illegal network/computer access, outside (or before) their time at the university” (Logan & Clarkson, 2005, p. 160).

Pashel (2006) explored the ethics of teaching students how to hack at the university level and ways university computer security programs can help prevent the misuse of knowledge and skills gained in higher education. Overall, “instruction in ethical hacking would be a useful and critical component of computer security programs at universities” (p. 200). Given “the proper training in ethics and law, students who learn traditionally illegal computer skills in the course of studying computer security will use those skills for the greater good far more often than they will use them illegally and immorally” (p. 199). The key to effectively teaching students how to hack is in teaching them the ethical and legal implications of their skill, as well as the ramifications of misusing their skill (Pashel, 2006). “At present, few computing students are required to take ethics and law classes. It is unrealistic to expect these students to understand the full ramifications of their potentially illegal behavior if they are not schooled in these areas” (Pashel, 2006, p. 199). Students may not know clearly what is considered illegal. Students may not understand the ethical and social consequences of hacking. Universities “cannot assume that students are inherently ethical or knowledgeable and the likelihood that a student will use his newly acquired skills to commit a malevolent act will likely decrease dramatically when required to take computer ethics and law courses” (Pashel, 2006, p. 199).

Logan and Clarkson (2005) reviewed the major requirements published on the websites of the institutions listed on the National Security Administration website as Centers of Academic Excellence (CAE) in Information Assurance to determine whether universities required their computer science students to take a course in ethics and computer law. The NSA’s 2004 list names 59 universities that offer majors and courses in information security at the undergraduate and graduate levels. The analysis finds that 66% of them do not require undergraduate students to study ethical and/or legal issues as part of a degree program, and that 95% of those institutions with graduate programs do not require ethics courses. “It is evident from these percentages that formal instruction in ethical and/or legal issues of computing is not a universal priority in CS curricula even in those institutions with a focus on security” (p. 160). Logan and Clarkson (2005) also examined the syllabi for a variety of security courses at CAEs and found that ethics concerning the use of computer facilities was not generally covered, while unethical behaviour concerning cheating was fully explained in every syllabus.

Young et al. (2007) focused on the perceptions of active hackers, recruited during a DefCon conference in Las Vegas, about the possible influence of social pressures and of legal measures aimed at information security on their behaviour. Perception measures included moral disengagement, informal sanction, punishment severity, punishment certainty, and utility value. Moral disengagement refers to the cognitive processes that justify deviant conduct. Informal sanctions are reactions by others to the deviant behaviour of an individual. Punishment severity is the impact on an individual of being publicly discovered engaging in an illegal or immoral act (e.g. prison time). Punishment certainty measures an individual’s perception of the probability of being caught. A utility value perspective proposes that, given a choice between two or more courses of action, “a hacker will make a choice based on which provides the greatest level of gratification after consideration of the risks associated with the choices” (p. 283). The action of most interest was the decision to engage or not engage in illegal hacking. Previous research has shown that severity of punishment has little or no effect when the likelihood of punishment is low. Although punishment for hacking is severe, hackers may believe the chances of being caught are low. Data were collected through handout surveys distributed to participants. The majority of the attendees were self-proclaimed hackers or people with an interest in hacking activities. Participation in the study was strictly voluntary. During the 3-day conference, 127 people filled out the survey. When asked if they had “participated in a hacking activity that would be considered outside the bound of that allowed by the courts system in the last year, 54 individuals (42.5%) answered yes” (Young et al., 2007, p. 283). The researchers used only the responses of these 54 respondents for the analysis. The respondents were asked to rate statements measuring the five dimensions of perception that are relevant to views on hacking.

The results of the study show that, compared to other attendees and to the student population, hackers have a statistically significant higher level of moral disengagement. Hackers perceive that hacking is acceptable as long as no damage is done. Further, they believe hacking can help companies improve their defenses. Results suggest that hackers perceive a statistically significant lower level of informal sanctions against hacking, and a statistically significant lower likelihood of getting caught. Further, while hackers and other conference attendees perceived the consequences of being caught engaging in illegal hacking activity as severe, students’ perception of punishment severity was significantly lower than that of hackers and other conference attendees. This is a noteworthy finding in light of the visual confirmation of the age group of the conference participants (hackers are mostly 12–28 years old). The overall results suggest that investments, tools and techniques that improve detection of security breaches and prosecution of hackers “may be more effective than increasing punishment and enacting more laws” (Young et al., 2007, p. 286).

