INVITATION TO CYBERSECURITY 258

Before the pentesting began, Bob had done everything by the book. He had the client sign a permission memo and a limited liability agreement, he carefully defined the scope of the tests and the rules of engagement, and he signed a non-disclosure agreement. During the tests, after he gained root access to a server, he pivoted to the local area network router, set up a packet sniffer, and let it run overnight. When he collected the PCAP file the next day for analysis, he was surprised to see that he had captured unencrypted VOIP traffic from the night before. At this point, he realized his testing scope was not as comprehensive as he thought it was. VOIP traffic was not expressly forbidden, but then again, the client may not have realized that agreeing to the collection of all network traffic might include plaintext phone calls.

Bob's curiosity got the best of him, however, and as his heart raced as it often did during his hacking escapades, he listened to the late-night call. It turned out to be a personal conversation between the president of the organization, who was the one who had hired Bob, and the president's wife. They were discussing a serious and private medical condition. Immediately afterwards, Bob's heart sank. He realized that he had crossed a line and violated the trust of his client: even if it was in scope to listen to VOIP traffic, listening to a call that took place after normal business hours would be difficult to justify.

But now he was not sure what to do. Like much of what happens in cyberspace, Bob reasoned that there was no way anybody would ever discover what he had done. Even on the off chance that someone might realize he had access to VOIP traffic during the pentest, Bob could convincingly deny that he had ever listened to any of the calls. Plus, he was pretty sure that he was under no legal obligation to report the incident. Besides, if he confessed what he had done, not only would it create awkwardness between him and the client, but it could result in him being fired from the project, and it could damage his reputation as an ethical hacker. But on the other hand, something seemed unethical about not coming clean about his lapse of judgement...

10.1.1.1 Affected Parties

"The principles of justice are chosen behind a veil of ignorance." - John Rawls

The first step in an ethical analysis is to pause and consider how the action will affect others and not just oneself. Ethical paradigms are concerned with the impact of the action on all of the affected parties. The affected parties are all the people who will be impacted by the decision. Some of the affected parties may not be obvious; it takes careful thought to consider everyone who may be impacted. Identifying the affected parties is a crucial step in formulating a robust ethical analysis.