In addition to specifying exactly what a penetration tester will and will not do, the range of IP addresses, subnets, computers, networks, or devices that will undergo penetration testing should also be discussed. If verification and decompilation of software is to be included, the copyright in the software must be reviewed to ensure that the copyright allows, and does not prohibit, reverse engineering or revision of the associated software code. The penetration tester must receive documents from those who authorize the penetration test, who specifically approves the penetration test, and that the client who authorizes the penetration test has the authority to do so. The same applies to penetration testing systems that are not under the customer`s control. Be careful here. It is not clear what gives a customer the right to authorize a penetration test. Property? Intellectual property rights? Are you renting an IP range? Software licenses? It`s one thing to “own” a house, another to rent it. By the way, when you do a penetration test, what do you test? Physical security? Logical security? Software security? Software requirements? Hardware requirements? Parameters? Does the fact that a company rents hardware, licenses software and leases space affect its ability to consent? Another topic for lawyers. You must consider the extent of this compensation. What happens if the client provides you with the wrong IP address range and you “hack” the wrong person? Compensation may include damage caused by the other system, which must react and/or insure itself. But what if the FBI breaks down the door of one of your pen testers and hurts (or worse) the pen tester, a colleague, or a family member because someone flagged the pen tester as a “hacker”? Who is then responsible for the damage? Again, these are all negotiating points, but you won`t know if you don`t ask. Penetration testing is the legal form of hacking.
In the United States, penetration testing is a form of ethical hacking with a contract between the ethical hacker and the customer. Indemnification – As a penetration testing service provider, the amount of compensation should be at the top of the priority list. What happens if your client organization provides you with an incorrect IP address? And with the wrong IP address, you`re hacking into someone other than your client`s system. Compensation may include damage caused by the other system, which must react and/or insure itself. According to the CFAA, the legal way to perform penetration testing is with the permission of the party being tested and with the intention of maintaining whitehat or ethical practices. Every decision you make has its own positive and unfavorable side. To protect you from the dangers of penetration testing, we`ve developed some of the legal issues that a company and a penetration testing service provider need to agree on before you start. It is important for the tester to know who owns the company or systems to work on and the infrastructure between the test systems and their targets that may be affected by penetration testing. The idea is to ensure; When I was a kid in the Bronx, a high school buddy got a job as a “security tester” at the Alexander department store on Fordham Road. His job was to shoplift.
This should see if security personnel were doing their job or sleeping at the counter. On his first day on the job, he managed to shoplift for several hours until he was caught at the end of the day. When he was arrested, he showed his ID card (temporary paper) to the security guards and was quickly beaten. He didn`t know if he had been beaten because the guards didn`t believe he was working for management at the time, or because he was. First, a penetration test or “pen test” is a method used to assess the security and/or vulnerabilities of a network. This test is usually done externally, with the tester trying to hack a network or computer. Intrusion into computers and networks is illegal under the Computer Fraud and Abuse Act (CFAA), and depending on your activities and other factors, other federal and state laws may be violated. HIPAA Evaluation Standard § 164.308(a)(8) specifically addresses the security, privacy, and electronic exchange of medical information. Penetration testing requirements allow for technical and non-technical assessments of White Hat hacking security when deemed appropriate and appropriate. Regardless of the assessment, healthcare providers must regularly test data security or face fines ranging from $100 to $50,000 per compromised case.
The tester is unknown to his client – so why should he have access to sensitive data? Okay, so you have a contract that explicitly allows penetration testing, and you`ve agreed that you won`t be liable for any damage you cause.