Security ethics are guidelines for making appropriate decisions as a security professional. Being ethical requires that security professionals remain unbiased and maintain the security and confidentiality of private data. A strong sense of ethics helps security professionals navigate decisions when mitigating threats from the constantly evolving tactics and techniques of threat actors.
- Legality: Deploying a counterattack on a threat actor is illegal due to laws like the Computer Fraud and Abuse Act of 1986 and the Cybersecurity Information Sharing Act of 2015.
- Defense Only: Security professionals in the U.S. can only defend, not counterattack.
- Vigilantism: Counterattacks are considered vigilantism.
  - Vigilante: A person who is not a member of law enforcement but decides to stop a crime on their own.
- Risks: Counterattacks can lead to escalation, more damage, and harm.
- State-Sponsored Hacktivists: Counterattacks on state-sponsored hacktivists can have serious international implications.
  - Hacktivist: A person who uses hacking to achieve a political goal.
- International Court of Justice (ICJ): Provides guidelines for counterattacks.
- Criteria for Counterattack (per the ICJ guidelines), a counterattack must meet all of the following:
  - Only affects the party that attacked first.
  - Is a direct communication asking the initial attacker to stop.
  - Does not escalate the situation.
  - Can be reversed.
- Organizations: Typically avoid counterattacks due to uncertainty and potential for negative outcomes.
- Tallinn Manual: For more scenarios and ethical concerns from an international perspective.
- Confidentiality (definition): Only authorized users can access specific assets or data.
- Professional Ethics: Respect for privacy and safeguarding private assets and data.
- Privacy Protection (definition): Safeguarding personal information from unauthorized use.
- PII and SPII:
  - PII (Personally Identifiable Information): Information used to infer an individual's identity (e.g., name, phone number).
  - SPII (Sensitive Personally Identifiable Information): A specific type of PII with stricter handling guidelines (e.g., social security numbers, credit card numbers).
- Ethical Obligation: Secure private information, identify vulnerabilities, manage risks, and align security with business goals.
- Laws (definition): Rules recognized by a community and enforced by a governing entity.
- Ethical Obligations:
  - Remain unbiased, conduct work honestly, responsibly, and with the highest respect for the law.
  - Be transparent, just, and rely on evidence.
  - Stay invested in the work to appropriately and ethically address issues.
  - Stay informed and advance skills for the betterment of the cyber landscape.
- HIPAA (Health Insurance Portability and Accountability Act): A U.S. federal law protecting patients' health information (PHI, Protected Health Information).
- Consent: Prohibits sharing patient information without consent.
- Ethical and Legal Obligation: Inform patients of a breach if their healthcare data is exposed.
- Importance of Ethics: Ethics will play a large role in your daily work as a security professional.
- Understanding Ethics and Laws: Helps make correct choices during security threats or incidents resulting in breaches.