Penetration tests (pen tests) should be a staple at any business that handles sensitive information. Pen tests are essentially authorized simulated attacks on a computer system to assess the strength of its security.
But what are the legal and ethical aspects of penetration testing? And how is a client’s sensitive information protected during this process?
Today, we’ll be covering the top legal and ethical considerations of pen testing and what you should consider if you’re planning on running them.
1. Legal Authority
Pen testing means that you’re authorizing a hacker to “break in” to a computer or computer network. Ethical hackers (hackers authorized to break into computers) are hired to attempt to penetrate a system or test the security of computer systems.
Ethical hackers often work for large data and tech firms and hold a data science degree. Luckily, clients aren’t expected to pay the average data scientist’s salary; instead, they pay for the service as a whole.
By authorizing the “attack,” security teams can test their systems without placing their information and data at risk. This gives IT teams the chance to fix bugs and weak points in their systems and to keep those systems up to date with the latest technological advances.
However, even when authorized, pen tests are not without legal risks. Therefore, all parties involved should enter into a contract that clearly outlines the aims of the test. This should include the range of IP addresses, subnets, computer networks, and devices that will be subject to the test.
Having a contract protects both the tester and the company.
2. Damage Control
Pen testing can interrupt and impact user systems, especially if you’re testing a production or live system. Therefore, we advise you to notify your users about when pen tests will be run, to limit the potential harm, damage, or disruption caused by the test.
The notification should also explain the purpose of the pen test so that customers understand why it is needed. It is important that customers understand that if they are using those systems while the test is running, they may experience disruptions.
By keeping users informed and remaining transparent, companies can avoid many legal and ethical issues and improve their cybersecurity practices.
3. Indemnification
As mentioned before, we strongly recommend having an effective legal team draw up contracts between the pen tester and the client. We also recommend that contracts are drawn up with any third-party players.
Think about it this way: should the pen test damage important information or documents such as patents, the owners of that information could sue. Having a contract in place would help avoid this issue.
Alternatively, you could also back up any important information on a separate computer network. However, having the proper contracts in place provides an extra layer of protection. The contract should specify responsibility for damages and indemnify the customer for any damages.
The scope of indemnification should consider potential issues such as incorrect IP address ranges or potential injuries arising from FBI involvement.
4. Scope of Work
Your pen test agreement should clearly outline what will be done, what won’t be done, and any underlying assumptions in the agreement. For example, if the pen test is merely an “external” vulnerability assessment, the perimeter (what is “external”) and scope of the test must be defined.
The same is true for an internal pen test, which includes what is being tested, how it is being tested, and for what reason. Avoid phrases like “state of the art,” which have no actual meaning and just serve to raise expectations.
Similarly, the assumptions behind the pen test must be defined. The pen tester will rely on the client to choose which systems should and should not be evaluated. Clearly defining your scope of work and having this in writing will help avoid any confusion and potential legal issues.
5. Licensing and Certification
A pen tester, or a firm offering pen testing, needs the proper licensing and certification. For example, the GIAC offers a penetration testing certification (GPEN), and the IACRB provides a pen testing proficiency certification (CEPT).
Having the proper licensing is important if, for example, you’re requested to present your findings in court. This is common in legal issues and investigations that require computer forensics, incident response investigations, or expert witness evidence.
6. Privacy Issues
A successful pen test can allow the pen tester to get access to a computer or computer network that they should not have been able to access.
This may also include access to data or databases containing sensitive personal information, credit card information, personally identifiable information (PII), or Protected Health Information (PHI).
The pen test may therefore expose the tester to sensitive information that they shouldn’t necessarily have access to. However, should this breach be reported?
The simple answer is yes, especially if it violates the scope of work outlined in the contract. While these situations are preventable, we strongly recommend that you make provisions for such breaches when the contract is drawn up.
Digital Web Services (DWS) is a leading IT company specializing in Software Development, Web Application Development, Website Designing, and Digital Marketing. We provide all kinds of services and solutions for the digital transformation of any business and website.