Ethics and Port Scanning
Port scanning, for those who are not totally clear on the practice, is the ability for a computer to send specially tailored packets to another machine and receive a response packet in return. The response will tell the sender if ports are open or closed. Depending on the tool and method of scanning you use, you will also garner additional information such as: services available, present operating system, and tons more.
In this blog I will not be teaching you what port scanning is. Honestly a quick google of "what is port scanning?" will tell you what you need to know. Our discussion will revolve around the ethics of port scanning.
(I also understand that I am not a philosopher, however with my passion for security ethics is a topic that is always close at hand).
Why be concerned about ethics and port scanning? With this particular skill, ethics should never be far from your mind. These two concepts(ethics, port scanning) must be married together so that you, the avid system admin, understand how to conduct yourself "ethically" in the professional landscape.
Ethics deal with the "principles that govern the individual or group." I understand this definition of ethics is fairly general. However I thought I would share how I understand ethics and how it was taught to me by my IT Security Instructor over a decade ago. (Thanks Tim).
Ethics are a guiding principal for the individual. My personal ethics create a framework for what I think is right and wrong.
Ethics differ from morals generally in that there are some things that we as people think are wrong. Morals are over arching and ethics are more personal.
Now let's talk about port scanning:
Before we start I want you to picture a hammer. You know, the kind you use to slam a nail into a wood board.
What can you do with it?
In the hands of a skilled person one could build what ever they want. They could even, if the job required it, disassemble something that was built.
Now with that same hammer ask yourself this, could a person smash a car window and grab a purse that is sitting on the front seat?
Yes, it's possible.
Is the hammer bad? Did the hammer make the person build or destroy?
I say no.
In both of these cases there was clear intent. I want to build something, I use my hammer. I want to steal the purse, I use my hammer.
The hammer is a tool, just like port scanning is a tool. You can use port scanning for good and bad.
There are so many reasons to use port scanning.
Manage Assets: "What do we have on our network?"
-You could use port scanning to help with budgeting, like determining what percentage of present devices are still using old operating systems.
-Monitor for devices that should not be on network
-Analyze devices (printers for example) to assess open ports so you can connect to it.
-Analyze devices to audit your own network for security compliance.
The issue that people have is that quite often port scanning precedes a security event. For example: I scan your computer for open ports, I determine you have an old version of ssh. I bring up metasploit and I craft a exploit/payload tailored to your machine. Launch exploit. I now have full access to your machine. If I had determined the version of your ssh my attack would not have worked. I started with a port scan.
Now we begin to see how port scanning falls into a bit of a gray area. Port scanning's primary function is to check for open/closed ports. Should you be checking ports where you are not invited? There is a popular analogy about a person walking through a neighbourhood walking up to houses and checking door knobs to see if the door is unlocked. Is it bad to check doors? The person is not necessarily doing something "wrong." The problem here is that the act of checking the door is still invasive.
Pair this gray area with the fact that our legal system(Canada) really doesn't understand what port scanning is. It is unclear generally what can be done about folks who actively port scan. The only law that somewhat pertains to this activity is one in reference too tampering with radio frequencies. You could potentially get away with claiming you were just "knocking on the door."
***Personal Opinion Alert***
Port scanning is not new. It has been around a long time, the capabilities of the practice have grown immensely since it's conception.
The old guard ("powers that be", legal systems, etc.) who do not understand what the internet is, are "dyng out." They are being replaced with people who have never lived in a time where the internet was not a thing. Port scanning like other security norms, is known and present. Rules and laws will be built to protect organizations and individuals from supposed "attacks" brought on by port scans. I predict that the future of port scanning will be less gray and more black and white. Gone will be the days where we can scan without fear of reprisal.
So with all that being said. Hopefully you are clear on your own ethics. Read up on laws in your area so that you can understand the risks. Generally though, there are a couple things you should do.
1. Ask permission to scan
2. Build port scanning into your security policies