Is ethical hacking legal?
If you take your time, penetrate a company’s network and identify all their security flaws and vulnerabilities, why should they be upset?
Or better put, if during your hacking endeavors you discover that certain users’ accounts or computers have been compromised by a malicious hacker, then you go ahead and inform them… is a lawsuit the best you can get for that?
Well, these and other questions are what I intend to answer in this post.
Along this article on whether ethical hacking is legal, we’ll also look at:
- type of hackers
- why companies need ethical hackers
- situations when ethical hacking is illegal
But before we answer the question: is ethical hacking legal, it’s important to first understand what ethical hacking is and what it’s not.
Ethical hacking is the process of penetrating an organization’s or company’s network or software in order to find security flaws and vulnerabilities with the intention of fixing them and securing the system. Most ethical hackers possess advanced skills in computer programming, operating systems and other server software.
They then use these skills to launch a real cyber attack on a system legally in order to find its weaknesses and fix them.
But computer hacking has gained a bad reputation recently… Let’s find out why by first looking at the three types of hackers.
i. White Hat Hacker
A white hat hacker is anyone who penetrates a network or application in order to find its security vulnerabilities and remedy them. They are also known as ethical hackers or penetration testers.
Ethical hacking is completely legal and is one of the highest paid, fastest growing professions in information technology today. Often, an ethical hacker works as an employee of an organization or a security firm, or as an independent security consultant.
ii. Black Hat Hacker
A black hat hacker is anyone who penetrates a network, system or application with the intention of exploiting its security flaws and vulnerabilities for malicious ends.
It could be to steal sensitive user information, to alter or destroy data or to simply interrupt its normal operations. Black hat hackers are also simply referred to as hackers, attackers or crackers, and what they do is completely illegal and punishable by law. What differentiates ethical hacking from black hat hacking is the intention behind it.
In fact, I wrote another article where I compare a hacker vs ethical hacker in a more in depth manner and from different angles.
iii. Grey Hat Hacker
A grey hat hacker kind of stands in between an ethical hacker and a malicious hacker…
How? Let me explain. This type of hacker would attack an organization’s or company’s system, network or application in order to find its vulnerabilities, without any malicious intent. It could be just for the fun of it, or just to prove to themselves or satisfy their little ego that they can break into something… or sometimes with the intention of informing the company of the vulnerability later on.
Now, according to the law, breaking into an organization’s system without their permission is illegal. That’s why some of these grey hats end up in a lawsuit right after informing the company about the security flaws they detected.
Now that we have established that ethical hacking is legal, the question is: why is ethical hacking legal? Let’s now look at the 3 reasons why companies need ethical hackers, and therefore need ethical hackers to be able to hack them legally.
1. To identify and remedy security vulnerabilities
Companies and organizations are constantly under attack from unethical hackers whose main intention is to create chaos.
That’s not to mention the government institutions and authorities that regularly need help breaking into hacking communities and circles when carrying out investigations. So the faster and earlier a company can identify and seal all the security loopholes in their system, the better.
This is especially true because if an attacker finds these flaws first, they’ll exploit them and cause the organization a loss in revenue and reputation. In order for an ethical hacker to perform their job, they’ll need complete, authorized access to the organization’s system.
The organization or company has to legally grant this access to an ethical hacker, because only someone who understands the attacker’s mindset can put them in check.
2. To help in development and quality assurance
How will a company ensure that they are developing software that is safe to use and is of high quality?
In software-based companies, software engineers and developers always look to penetration testers, aka ethical hackers, for the lead on whether the software is safe enough to use or not. This is implemented by ensuring that thorough software testing practices are carried out during development.
So ethical hacking has to be legal in the first place for pentesters to be on the company’s premises and work together with the development team. It is the only way to ensure software is quality assured before it’s deployed for public use.
3. To assess a company’s security measures and regulatory compliance
With the recent increase in data breaches and theft of sensitive personal information as reported by Norton…
Regulatory bodies have taken a much tougher stance with regards to corporate responsibilities for data breaches. In fact, the regulations specified in the General Data Protection Regulation (GDPR) make these penalties very clear.
This has inspired companies and businesses to either legally contract information security firms or put together an in-house security team composed of brilliant and experienced ethical hackers or penetration testers. An ethical hacker will assess an organization’s security measures and identify what’s working, what needs improvement, and which measures don’t serve as enough of a deterrent to an attacker.
