Is ethical hacking a cybercrime in SA?

The short answer: generally not, but it could be. Okay, so I’ve given you the short answer. Yay! But obviously, you need to know my reasoning so that when someone asks you if it’s a cybercrime, you can explain why it’s probably not. Also, you need to know when it could be a cybercrime so you can avoid that event.

At the end of this post, you’ll:

  • understand ethical hacking and its phases
  • know whether ethical hacking is a cybercrime under SA law
  • grasp a scenario where ethical hacking could be cybercrime and how to avoid it

What is ethical hacking?

Before I define ethical hacking, let’s start with a basic understanding of hacking.

What is hacking?

In simple terms, hacking refers to the event where a person or software bot exploits a vulnerability in a computer network to get access to data or software with or without having the authority to do so.

Let’s make this definition real with an example. Melon Husk, a disgruntled employee of Webb (Pty) Ltd, uses a software programme to access his CEO’s laptop—with or without the CEO’s permission—and tries to steal the company’s financial information.

What is a hacker?

A hacker is a person or bot that tries to access a computer system through a vulnerability in the system.

So, in the example above, Melon would be the hacker.

Unsurprisingly, most people automatically assume hackers are villains and that hacking is wrong. It’s unsurprising because the mainstream media and film have historically (and unimaginatively) portrayed hackers as having malevolent motives or being overzealous anarchists. Don’t believe me? Check out this list of hacking movies from 1954 to 2021.

But the reality is that there are different hackers and hacking. And each hacker has a specific motive.

3 types of hackers

  1. Black-hat hackers. They hack networks illegally, without authorisation, usually for personal (often financial) gain.
  2. White-hat hackers. They hack networks legally, with authorisation, and expose network weaknesses so the organisation can plug them and defend itself. As such, their hacking is “ethical”, and so they are also known as “ethical hackers”.
  3. Grey-hat hackers. They discover vulnerabilities in a network and report them to the network’s owner. But they do the hacking without authorisation and sometimes ask for payment. At first blush, it’s unclear whether their actions are illegal. Under the Cybercrimes Act, though, the test is authorisation, not motive: access without it is unlawful however well-intentioned the report that follows.

So, I define “ethical hacking” as the event where a person or software bot exploits a vulnerability in a computer network to access data or software with the authority to do so.

Why is it popular?

Ethical hacking is popular because it:

  • finds the weaknesses a malicious hacker would use, before they do
  • gives you a realistic measure of how hard your network is to break into
  • identifies specific vulnerabilities so you can fix them in priority order
  • tests whether the security controls you already have actually stop an attacker
  • helps you build trust with your stakeholders (customers, investors, and personnel) by showing you take the security of their data seriously

6 phases of ethical hacking

After deep introspection and scolding from his mother, the hacker, Melon Husk, decides to make a career change and becomes an ethical hacker. Consequently, he advertises his services, and you choose to engage him to assess the strength of your network.

In providing you with his services, he goes through the following phases.

1. Reconnaissance

During the first phase, Melon gathers information about you, your computer network, and the people in your business.

Practically speaking, he conducts “dumpster diving” and “footprinting”.

  • Dumpster diving. He searches discarded material (paper, old devices, backup media) for valuable information like old passwords and personnel details (especially IT staff), and studies how your organisation functions.
  • Footprinting. Melon collects data on your organisation’s security posture (cybersecurity readiness). He performs both active and passive footprinting. With active footprinting, he interacts directly with your network to gather information, using tools like Hping or Nmap; because it touches your systems, it already needs your authorisation. With passive footprinting, he collects information about you without touching your network at all, for instance from social media, public websites, DNS records and job adverts.

2. Scanning

Melon then tries to identify vulnerabilities in your system using software like Nexpose or Nmap.

There are three methods of scanning:

  1. Pre-attack. Melon scans the network for specific information based on what he gathered during reconnaissance.
  2. Port scanning. Melon tries to get information about:
    1. open ports (a port is a number that identifies which service on a host should receive a connection, so an open port tells him a service is listening),
    2. live systems, and
    3. the various services, and their versions, running on your network.
  3. Network mapping. Melon maps your hosts, routers, and firewalls by drawing a network diagram. The map is a valuable guide throughout the hacking process.
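Since the rest of this post turns on staying inside the authority the SOW grants, here is a small added example (not from the original post, and a plain TCP connect scan rather than Nmap) of how a tester’s scanner should treat the SOW scope as a hard gate: every requested target is checked against the authorised ranges before a single packet is sent, and an out-of-scope host is an error, not something to skip quietly. The scope list and target list are constructed samples using documentation address ranges.

```python
"""Scope-gated TCP connect scanner (added example, not from the post).

The authorised scope from the SOW is the only thing that makes the scan
lawful, so the scanner refuses any target that is not covered by it.
"""
import ipaddress
import socket

# Constructed sample SOW scope: networks and hosts the client authorised in writing.
AUTHORISED_SCOPE = ["192.0.2.0/24", "198.51.100.10", "127.0.0.1"]

# Constructed sample target list a careless tester might feed the scanner.
# 203.0.113.7 is NOT in the SOW scope.
REQUESTED_TARGETS = ["192.0.2.15", "192.0.2.200", "203.0.113.7", "127.0.0.1"]


def in_scope(target, scope):
    """True only if `target` falls inside one of the authorised networks or hosts."""
    ip = ipaddress.ip_address(target)
    # strict=False lets a bare host such as "198.51.100.10" be treated as a /32.
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in scope)


def partition_targets(targets, scope):
    """Split the requested targets into (authorised, refused) before any scanning."""
    allowed, refused = [], []
    for target in targets:
        (allowed if in_scope(target, scope) else refused).append(target)
    return allowed, refused


def scan_ports(host, ports, scope, timeout=0.5):
    """TCP connect scan of `host`; returns the sorted list of open ports.

    Raises PermissionError for an out-of-scope host so the tester sees the
    problem instead of the scan silently touching an unauthorised system.
    """
    if not in_scope(host, scope):
        raise PermissionError(f"{host} is outside the authorised scope; not scanning")
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            # connect_ex returns 0 when the TCP handshake completed, i.e. port open.
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def demo_local_scan():
    """Self-contained check: scan a listener we open ourselves on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released again, so a connect to it should be refused
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port], AUTHORISED_SCOPE), open_port
    finally:
        listener.close()


if __name__ == "__main__":
    allowed, refused = partition_targets(REQUESTED_TARGETS, AUTHORISED_SCOPE)
    print("authorised:", allowed)
    print("refused (outside SOW):", refused)
    found, expected = demo_local_scan()
    print(f"loopback scan found open ports {found}, expected [{expected}]")
```

The point is where the check sits: inside `scan_ports`, not in a wrapper the tester can forget to call. Keep the scope file under version control alongside the signed SOW, so any change to what the tool is allowed to touch leaves a written trail, which is exactly what the tips at the end of this post ask for.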

3. Gaining access

Now that he’s identified the vulnerabilities, Melon tries to exploit them to get into your systems, applications and network. He then escalates his privileges (for example, from an ordinary user account to an administrator account) so that he controls the system.

4. Maintaining access

As Melon navigates the system, he puts measures in place to ensure he maintains ongoing access to the system.

For example, he creates backdoors so he can get back in later, typically with the help of a penetration-testing framework like Metasploit. Alternatively, he uses:

  • trojans (malware disguised as a harmless file so that a user runs it),
  • rootkits (software that hides its own presence on a machine while keeping privileged access), or
  • other malicious files.

On an authorised engagement, every backdoor or persistence mechanism he plants must be recorded and removed when the test ends. A backdoor you don’t know about is precisely the kind of access the SOW exists to rule out.

5. Clearing tracks

Then, Melon tries to keep the attack discreet by hiding the indicators that the system has been compromised. He does so by deleting or altering log entries, removing the tools and temporary files he uploaded, and closing the ports and accounts he opened. In a real attack, this step matters because it makes the intruder harder to trace and evidence of the attack harder to find. In an authorised test, it shows whether your monitoring notices that kind of tampering, which is also why the tester keeps a timestamped record of every action so you can reconcile what happened afterwards. Many clients exclude log tampering from the SOW altogether.

6. Reporting

In the reporting phase, Melon reports his findings. The report:

  • identifies the vulnerabilities he found and where they sit
  • specifies the tools and techniques used for the attack
  • describes how far the attack got and rates the severity of each finding
  • recommends how to fix each one

Based on the report, you’ll be able to assess the strength of your systems to withstand hacking.

Is ethical hacking a cybercrime under SA law?

Generally, no.

My reasoning: the Cybercrimes Act doesn’t list or describe ethical hacking as a cybercrime. More importantly, look at how the Act frames the offences it does create. Unlawful access to a computer system (section 2) and the related offences (intercepting data, interfering with data or systems, and possessing or using hacking tools) all require the conduct to be unlawful and intentional. An ethical hacker who stays within the authority the system owner gave them isn’t acting unlawfully, so the elements of the offence aren’t met. Two caveats follow: the authority must come from someone entitled to give it (your hosting provider or SaaS vendor usually has its own rules about testing their infrastructure, so check before the test touches systems you don’t own), and it covers only what was actually authorised.

Can ethical hacking be a cybercrime?

Yes.

Usually, when you contract with an ethical hacker, you enter into a services agreement with them. Beyond the standard legal terms in the agreement, there’ll be a statement of work (SOW). The SOW is crucial as it defines the scope of work the ethical hacker performs for you. In other words, in the SOW, you give the ethical hacker authority to perform ethical hacking on your network for a specific purpose.

But what happens if the ethical hacker exceeds this authority (in any of the ethical-hacking phases)? For instance, they may hack a network that doesn’t fall within the scope of the SOW.

Well, if they exceed the authority granted to them under the SOW, there’s no consent behind whatever they did outside it, so that access is unlawful. And the Cybercrimes Act says that unlawfully accessing or manipulating a computer system is a cybercrime. Boom! You’re a cyber-criminal.

Okay, so how do you prevent this from happening? Here are some tips:

  • Conduct thorough due diligence on your ethical hackers.
  • Negotiate tight SOWs: describe the scope as an explicit list of assets (IP ranges, domains, applications, accounts), set testing windows, name the systems and techniques that are excluded, and reduce any scope changes to writing before they take effect.
  • Get written authorisation from any third party (hosting or cloud provider, software vendor) whose systems the test will touch.
  • Deliver clear written instructions to your ethical hackers, agree on communication channels, and name a contact who can halt the test if something goes wrong.

Actions you can take

  • Manage your ethical hacking relationships by asking us to draft solid ethical hacking services agreements for you.
  • Reduce your risk of committing cybercrime by asking us to train your ethical hackers on the pitfalls of exceeding SOWs.
  • Understand the impact of the Cybercrimes Act on your organisation by subscribing to our cybercrime programme.