Legal Pen Test

A legal agreement is beneficial for both parties. Keep in mind that regulations differ from country to country, so stay up to date with the laws of your own jurisdiction, and only sign an agreement after taking those laws into account. For example, security expert Scott Moulton performed a penetration test on a Georgia city's network when the city wanted to connect it to the county network for which Moulton provided E911 services. Moulton ran a port scan and throughput analysis against the city's network to determine whether its computers were vulnerable to exploits. When his port scan revealed significant vulnerabilities, he reported them to his employer and client, the county. Embarrassed by the results, the city called the Georgia Bureau of Investigation, which searched and seized his computer and arrested him for violating Georgia's computer crime laws. That law makes it an offence to use a computer with the intent to "obstruct, interrupt or interfere in any way with the use of a computer program or data," regardless of the duration of the change, damage or malfunction. Because the port scan had slowed the computer down for an indeterminate time, the government suspected Moulton of breaking the law. The illegal aspects of penetration testing mainly concern data leaks, backdoors, and damage.

The same applies to penetration testing of systems that are not under the customer's control. Be careful here. It is not clear what gives a customer the right to authorize a penetration test. Ownership of the property? Intellectual property rights? A rented IP range? Software licenses? Owning a house is one thing, renting it another. For that matter, when you perform a penetration test, what exactly are you testing? Physical security? Logical security? Software security? Software requirements? Hardware requirements? Configuration parameters? Does the fact that a company rents its hardware, licenses its software and leases its premises affect its ability to consent? That is another topic for the lawyers. Before anyone is allowed to test systems holding sensitive data, companies typically take measures to protect the availability, confidentiality, and integrity of that data. For such an agreement to be effective, regulatory compliance is a necessary activity for the organization. A similar view of penetration testing is shared by the UK's national data protection authority – the Information Commissioner's Office (ICO) – which continues to enforce the UK GDPR after Brexit.

In its comprehensive guide to the UK GDPR, the ICO specifically mentions penetration testing as a sustainable way to ensure the effectiveness of your existing security measures. In addition, the ICO made clear in its penalty notice for the well-known British Airways case (ref. COM0783542, sections 6.53-6.56 and 6.66) that inadequate or rarely performed penetration tests are an aggravating factor, which may indicate, among other things, a breach of the GDPR's security requirements. The tester is a stranger to the client, which raises the question of why they should have access to sensitive data at all. Cloud customers likewise cannot simply allow their network to be tested in the cloud: the cloud provider must also permit penetration testing and ensure that the test is limited exclusively to the part of the network the cloud customer requested. If this does not happen, the cloud provider could sue the pen tester for unauthorized access. Another issue that needs to be addressed is the "standard of care" or "professionalism." What type of penetration testing do you perform? Do you only run port scans? Run Nessus and walk away? And what do you guarantee and represent that you will find? A typical penetration testing agreement should require the tester to apply the professionalism and skill that are customary in the industry, but should not promise that the test will find all, or even nearly all, vulnerabilities or misconfigurations. Keep in mind that documenting the absence of findings is just as important as documenting the findings themselves.

Never touch systems or networks that do not belong to you unless you have a legal agreement that allows you to perform specific actions on them. If you have such an agreement, perform only the actions that fall within its scope and rules of engagement. To practice with penetration testing tools and techniques, set up your own environment or use one explicitly built for public practice. Online resources such as Hack The Box and VulnHub provide a controlled environment for practicing penetration testing skills. It is important to note that even when a pen tester is allowed to test something, they must still always act in the best interest of the customer. Stating that the client owns the penetration test report creates another problem. Networks are rarely self-contained; they are interconnected. What should a pen tester do if they discover major vulnerabilities that affect the customer's own customers, third parties, or the public as a whole? Is it their duty simply to tell the customer and remain silent? What happens if they discover a zero-day vulnerability that can have system-wide or industry-wide impact? What should they do then? Even if the customer "owns" the data, does this mean they can control the use of the knowledge the pen tester gains? It all comes down to what the contract says and what the courts will enforce.

This means that a tester needs to know what a tool does before using it and should try it out beforehand to avoid unintended consequences. You also need to define details such as when the penetration test will be performed (what does "off-peak" mean?), the type of access required to perform it, the type of cooperation required to make the test meaningful, and the scope (and nature) of the notification given before the test begins. Clients do not want surprises. Penetration testing is legal in all fifty U.S. states, including California. The Moulton story illustrates some of the dangers associated with penetration testing. Beyond the many practical questions, there are many legal issues that pen testers need to address, preferably before they start work. The following is a brief introduction to things to consider.

The U.S. HHS Office for Civil Rights (OCR) is the nation's primary HIPAA enforcement authority. OCR recently released a detailed security and privacy assessment framework for the Centers for Medicare & Medicaid Services (CMS) with a section dedicated to penetration testing. You must also consider the extent of any compensation clause. What happens if the client gives you the wrong IP address range and you "hack" the wrong party? Compensation may have to cover damage suffered by the owner of that other system, who must respond to the incident and/or insure against it. But what if the FBI breaks down the door of one of your pen testers and hurts (or worse) the pen tester, a colleague, or a family member because someone flagged the pen tester as a "hacker"? Who is then liable for the damage? Again, these are all negotiating points, but you won't know unless you ask. The modern penetration testing market has its roots in the so-called ethical hacking industry, which originated in the late 1990s. Today, countless vendors of all sizes compete in the growing global market, while many companies still view penetration testing only as an optional best practice or a tedious annual exercise imposed by internal security policy. Others are more interested in a "clean" penetration test summary that they can share with customers, partners or investors.