November 06, 2023Is Penetration Testing legal?Penetration testing, also referred to as a pen test, is a process by which vulnerabilities in a company's IT system are discovered.[1] The pentester simulates a cyber attack to find out if there are any holes in the system where a hacker could get in. However, as with anything else, there are some legal issues involved.
Blog post cover image

Whether you are trying to avoid security breaches to maintain the security of sensitive client (or company) information or you are just trying to determine how far your obligations go when it comes to information security, it's critical that you understand the legalities of penetration testing.

Bug Bounty Programs

Many tech companies offer bug bounty programs in which a pentester or ethical hacker/white hat hacker can make some extra money finding and reporting bugs in programs/software. The idea behind a bug bounty program is to offer an avenue for ethical hackers to report these security issues in exchange for a monetary reward.

However, while these programs do exist, they don't offer as much legal protection as one might think. We'll take a look at what is permitted in the world of pentesting below and some of the laws regarding pentesting.

What Is Permitted With Pentesting?

Since technology is always changing, there are questions regarding the legal protections in relation to the misuse of new tech or the jurisdiction that governs your organization and clients. One of the biggest issues with computer crimes is that the laws are not clearly defined. Therefore, a company must take action to protect itself from attacks on its internal servers and other information that could be at risk.

Since laws are not clearly defined when it comes to computer crimes, it can be hard to take action against these criminals. No matter how much evidence you gather, there is no guarantee that evidence will be admissible in court. However, due to the Patriot Act, laws can be passed quickly–which can help organizations ensure the safety/security of their sensitive data.

Another issue is that your employees may not always be up to date on the latest tech as the leadership may expect. This leads to a weakened due care/diligence, even though the employees may be giving their best efforts to make sure that they are maintaining due care/diligence. The issue is, if your employees are not well-trained on your tech, even the best efforts will not be enough.

What Laws Do Pentesters Need to Know?

While it's true that technology needs to be considered, the pentesters that you use need to be familiar with the latest legal concerns before they enter into the process of pentesting your site.

One of the major things they should be concerned with is the laws regarding port scanning. These vary from one state to the next, and if a pentester is not familiar with them, they could end up breaking the law and being charged with violation of the Computer Fraud and Abuse Act of America.

Some nations have laws that impede the ability of the pentester to be effective. For example, the UK recently amended their Computer Misuse Act to state that it's illegal to supply/offer to supply a program that could be used to commit or help commit a computer misuse act violation.

The biggest issue is that there are some security tools that are based on the intent of the user, which means there are some challenges to prove that this law is being broken. One of those challenges is whether the user of the tool is being ethical in their approach or not, which can't be accurately discovered easily.

Tips for Gaining Protection

In addition to outlining what the pentester will be doing and will not be doing, you should discuss the IP addresses, networks, computers, devices and subnets that will be involved in the pen test. If decompiling and review of software are part of the pentest, you must examine the copyright to the software to make sure that reverse engineering/code review is not prohibited.

In this case, the pentester needs to obtain paperwork from those who ordered the pentest that authorizes the pentest and acknowledge that the person authorizing the test has the ability to do so.

Cloud customers do not have the authority to blindly authorize testing of their network through the cloud. The test must be authorized by the cloud provider and the pentest must be restricted to the area of the network requested by the cloud customer. If that doesn't happen, the pentester could be charged with unauthorized access.

Things to Consider

One of the main things to keep in mind is how tight the pentester will need to scan the authorized systems. Additionally, the pentester will need to be given permission/authority to conduct the scan. You must be sure to give the pentester the parameters in which to conduct the scan so that they don't end up getting into something they're not supposed to. After all, these ethical hackers do not want to be charged with a cybercrime when they are doing a legitimate test to prevent black hat hackers from getting into a system.

Ten Commandments of Information Security

The Computer Security Institute [2] released a list of "Ten Commandments of Information Security". These are the do's and don'ts when it comes to information security. These are as follows:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people's computer work.
  3. Thou shalt not snoop around in other people's computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid for.
  7. Thou shalt not use other people's computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people's intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

The main reason these "ten commandments" are so interesting is that it covers everything related to information security. These are not complicated at all–they simply state what is acceptable versus what is not acceptable when it comes to information security.

Final Thoughts

When discussing information security, it is clear that the laws that govern this area are always rapidly developing. Rules regarding what needs to be done to maintain clear information security are always evolving–as they should be. Technology is always evolving, and your policies and procedures regarding information security need to evolve as well.

[1],used%20to%20augment%20a%20web%20application%20firewall%20%28WAF%29; [2];