redteamethics/redteamethics

The ethics in ethical hacker

We propose a dialogue around the role and the ethics of the offensive security specialist. Return here to contribute to the project, to see the results of our survey, and to collect resources on ethics in red teaming.

Below are some thoughts and resources. If you have more, we would love your contributions; please submit them as a pull request.

Whether it is tailgating to get into a building or continuous corporate phishing exercises, where are the ethical boundaries? Many of us joke or brag about how we conned our way into this or that, yet many have also thought about the effect we have on our targets.

Countless books on pentesting and social engineering discuss the legal issues at length, but rarely the ethics that should surround our profession.

There are, however, researchers who have done excellent work on exactly this question, and it usually does not make it into the books. So far, some of the best discussions we have found are in the following paper:

Mouton, F., Malan, M., Kimppa, K. & Venter, H.S. (2015). Necessity for ethics in social engineering research. Computers & Security, 55, 114-127. doi:10.1016/j.cose.2015.09.001. Source 1, Source 2

Much of the same discussion is also summarized in the following conference paper from 2013:

Mouton, F., Malan, M. & Venter, H.S. (2013). Social Engineering from a Normative Ethics Perspective. doi:10.1109/ISSA.2013.6641064. Source

A quote that might inspire you to read it:

"Social engineering attacks may have unintended after-effects on the victim. These may be so severe that they may, for example, lead to suicide or other forms of trauma. The ethical concerns related to social engineering attacks, as well as the consequences of such attacks, could well be minimised if the right actions are taken after the attack."

Some examples of the scenarios discussed:

  • "Is it ethical to exploit a personal weakness of an employee when it is known to be common human nature to fall prey to this type of attack?"

  • "Is it ethical to report a social engineering penetration test as successful when the incident occurred because the employee was correctly performing his or her duty?"

  • "Is it ethical to provide the names of employees who were susceptible to penetration tests in a report to an authoritative figure even though this may have consequences for the employees?"

If you conduct social engineering in your profession, we strongly encourage you to read at least one of the papers above.

Building on these papers to some extent is the following:

Faily, S., Iacob, C. & Field, S. (2016). Ethical Hazards and Safeguards in Penetration Testing. Source

Quote from the paper:

We elicited the following four ethical hazards: these are situations likely to increase the probability of unethical behaviour because of the means, motive, and opportunity to engage in such behaviour (Pendse 2011).

  • Legal Ambiguity: The uncertainty associated with addressing unusual forms of illegality when encountered, or dilemmas between following the agreed rules of engagement, or informing law enforcement agencies
  • Human Targets: Any testing activities with the potential to jeopardise the career or well-being of test subjects.
  • Red Team vs Blue Team: Tensions that arise between testers (red teams) and client IT teams responsible for interacting with them (blue teams).
  • Client Indifference: Occurrences where clients are reluctant to make changes prescribed by penetration testers, or downplay the significance of problems found.

The paper proposes three safeguards that mitigate these hazards:

  • Risk Articulation: the explanation of security risks, and the impact these have when put in a meaningful context.
  • Service Comprehension: the understanding that clients have about the penetration test service they have commissioned.
  • Responsibility to Practice: the sense of responsibility that testers have to the penetration testing profession.

Shout out to Sharon Conheady for actually discussing the ethics of social engineering in her book:

Social Engineering in IT Security: Tools, Tactics, and Techniques. Source

Big thanks to all the original researchers and authors in the field who spend their time tackling these problems for the rest of us!

REMINDER: Please send more resources via pull requests.

A good overall collection of resources by Shamal Faily:

https://www.researchgate.net/project/Ethical-Issues-in-Penetration-Testing

Research papers that discuss social engineering and pentesting ethics:

https://www.researchgate.net/publication/281968010_Necessity_for_ethics_in_social_engineering_research

https://www.researchgate.net/publication/260006052_Social_Engineering_from_a_Normative_Ethics_Perspective

https://www.researchgate.net/publication/263588935_Social_Engineering_Attack_Framework

https://www.researchgate.net/publication/277308881_Ethical_Dilemmas_and_Dimensions_in_Penetration_Testing

https://www.researchgate.net/profile/Shamal_Faily/publication/305469742_Ethical_Hazards_and_Safeguards_in_Penetration_Testing_Poster/data/578fedbc08ae0831552a66fa/Pentesting-poster.pdf

Blog posts:

https://jacobian.org/writing/social-engineering-pentests/

https://medium.com/starting-up-security/red-teams-6faa8d95f602

General social engineering resources of interest:

https://opendatasecurity.io/the-most-famous-cases-of-social-engineering/
