Security Ripcord

There has been a lot of talk about Ethics lately in several Podcasts and blogs. Paul, Larry, and “Twitchy” have really pushed it to the forefront in their show Security Weekly where they have addressed Wireless Piggybacking (Special Edition – Open Show) and teachers assigning social engineering projects for their students (Episode 24). Michael Santarcangelo has just talked to Randal L. Schwartz on his show The Security Catalyst (Episode 26) about his experience with the law and how it has affected his life. Mark Russinovich has informed us of his company’s dealings with Best Buy and how they handle licensed software. Douglas E. Welch, of Career Opportunities, recently talked about being truthful and straight forward in the work place and life (April 21 edition). And, as a member of the SANS Advisory Board and Ethics Council, I have been exposed to several situations regarding ethics.

The point that I have really taken from these recent experiences is that ethics can be hard. Sure the right choice is usually easy to make. For instance, I currently work for a company that requires every employee to have a security clearance. Three weeks ago, when I was walking through one of the conference rooms, I noticed 51 cents on a table. It must have been forgotten by some unknown individual after removing it from his or her pocket to grab a business card or something. Today, as I walked through the same conference room, I noticed the same 51 cents pushed to the back of the table but still visible to everybody entering or leaving the conference room. I started thinking about what we could contribute this to as I walked away. Could it be the fact that we have a bunch of honest employees who are paid well and do not need 51 cents? Could it be that most of them are afraid that this might be a setup by security and pocketing the 51 cents could mean their job? Could it mean that “Twitchy” hasn’t walked through the room, or maybe he did but somebody yelled out “Popcorn?” Or could it be that deep down inside people believed that it was not ethical to take the 51 cents because the owner might come back for it one day?

Actually, I think that it is a little bit of everything. Despite what we see on the news everyday I like to think that most people are honest and good (everybody says this but it is true). Despite how we all tend to trust people to be honest I think that there are people out there who just don’t care. And I also think that there are people out there who like to walk the line stepping one way or the other when it suits them best. And lastly I like to think that there are people out there who are honest and good but who like to challenge the system in an attempt to keep the norm from controlling every situation and ensuring that the boundaries of everyday life do not impose themselves on them. It is this last bunch of individuals that are really addressing the hard ethics questions, or, at least, bringing them to the forefront for all to ponder.

Is port scanning the Internet okay? Is vulnerability scanning the Internet okay? Is piggybacking an unencrypted wireless connection okay? Is packet sniffing the college dormitories network after crawling through the ceiling tiles to get to the switch closet because the door was locked and they should have thought of the ceiling tiles if they wanted to secure the closet okay? The answers to these questions are yes, no, and maybe. Not in that order and of course, the answers are different to everybody. The point is that people are going to push the limits a little bit to determine what is socially acceptable and what is not. Generally these are kids who are exploring their boundaries and we can usually chalk it up to inexperience. It is when these individuals are adults, with a more defined understanding of right and wrong, that we need to be more careful or, if you will, distrusting.

I am starting to see how important it is for people to be flexible in their thinking and yet setting the example in their actions. Defining policy is the most effective way to inform people of where the boundaries lay. Publishing these policies and having open discussions about them are the only way that these policies are going to grow and change with the times. Holding people accountable for blatant violations of policy is a must to set the example of unacceptable behavior. But compassion, understanding, and trust in human nature to not intentionally harm other people and things has to be remembered and considered during any decision making.

I would like to thank all of the people mentioned here for the wonderful insights and opinions. I ask them all to stay true to themselves and to keep pushing society through their actions. And I ask all of you to get permission before you do any port or vulnerability scanning and (cough – cough) wireless piggybacking. And please do not climb in the ceiling, it may be ethically questionable but it is definately dangerous.

Cutaway

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.