Keeping it Legal | Ethical Hacking, Ethics, and Legality



An ethical hacker should know the penalties for unauthorized access to a system. No ethical hacking activity associated with a network penetration test or security audit should begin until the target organization has delivered a signed legal document giving the tester express, written permission to perform the specified activities against the specified systems. Ethical hackers need to be judicious with their skills and recognize the consequences of misusing them.
Computer crimes can be broadly divided into two categories: crimes facilitated by a computer (the computer is a tool) and crimes in which the computer itself is the target.
The most important U.S. laws regarding computer crime are described in the following sections. Although the CEH exam is international in scope, make sure you familiarize yourself with these U.S. statutes and the punishments for hacking. Remember, good intent does not place a hacker above the law; an ethical hacker who tests without authorization, or who exceeds the scope of the authorization, can be prosecuted under these same statutes.

Cyber Security Enhancement Act and SPY ACT

The Cyber Security Enhancement Act of 2002 authorizes sentences of up to life imprisonment for hackers who knowingly or "recklessly" cause or attempt to cause death through a computer attack. Malicious hackers who create a life-threatening situation by attacking the computer networks of transportation systems, power companies, or other public services or utilities can be prosecuted under this provision.
The Securely Protect Yourself Against Cyber Trespass Act of 2007 (SPY ACT) addresses the use of spyware on computer systems. Note that the SPY ACT passed the House of Representatives but was never enacted into law; it is still worth knowing because it describes the behaviors legislators consider spyware. It would essentially prohibit the following:
  • Taking remote control of a computer without authorization
  • Using a computer to send unsolicited information to people (commonly known as spamming)
  • Redirecting a web browser to a site the user did not authorize
  • Displaying advertisements that force the user to close the web browser (pop-up windows)
  • Collecting personal information through keystroke logging
  • Changing the browser's default home page
  • Misleading users into clicking a web page link, or duplicating a legitimate web page to deceive a user
The SPY ACT is important in that it recognizes pop-ups and spam as more than mere annoyances and treats them as genuine attack techniques. It lays a foundation for prosecuting hackers who use spam, pop-ups, and links in email as delivery mechanisms.

18 USC §1029 and 1030

The U.S. Code categorizes and defines the laws of the United States by titles. Title 18 covers "Crimes and Criminal Procedure." Section 1029, "Fraud and related activity in connection with access devices," makes it a crime to produce, use, or traffic in counterfeit or unauthorized access devices (or telecommunications instruments modified to obtain unauthorized service) with intent to defraud; several of its subsections apply when the value of services or products obtained reaches $1,000 or more within a one-year period. Because "access device" is defined broadly, Section 1029 also criminalizes the misuse of computer passwords, account numbers, and other access credentials such as token cards.
Section 1030, "Fraud and related activity in connection with computers" (the Computer Fraud and Abuse Act), prohibits accessing a protected computer without authorization, or in excess of authorized access, and causing damage. This statute criminalizes spreading viruses and worms, transmitting code that damages systems, and breaking into computer systems without permission. For a penetration tester, the practical point is that authorization is the dividing line: the same port scan or exploit is lawful inside a signed scope and a federal crime outside it.

U.S. State Laws

In addition to federal laws, many states have their own laws addressing hacking and the auditing of computer networks and systems. Before performing penetration testing, review the applicable state laws to ensure that you stay on the right side of the law. In many cases a signed testing contract, a statement of the rules of engagement, and an NDA will suffice to document the intent and nature of the testing; keep these documents with you during the engagement.
The National Security Institute has a website listing all the state laws applicable to computer crimes. The URL is

Federal Managers Financial Integrity Act

The Federal Managers Financial Integrity Act of 1982 (FMFIA) is essentially an accountability act: it requires that those managing federal financial accounts do so responsibly and protect the assets in their charge. That requirement can be read to encompass all measurable safeguards that protect assets from a hacking attempt. The act essentially ensures that
  • Funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation.
  • Obligations and costs comply with applicable laws.
The FMFIA is important to ethical hacking because it places responsibility on the organization's management for the appropriate use and protection of funds and other assets. Consequently, this law makes management responsible for the security of the organization and for ensuring that appropriate safeguards against hacking attacks are in place.

Freedom of Information Act (FOIA)

The Freedom of Information Act (5 USC 552), or FOIA, gives the public the right to request records held by federal agencies, subject to a set of exemptions (for example, classified material, trade secrets, and personal privacy). Much of what agencies produce, including contracts, audits, and correspondence, can be obtained through a FOIA request. Any information gathered under this act is fair game when you are performing reconnaissance and information gathering about a potential target, and an attacker can use it the same way.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) of 2002 is the statutory basis for the kind of testing ethical hackers perform against federal systems: it makes periodic security assessment a mandatory requirement for government agencies rather than an optional exercise.
FISMA requires that each federal agency develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information security program must include the following:
  • Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency
  • Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system
  • Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
  • Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks
  • Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including the management, operational, and technical controls of every agency information system identified in their inventory) with a frequency depending on risk, but no less than annually
  • A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency
  • Procedures for detecting, reporting, and responding to security incidents (including mitigating risks associated with such incidents before substantial damage is done, and notifying and consulting with the federal information security incident response center and, as appropriate, law enforcement agencies, relevant Offices of Inspector General, and any other agency or office, in accordance with law or as directed by the President)
  • Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency
Because the act requires testing and evaluation at least annually, it creates an ongoing demand for ethical white hat hackers to perform continual security audits of government agencies and of the contractors that operate systems on their behalf.

Privacy Act of 1974

The Privacy Act of 1974 (5 USC 552a) governs how federal agencies collect, maintain, and disclose records about individuals. It generally prohibits an agency from disclosing a record about a person without that person's prior written consent, subject to a list of statutory exceptions, and gives individuals the right to access and correct their own records.

USA PATRIOT Act

This act, whose official name is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, expanded the government's authority to intercept wire, oral, and electronic communications, and it added computer fraud and abuse offenses to the list of crimes for which a wiretap order can be obtained. The Patriot Act was enacted primarily to deal with terrorist activity, but it also serves as a surveillance mechanism for discovering and prosecuting hacking attempts.

Government Paperwork Elimination Act (GPEA)

The Government Paperwork Elimination Act (GPEA) of 1998 requires federal agencies to give people the option of using electronic communications when interacting with a government agency. GPEA also encourages the use of electronic signatures. When valuable government information is stored and transmitted in electronic form, both the number of targets and the stakes for hackers increase.

Cyber Laws in other Countries

Other countries each have their own laws regarding the protection of information and the prosecution of hacking attacks. When you are performing penetration testing for an international organization, it is imperative to check the laws of the governing nation to make sure the testing is legal in that country. Because attacks cross regional and international borders in milliseconds over the Internet, a remote engagement can easily cross them too. When you are performing an external remote attack, the data may be stored on servers in another country, and the laws of that country may apply to your actions against it. It is better to be safe than sorry, so do the research before engaging in a penetration test for an international entity. In some countries the laws may be more lenient than in the United States, and this may work to your advantage during information gathering, but remember that the laws of your own jurisdiction still apply to you regardless of where the target sits.
