1/11/2016
dealing
with
some
hacker
attack
which
has
defence
reduce
technologies
the
risk
to
of
successful attack.
Despite the many millions of dollars expended on research and development in IT
2012:
methods
to
successfully
Next Issue
BLOCKCHAINS a Disruptive Technology for all Businesses but what are the Legal Implications
organisations
government
blockchains. Blockchains is
with
priorities,
diverse
sophisticated
need
technologies.
But
they
continue
to
enforcement,
for
and
collective
approach for
true
IT
defence
This
on
be aware.
the
government
and
will
sectors.
have
very
computer
information
sharing
developed
sophisticated
concentrate
Dr. Adrian McCullagh Ph.D., LL.B. (Hons), B.App.Sc. (Computing). Mob: 0401 646 486
on
these
Deployment of security technology
groups
acquiring
have
the
intention
of
Intellectual
successful
which
decisions
hacking
These
principle
attack.
include,
who
Web
State
Sponsored
group
organisational
will
be
made.
confidential information or it
information.
sole
to
information
from
government
perspective
is
engage
Information
Officers
Chief
to
manage
their
respective organisations IT
infrastructure
because
this
of
organisations
these
in
the
data,
Confidential strategic
organisations.
business
is
and
its
as
organisational
terms
the
crown
Public
impost.
An
For
Available
Maintain integrity, and
Sometimes be subject to confidentiality.
accidentally
components.
surreptitiously
The remaining
framework
has
been
or
left
open
Hacker Classification
hackers.
provide
very
the
security
deployed.
deployed by an organisation.
report
recommendations
identified
systems
vulnerabilities.
the
necessary
Engaging an Ethical Security Testing Team
There are many organisations that provide ethical security testing teams. All of the big 4
accounting
consulting
of
organisations
computer
are
involved).
also
be
an
secret
information
corporate
like
take-over
organisation
is
dependent.
organisation is a member of
Registered
Security
Testers).
This organisation
operates
under
close
have
to
possess
by
the
published
EH
the
owner
on
what
vulnerabilities.
EH will test
may
see
Ethical
security
hacker
to
IT
the
skilled
EH are essentially
Sometimes
the
hacker
Hat
hackers
are
in
general
IT
independent
is
the
IT
system
or
simply
general public.
sell
that
information
to
vulnerability
previously
is
un-identified
cases,
the
In many
research
in their IT infrastructure.
research in IT security.
The
and
the
issues
organisations
should
also
This exercise
include
Software development Companies
Software development companies should not underestimate the value of the intellectual property they have produced. Even small companies have competitors who will eye their intellectual property and will in some cases undertake some not so ethical activities to get hold of their source code. There have been cases where competitors have engaged black hat hackers to obtain a copy of a target's source code. The engagement of an EH will at least identify common
card
processing
and
scope-reduction controls; to undertake application-layer penetration tests which include, at a minimum, the vulnerabilities listed in
components
that
and
vulnerabilities
results
retained
should
and
be
what
Government Institutions
From a risk management perspective, Governments are always cognizant of political risk which very rarely affects the private sector. Government institutions do not want to be mentioned unfavorably in the press and as such they want to ensure that their implemented
public. Consequently, on an
(2)
annual
duty
authorization
basis
government
position
is
now
they
owe
to
the
without
(or
exceeded
organisation.
For
example
in
(4)
thereby
obtained
information.
From an EH perspective it is
for
the
and
(1990).
Computer
Fraud
In addition to these
Ethical Hacking Contracts
accessed
an
attack
under
the
be permitted.
engagement of an EH is the
Rules
Behaviour.
and
possible
will details:
Target
organisation
to
cover
the
50
interest
of
established
the
the
by
(1) intentionally;
of
Engagement
This document
What is to be done;
When it is to commence;
When it is to be completed;
Who is to know about the impending attack;
How the attack is to be carried out; and
Sometimes even where the attack is to originate and which systems are to be attacked.
to be penetrated.
that
any
own
the
Cloud
IT
The EH should
legally
recognised
authorisation
has
been
agreement
which
regime.
Any
could
also
result
in
criminal prosecution.
Conclusion
The engagement of an EH is an added tool in ensuring that any deployment of IT
accidentally or surreptitiously
have
been
settled
the
some
negotiated.
Notwithstanding,
From the EH
vulnerability.
the
treatment
is
infrastructure
where
it
may
become
tools
is
that
are
relatively
complicated especially if a
cloud
an EH.
infrastructure
is
As
noted
previous
unknowns
thing
IT
treat
vulnerabilities;
tested
not
know.
unknowns unknowns as
In
as
in
a
secure
otherwise
it
could
the
perspective
IT
security
the
the
to
become
identifiable
but
reclassify
the
the
If you wish to subscribe or unsubscribe to this newsletter then please contact the author by
email at the above email address.
Further if you require any assistance with anything discussed in this newsletter then
please contact the author.
PLEASE NOTE this paper is NOT the provision of legal advice. If a reader has an issue
then they should seek appropriate legal advice. The author makes no warranty as
to correctness of anything contained in this paper. This paper is the sole opinion of
the author and must not be relied upon as legal advice. Every situation is different
and as such proper analysis must be undertaken when seeking a legal opinion.
Consequently, the author takes no responsibility for any errors that may exist in this
paper and certainly takes no responsibility if any reader takes any actions based on
what is (expressly or by implication) contained in this paper. All readers take full
responsibility for anything they may do in reliance of anything contained in this
paper.