Lab401 is Europe's leading partner for pentesters, security professionals and law enforcement. Our tools and learning materials are provided to allow authorized security auditing and security analysis by professionals, as permitted under local and international laws.
It is important for security professionals to understand and adhere to their legal, moral and professional engagements.
Below is a non-exhaustive guide for understanding how to ensure compliance during security audits.
The goal of an ethical hacker is simple: attack and infiltrate company networks before malicious actors have the chance. By identifying key network, software and hardware vulnerabilities, ethical hackers help organizations identify potential weaknesses, design better defences, and deploy improved risk mitigation strategies.
As noted by the U.S. Bureau of Labor Statistics, there’s an increasing demand for trained and truthful hackers. Over the next eight years, the agency predicts “much faster than average” job growth with a 32% increase in available positions. As malicious actors leverage everything from advanced, fileless malware techniques to open-source vulnerabilities and old-school phishing attacks, it makes sense that enterprises need experienced, ethical hackers to help shore up key defences.
Ethical hackers are now essential to securing new technology systems, such as the Internet of Things (IoT). According to the FDA, for example, white-hat hackers helped uncover critical issues with connected heart monitors that made it possible for attackers to control these devices and change implant settings remotely.
But given the natural grey area occupied by ethical hackers, how do IT professionals — and organizations — ensure adequate security even as they compromise vital systems?
Hats off to hackers
When it comes to breaking rules in the right way, three components are critical:
As a result, it’s worth examining the three common classes — or “hats” — of hackers and how they impact IT outcomes:
Black Hat — these hackers are the stereotypical “bad guys” — they compromise and infiltrate systems to cause harm or steal data. Black hat hackers may steal and exfiltrate information, install ransomware and demand payment, or damage key systems. These attackers may operate alone or in groups and obey no regulatory codes.
Lab401 does not endorse or condone any "black-hat" or illegal activity.
Grey Hat — this hacker often has good intentions but operates outside the legal frameworks that govern IT security. They may use common vulnerabilities or free hacking tools to compromise enterprise systems or software and then warn designers and developers that flaws exist.
Lab401 does not endorse or condone any "grey-hat" or illegal activity.
White Hat — these hackers operate with the express permission of enterprises. In some cases, they’re directly employed by companies; in others, they operate as contractors or part of third-party services. They may perform penetration tests or “red team” exercises designed to infiltrate systems and report their findings actively. White hat hackers combine intention and regulation to enhance IT security.
While any IT professional can assume the role of white hat hacker with corporate permission, many organizations are now looking for staff with specific certifications that speak to their attack acumen and security skillset. Popular qualifications include:
Certified Ethical Hacker (CEH) — this EC-Council certification evaluates the ability of IT professionals to identify, address, and remediate key security concerns
Global Information Assurance Certification (GIAC) — managed by the SANS Institute, the GIAC program offers a variety of ethical hacking-focused qualifications such as the GIAC Penetration Tester certification
Offensive Security Certified Professional (OSCP) — designed for experienced IT professionals; this highly technical certification focuses on active system hacking that demonstrates a clear understanding of the penetration testing process
Laws and order
Because ethical hackers exist at the intersection of cybersecurity and system compromise, frameworks have been developed to define key roles and describe essential obligations. These rules fall into three broad categories:
Government regulations — legislation varies by location — for example, the California Consumer Privacy Act (CCPA) governs the corporate collection, storage, and transmission of consumer data. This means ethical hackers must take care not to expose or compromise this data while evaluating enterprise systems. The federal Computer Fraud and Abuse Act (CFAA), meanwhile, defines specific penalties for “accessing a computer and obtaining information” or “negligently causing damage and loss by intentional access.” As a result, it’s critical for ethical hackers to ensure all corporate hacking plans come with supporting documentation to prevent potential prosecution.
Enterprise expectations — ethical hacking requires detailed documentation to ensure companies get the results they’re looking for, and IT professionals have clearly-defined boundaries. For example, enterprises may want specific systems or software tested, and others left alone — clear expectations combined with written direction ensures ethical actors and enterprises are on the same page. And this helps avoid potential problems after contracts are concluded, or IT professionals leave for another opportunity.
Professional obligations — white hat hackers are also governed by professional obligations laid out by certification-granting bodies. For example, the EC-Council’s code of ethics comes with specific direction for IT pros, including:
- Protection of intellectual property
- Disclosure of potential damage or harm to affected parties
- Use of IT property and networks only as authorized
- Prioritizing ethical conduct and professional care
Failure to comply with these ethical obligations will result in the loss of ethical hacking certifications.
Furthermore, Lab401 provides its tools and training specifically and uniquely for use in ethical and legal situations. Users are solely responsible for compliance with all laws of their locality. Lab401 holds no responsibility for unauthorized or unlawful use.
These rules are formalised in our Terms and Conditions of sale, and are legally binding engagements: for more information, please refer to our Terms and Conditions.