Cybersecurity Ethics: How Far Is Too Far?

When doing their work, cybersecurity professionals often come across situations that put their skills to the test. And sometimes those tests have far less to do with technology or business than with questions of ethics.


When cyber professionals discover vulnerabilities while performing penetration tests or some other security-related work, is it OK to disclose those vulnerabilities publicly? What happens if system owners are made aware of issues but decide to ignore them? And at which point, while testing systems containing private information, do cyber professionals reach a line they should not cross?


These questions were part of a lively panel discussion today at the (ISC)2 Security Congress 2019, taking place in Orlando this week. The session, “Ethics Dilemmas Information Security Professionals Face,” was moderated by Biljana Cerin, CISSP, CEO of Ostendo Consulting and Chair of the (ISC)2 Ethics Commission. Joining her were committee members Wim Remes, CISSP, Founder and Principal Consultant of NRJ Security; William H. Murray, CISSP, retired security professional; and William Campbell, President of Predictable Solutions.


Legal Coverage


Much of the discussion centered on the ethical boundaries of penetration testing. There have been cases in which security researchers were arrested for doing their work. To avoid such a fate, Remes stressed the importance of clarity upfront.


“Make sure there is a clear contract,” Remes said. “The contract is where everything starts and stops.”


Sometimes, during penetration tests, researchers may find vulnerabilities in third-party systems, which raises questions on how to proceed. If the client, who is paying the security consultant, decides not to notify the third party, it can create an ethical dilemma for the consultant.


In such situa ..