So the organization will be able to implement security measures that remedy the vulnerabilities an attacker could exploit to cause a data breach.
It is by preventing a data breach that the ethical hacker helps the company stay in compliance with data protection regulations.
As you can see, companies need ethical hackers more than ever and that’s why ethical hacking is completely legal. Or else businesses or companies would be defenseless against malicious hackers. An organization legally grants you (the ethical hacker) access to their system, network or application.
They then close their ears and eyes and let you attack them using everything you got on you, then show up in the conference room with a detailed report of everything you discovered… in layman language.
Using the right procedure, like I detail in this penetration testing methodology and standards, you’ll be able to identify all the security flaws and loopholes. However, this also means a lot of responsibilities lie on the shoulders of an ethical hacker.
It may lead to a situation where an ethical hacker has to use grey hat tactics to be able to do their job. For example, I’ll have to employ social engineering to trick an employee into handing me their username and password. I’ll then use these credentials to hack into their account, just to prove I can… but isn’t that illegal? Breaking into someone’s account without their permission?
Well, that brings us back to the elephant in the room…
Is ethical hacking legal? Or better put… When does ethical hacking become illegal? Let’s answer this question by looking at 3 situations when ethical hacking becomes illegal and could lead to a lawsuit.
a. You expose confidential company information
When answering the question as to whether ethical hacking is legal or not, it is very important to remember that nothing is cast in stone. Once an organization gives you access to their system, you’ll encounter some very sensitive and confidential information.
What do you do with this information?
Remember, nobody else knows what you’ve found yet, and the company staff might not be knowledgeable enough to know what you are even doing either. Exposing this information or sharing it with a third party is illegal and will lead the organization that hired you to sue you.
Once you break the confidentiality agreement, you are not protected anymore.
b. You alter, destroy or misuse company data
Another situation when your ethical hacking endeavors become illegal and get you in trouble is when you decide to alter or destroy company data.
If you want to perform ethical hacking legally, once you succeed in breaking in, take a screenshot. Altering any data in a way that might bring down the system or compromise its integrity is illegal when performing ethical hacking and could lead to a lawsuit.
You don’t wanna do that. Instead, you want to take a screenshot which you’ll add to your final pentest report showing that… hey, I was able to get this far. This shouldn’t happen. Fix this.
c. You introduce backdoors into the system for later access
Once you are in, is it legal to create backdoors, only known to you, that you can then use to access the system later?
I must admit that this used to be very tempting for me when I was still new in ethical hacking. It was more like, can I create a way to trip the entire system from outside if I’m not paid? That was outright stupid. I’m glad I never went ahead with any such thoughts.
But that’s for you to learn. Introducing backdoors into an organization’s system or application is completely illegal… Even if they gave you legal authorization to ethically hack their system and identify vulnerabilities that need to be fixed.
That’s my take on whether ethical hacking is legal or not. Ethical hacking as a profession is completely legal, but certain practices of ethical hackers are not as “ethical” and might get you on the wrong side of the law. Unfortunately, there is no ethical hacking “ethics and code of conduct” bible that I know of.
What’s a better way to learn ethical hacking than to learn it from the best… the experienced white hats who know what to do and when? That’s why I wrote this article reviewing the best ethical hacking tutorials online to provide you with the best materials to get you started.
You’ll get to learn how agencies like the FBI, CIA and NASA spy on you, and how to hack ethically.
As long as there are malicious hackers, there will always be need for ethical hackers.
Companies handle more sensitive personal user information than ever before in the history of civilization, and this information must be protected. So ethical hacking has to be legal because it is the only way ethical hackers can help companies put attackers in check.
Because ethical hacking is legal, it attracts some of the most brilliant minds in tech with excellent problem solving skills to come and secure systems.
Think about it…
If ethical hacking were illegal, it would scare away all these well-meaning information security enthusiasts. It would then be hard for them to obtain sufficient training to stop a malicious hacker right in their tracks. In the meantime, the malicious hackers would continue to freely share the best attack vectors, tools and methods on the dark web.
Guess what would happen once every government organization and big tech has been brought to their knees by the attackers? They’ll rush back passing laws legalizing ethical hacking so that the good guys can come back and save the day…
And I’ll be like, no thanks… I moved on.