Law firm risk management. Issues and trends. New business intake, conflicts management, ethical screens, information security, confidentiality compliance, legal. Connecting decision makers to a dynamic network of information, people and ideas, Bloomberg quickly and accurately delivers business and financial. Social Engineering Is It Ethical When I speak to people non Infosec passionate types about the work and research I do around the content I post on Head Hacker, I normally get a few responses. Shock, Disgust and Intrigue. People are shocked because they are not aware of some of these skills and process, they are disgusted because its not right, its not ethical, and a breach of human rights, and then we have the intrigue as I start to really explain what its all about, and what I am doing. People are curious of how this knowledge can help and protect them. So this got me thinking, perhaps I should write a post on why I think people think social engineering is unethical, and why I consider the majority to be ethical, I do think in some circumstances there is a grey area. Ethical Hacking Rules Of Engagement Imdb' title='Ethical Hacking Rules Of Engagement Imdb' />Weve all been forced to do it create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Okay, lets talk about a very serious topic bath mats. Is there a right and wrong way to use them On Friday, Guantnamo death penalty lawyer Richard Kammen announced in a press release that Brig. Gen. John Baker, the Chief Defense Counsel for the Military. Hello all you horrendous love treats, and welcome to Ask Dr. NerdLove, the only dating advice column thats bigger than Knack II. As one of the Souths most innovative institutions in teaching and learning, Kennesaw State University offers undergraduate, graduate and doctoral degrees across two. Ethical Hacking Rules Of Engagement Episode' title='Ethical Hacking Rules Of Engagement Episode' />Ethical Hacking Rules Of Engagement BiancaI have asked quite a few people about their ethical standpoint when it comes to social engineering, as I have on a couple of occasions had semi heated discussions with organisations about techniques that can and cant be used on an engagement. I personally find most professionals ethical in their approach, but some comments from some do make me shudder. I am confident in the fact that I only operate in areas where I feel comfortable that I will be operating in an ethical manner, other areas I have not quite figured out continue to be researched and debated both internally and externally. In the research I have done on ethics of social engineering, I have really not found there to be anything about, perhaps people dont care I think it is a real issue that all professionals should consider, and take time to reflect upon. Why people think Social Engineering is unethical. In my experience most people say social engineering is unethical because you are tricking, or conning someone, stealing data about them, using the information to access sensitive information, get free stuff, gain entry and generally manipulate people to do things, or disclose information. Install Internet Connection Sharing Win 7. I totally understand this thought process, and in a way I think they are correct, there are people out there doing this, and they are both good and very effective with the skills they have, they have become life time criminals. The key issue here is the perception and its a negative one. Not everyone uses their knowledge and skills for breaking the law, they use their skills and knowledge to better the populous, inform and educate to make people less likely to become a victim. The truth of the matter is, you dont really stand a chance of beating the bad guys unless you are exposing yourself to the same skills, tools and environments. In an effort to draw an example, medicine can be used to cure and relieve pain in the right hands. The same medicine in the wrong hands and with the wrong intent can be used to inflict pain, and even kill. Knowledge, process, tools, etc can all be used for positive and negative, its the individual who is responsible for the actions and result. Why and how I think Social Engineering can be ethical. The first reason I think social engineering is ethical is due to the intent. Now I am not saying that the outcome of the exercise may enable someone to do something malicious, but I dont think this is a justifiable reason not to gain knowledge, research, test and experiment. If we never did this, the human race wouldnt evolve. So I feel that any social engineering engagement or activity I undertake or become involved in is for a positive outcome and where appropriate I always seek permission at a high level, and understand any specific areas that are no go, as well as using my own common sense and experiences to guide me. People intentionally manipulate people every day we have all been doing this since birth. We all have different reasons for manipulation perhaps we feel it would be best for the person, or best for us. When we negotiate to get a reduction on an item we are buying, this is a form of manipulation, but as we feel we are not harming anyone, its considered ethically and morally ok. So I feel that if you are researching, carrying out SE with permission, and using the information to benefit people, and educate and bring awareness it can be ethical, and this is certainly how I believe I go about things. Its a little grey. So there are some grey areas. Can an organisation give you permission to manipulate and extract information from the staff they employShould people who are subject to social engineering activities be punished for being the weak link in the chain If you gain generic permission, lets say to hypnotise, then you use this permission to extract sensitive data, is that okI am sure we can all think of many more situations that are not so clear. To be honest, when it comes to these grey areas I am not sure on all the answers. However I try to limit these grey areas by defining up front in an appropriate level of detail what could happen as part of the assessment, types of scenarios and ways to extract data, and that individuals will not be named in reports. Obviously the company may use other techniques to help identify how this information was gained, but that is outside my scope of responsibility. So to that end I would say that I am operating in an ethical manner, and so would anyone else that has considered the above issues. When in doubt dont do it, if your internal ethical and moral compass is unable to guide you, get additional information and input from others who are in an informed and experienced position. I certainly dont think the grey areas are reasons not to carry out social engineering engagements, the criminals are not concerned about ethics, and to test we need to adopt this mindset to a certain degree. It is also important to share our thoughts and research, and we have to let the individuals dig further and use this information as they feel is most appropriate. So to conclude, if you are interested in social engineering, and you want to work with, investigate and research the skills associated, do so in a professional and ethical manner, be mindful of what youre planning, put yourself in the subjects position, how would you feel if someone did to you, what you are planning on doing to them. If youre happy, then its most like a good sign you will be operating in an ethical manner. No one has all the answers, but its a conversation worth having, and to continually question is a good thing. I hope people reading this will want to share their thoughts and experiences, so I welcome and look forward to reading your comments.