Penetration testing and law

What is meant by pen test

Penetration testing, as the name suggests, penetrates into a computer system or network to test its security and check for risks and loopholes. It is a component of a computer security audit and a method of evaluating the security of a computer, system or network by launching simulated attacks. It is popularly known as a pen test. The persons conducting pen tests are called penetration testers or pen testers.

Pen tests are conducted in many ways. Basically, there are two types of pen test: white box and black box. In simple language, there are internal and external pen tests. In an internal pen test the pen testers have some internal knowledge and authorization given by the owners to conduct the test, and the test is conducted inside the organization, while external pen tests are conducted from outside the organization, from an attacker's perspective.

However, while performing a penetration test it is very important to seek permission from the company involved, which may include third parties in case the company has outsourced or managed services as part of its IT infrastructure.

It is necessarily important for the pen tester to have a clear understanding of who owns the systems they are targeting and of the infrastructure between the testing systems and the targets, which might be affected by the testing. The global nature of information technology infrastructure, cloud computing, outsourcing and managed services, combined with new legislation, has added complexity to penetration testing in recent times.

Permissions for penetration testing

It is an essential prerequisite to obtain written permission before starting a penetration test. This is also important in the case of an internal pen test conducted by internal staff, since the test may affect the performance of systems and issues relating to confidentiality and integrity may arise. The owner of the system or the decision maker should agree to put the scope of such tests in writing. Clarifications may be provided in detail in case of any doubts arising during the test. Although the written permission document is the tester's get-out-of-jail-free card, enabling them to get out of an undesirable situation, it is not above the law.

In some cases, it is not clear who the owner of the systems and infrastructure is. In such cases, it is advised to get clarification. Sometimes there might be additional infrastructure and systems, so it is also recommended to get permission from the owners of such systems and infrastructure to ensure that the pen tests do not impact them directly or indirectly. It is also necessary to confirm the individual systems with the client, to confirm that they know who the system owner is and whether the systems are within the agreed scope of the permission needed for the test.

While performing external penetration tests across the Internet, it is important to notify the relevant network service providers, i.e. ISPs (companies and customers). This is essential for various legal, technical and other informational reasons.

Infrastructure can be affected by pen tests for many reasons. There is also a possibility that legal implications might crop up, wherein a third party issues a legal notice or files a suit in court.

Legal aspects of penetration testing

It is most important to have clear legal awareness, in addition to permission and technical issues. With the growing trend in global markets, outsourcing and cloud computing are the most important structures and technologies considered by business houses, corporates and multi-national companies. The legal aspects relating to these areas may involve the laws of more than one country due to their global nature.

The famous legal saying "Ignorance of the law is no excuse" has to be primarily considered when handling the legal framework pertaining to such technologies. So it is necessary to have a brief overview of the relevant laws of various countries. The enforcement of laws varies in each country. In some countries, despite there being no specific computer laws, computer crimes may be dealt with using existing laws.

Data protection laws impose certain mandates on the handling of confidential information. Compliance with these legal standards is therefore a must, as non-compliance could attract legal penalties and sanctions. Legal agreements like non-disclosure agreements and other confidentiality agreements need to be executed between the pen tester and the company going for the penetration test.

These agreements can act as protection for the company. Compliance with laws and regulations concerning data protection, privacy and confidentiality can also provide a legal shield to the pen testers in case of disputes or litigation.

Penetration testing and Hacking

Permission is another crucial aspect that needs to be considered. The pen tester must always have written permission to conduct the pen test from the company or the owner of the systems and networks. A penetration test conducted without permission may amount to hacking, since it involves no authorization from the owners of the computer systems or networks.

Things to be considered

  • The permission to perform the pen test should be obtained
  • The permission or authorization should be in writing
  • Awareness of the laws relating to pen testing
  • Knowledge of specific laws where systems might be accessed as a part of test
  • Signing of non-disclosure and confidentiality agreements with the company for whom the penetration test is conducted.
  • Compliance with data protection, privacy laws and other mandatory regulations.
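
As an added example (not code from the original post), the following Python script turns the checklist above and the scope-confirmation advice earlier in the post into a pre-flight gate: before any testing tool is pointed at a host, each target is checked against a constructed rules-of-engagement record covering written permission, signed NDA, confirmed ownership, ISP notification for external tests, the agreed testing window and the authorised networks. The RulesOfEngagement fields, the sample networks and the authorisation reference are assumptions for illustration only.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class RulesOfEngagement:
    """The written authorisation, reduced to the fields a tester must check (hypothetical)."""
    permission_ref: str         # identifier of the signed authorisation letter
    authorised_networks: tuple  # CIDRs the owner put in writing
    window_start: datetime      # agreed testing window (timezone-aware)
    window_end: datetime
    owner_confirmed: bool       # client confirmed it owns every authorised network
    external: bool              # the test runs across the Internet
    isp_notified: bool          # relevant ISPs / hosting providers informed
    nda_signed: bool            # confidentiality agreement executed


def at(year, month, day):
    """Convenience constructor for a UTC timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def amend(roe, **changes):
    """Return a copy of the RoE with some fields changed (e.g. after re-negotiation)."""
    return replace(roe, **changes)


def check_target(roe, target, now):
    """Return the reasons this target must NOT be tested; an empty list means go."""
    problems = []
    if not roe.permission_ref:
        problems.append("no written permission reference")
    if not roe.nda_signed:
        problems.append("NDA/confidentiality agreement not signed")
    if not roe.owner_confirmed:
        problems.append("system ownership not confirmed by client")
    if roe.external and not roe.isp_notified:
        problems.append("external test but ISP not notified")
    if not (roe.window_start <= now <= roe.window_end):
        problems.append("outside agreed testing window")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        problems.append(f"{target!r} is not a valid IP address")
        return problems
    # The address must fall inside a network the owner authorised in writing.
    if not any(addr in ipaddress.ip_network(n) for n in roe.authorised_networks):
        problems.append(f"{target} is not in any authorised network")
    return problems


def preflight(roe, targets, now):
    """Split a target list into cleared targets and blocked targets with reasons."""
    cleared, blocked = [], {}
    for t in targets:
        problems = check_target(roe, t, now)
        if problems:
            blocked[t] = problems
        else:
            cleared.append(t)
    return cleared, blocked


def sample_roe():
    """Constructed sample RoE for a fictional engagement (not a real client)."""
    return RulesOfEngagement(
        permission_ref="AUTH-LETTER-PLACEHOLDER",
        authorised_networks=("10.20.0.0/16", "203.0.113.0/24"),
        window_start=at(2024, 6, 1),
        window_end=at(2024, 6, 15),
        owner_confirmed=True,
        external=True,
        isp_notified=True,
        nda_signed=True,
    )


if __name__ == "__main__":
    now = at(2024, 6, 5)
    cleared, blocked = preflight(sample_roe(), ["10.20.1.7", "203.0.113.5", "10.99.0.1"], now)
    print("cleared:", cleared)
    print("blocked:", blocked)
    # Re-running the gate after the NDA is withdrawn blocks everything.
    print(check_target(amend(sample_roe(), nda_signed=False), "10.20.1.7", now))
```

The gate is deliberately conservative: a single missing prerequisite blocks the target, and an unparsable target is rejected rather than guessed at, so that a typo in the scope list cannot quietly widen it.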
SAI SUSHANTH,
FINAL YR MS IN CYBER LAW AND SECURITY,
NATIONAL LAW UNIVERSITY, JODHPUR

About BizLegis

Biz and Legis Law firm with online legal service and lawyer services