In their paper on understanding risks associated with hackers/crackers, (Smith, & Rupp 2002) discuss the various types of classification hackers have been placed into by different authors over the years. They distinguish the difference between a hacker and a cracker demonstrating that a hacker generally refers to someone who builds things, while the former has malicious intent to break or cause damage to systems. Hackers also fall into the categories of ethical and nonethical, the latter being aligned with the term ‘cracker’. Nonethical hackers have been categorized into different groups over the years ranging from high school pranksters who want to break into systems for the excitement right through to criminal hackers, who make a living at what they do. The Landreth Study was the first attempt used to classify these types of hackers and grouped them from novice through to thief. The novice category refers to mischievous individuals who seek excitement in breaking into systems like the high school kid example above, while the latter poses the greatest threat. The category of thief would most closely be aligned with that of a criminal hacker which they are commonly referred to nowadays and it is this group that poses the largest threat.
Jain (2008) distinguishes between nonethical and ethical hackers by pointing out that while hacking as an activity refers to the art of breaking into the system, it is the intentions of the hacker that make the activity criminal or ethical. Therefore a hacker with malicious intent is a criminal hacker and one who takes part in hacking to help others in exposing security flaws is an ethical hacker. Jain goes on to discuss the legal quandary as to how it can be proved whether or not the hacker has criminal intentions. This raises issues when we consider the possibilities that a potential innocent ethical hacker could be treated as a criminal or an unethical hacker getting away with a crime. Regardless of this legal grey area, Jain makes recommendations that IT security managers should consider hiring ethical hackers in order to assess how safe their information systems are. Palmer (2001) also suggests that organizations have come to realize that one of the best ways to evaluate the intruder threat to their interests is to have independent computer security professionals attempt to break into their computer systems.
Other concerns with ethical hacking surface when discussing the potential for an ethical hacker to change their intentions leading to malicious behavior. Pashel (2006) discusses the ethical implications of providing ethical hacking training and education to students and discusses the problem that the general population does not thoroughly understand computers and the damage that can be caused by the unethical use of them. Pashel concludes that with many skill sets, it is not unlikely that a handful of students would use their new found skills in a malicious way, however the benefits out way this by providing important skills in network security. Ethical hacking no doubt will continue to be scrutinized in different ways, however at the same time, professionals with these skill sets who use them in a non-malicious manner, will continue to be invaluable resources for companies needing to secure their networks as more advanced threats surface.
References:
- Jain, R. K. B. (2008). Hacking–Ethical or Criminal A Legal Quandary. ICFAI Journal of Information Technology, 49–56.
- Palmer, C. C. (2001). Ethical hacking. IBM Systems Journal, 40(3), 769–780.
- Pashel, B. A. (2006). Teaching students to hack: ethical implications in teaching students to hack at the university level. In Proceedings of the 3rd annual conference on Information security curriculum development (pp. 197–200). New York, NY, USA: ACM. doi:10.1145/1231047.1231088