Xu et al. (2013) studied how computer hacking emerges in young people, why talented computer students become hackers, and how gray hats become black hats, so as to “help schools, universities, and society develop better policies and programs for addressing the phenomenon” (p. 65). Interviews with six known computer hackers in China addressed two main questions: How do hackers get started? And how and why do they evolve from innocent behaviour (such as curious exploration of school computer systems) to criminal acts (such as stealing intellectual property)? Three key insights emerged from the study. Firstly, computer hackers often start out as talented students: curious, exploratory, respected, and, importantly, fascinated by computers–not as delinquents or social outcasts. “Our subjects indicated that many college students were involved in computer hacking, though only a small number ever become hackers who commit crimes using their skills, in college or after graduation. Most will find jobs in top-tier IT companies and information-security firms” (p. 70). There is “no guarantee our subjects, as students or as future employees, would not continue to use their increasingly sophisticated hacking skills to do harm.” The primary constraining factor “seems to be their moral values and judgment about hacking” (p. 70). Secondly, “porous security, tolerance by teachers and school administrators, and association with like-minded individuals make for fertile ground in transforming young talents into hackers.” Eliminating tolerance and “strengthening moral-value constraint appear to be the only manageable options in resisting hacking today” (pp. 73-74). Thirdly, moral values and judgment seem to be the only reliable differentiator between grey hats and black hats.

Social hacking skills – What ethics to teach

Countermeasures component

Prevention component: ethical-legal consequences

Ethical hacking curricula should include the ethical-legal consequences of misusing hacking skills learned in university as a prevention component integrated with the technical instruction. Presently few computing students are required to study the ethical-legal consequences of misusing the hacking skills learned in college (Logan & Clarkson, 2005; Pashel, 2006). Interviewed university experts on ethical hacking said they teach ethics in an integrated way, that is, technical instruction is contextualized with the ethical-legal dimensions/consequences of misusing the skills. PPT3 says the ethical and legal components are a “key part of the course.”

We talk about a number of legal aspects broadly–liabilities, torts, contracts. In this case, we’re talking mostly liability issues. Liability for leaving open vulnerabilities, and then of course there’s the criminal aspect of, you have to make sure that you’re not doing something that breaches the actual acts, teach about the various Acts that relate to information technology, privacy, security. (PPT3)

For PPT14, ethical hacking instruction entails teaching “the ethical side of it, what permissions you need, never to do this on someone’s products or networks that you don’t have permission for–all the things that if you want to retain the common understanding of ethical, you don’t want to violate.” Hackers “break in without permission. The number one rule has to be, never do this on a live system unless you have written permission from high senior officials” (PPT14). PPT8 says he talks to his computer science class about the potential ethical and legal consequences of misused talent. “I definitely spend at least a lecture talking about it … I tell them … I don’t want to have to come bail you out.” “You need the ethics,” says PPT6, “because this is one industry where it’s two sides of the same sword: ethical hacking, unethical hacking. Often, it’s literally, do I have permission or not?” “I think every course needs ethics in it.”

Ethical hacking should be taught as a comprehensive audit

Hacking skills should be taught as a comprehensive audit using QA/IA/IT governance approaches. Harris (2007) argues that “many hacking books and classes are irresponsible. If these items are really being developed to help out the good guys, they should be developed and structured that way.” For Harris (2007), responsible hacking books should give information about how to break into systems as well as about defence and prevention measures.

This means more than just showing how to exploit a vulnerability. These educational components should show the necessary countermeasures required to fight against these types of attacks, and how to implement preventive measures to help ensure that these vulnerabilities are not exploited. (Harris, 2007, The Controversy of Hacking Books, para. 3).

Universities are incorporating information security curricula at the undergraduate and graduate levels to address a national need for security education. The goals of such programs are “to reduce vulnerability in National Information Infrastructure by promoting higher education in information assurance and security, and to produce a growing number of professionals with information systems security expertise” (Sharma & Sefchek, 2007, p. 290). From the perspective of software security, CS programs should teach students hacking skills as skills in assurance (Radziwill et al., 2015). Students need to learn vulnerability discovery plus information security defense measures as part of a comprehensive audit. Students should be able to “perform vulnerability assessments on the entire spectrum of data assets: Applications, policies, procedures, and physical infrastructure,” but hacking performed on a network “should be part of a larger security audit process designed to reveal vulnerabilities and improve security policies and procedures” (Logan & Clarkson, 2005, p. 158).

The ethics of ethical hackers (professionalism/professional practice in society)

Ethical Hacking High-Level Concepts (3 Levels of Abstraction)

Social engineering in ethical hacking

Karl Weick – sensemaking through organizing

Canada’s cybersecurity threat landscape

Social digitization

Technology impact assessment (using STEI-DMG)

Related content

Abu-Shaqra, B. (2015). Technoethics and organizing: Exploring ethical hacking within a Canadian university (2015-04-24T13:40:05Z) [Master thesis, University of Ottawa]. uO Research.

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.

Critical thinking theory, teaching, and practice

Ethical assessment of teaching ethical hacking

OSINT analyst competency areas

Professional ethical hacking body of knowledge

The ethical teaching of ethical hacking

The ethics of ethical hackers

The ethics of ethical hacking
