First of all, a penetration test or “pen test” is a method that’s used to evaluate the security and/or vulnerabilities in a network. This test is normally conducted externally wherein the tester is attempting to hack a network or computer. Breaking into computers and networks is illegal under the Computer Fraud and Abuse Act (CFAA), and depending on your activities and other factors, other federal laws and state laws may be broken.
Simply incorporating the “get out of jail free” card into your contract or agreement is probably not enough. If all goes well and your client likes you and thinks you have done a good job, then all is well. If not, accusations could fly — especially if the IT department or IT company supporting the client feels threatened (a situation I find more common than not). Ninety percent of the time, when I am introduced to a company that may need my assistance in conducting a risk assessment, I am sent to the IT department or the IT person. Some of the IT people I speak with are great, do a great job and are, let’s say, receptive. Most, though, are not. They are apprehensive, defensive and basically attempt to convey that all is good, the network is secure and no one could ever get in. Maybe it’s me, but in light of the very large and high-profile companies and organizations getting breached every week, and the sheer number of breaches, this is a pretty bold and ignorant attitude.
So, as the person who is going to execute a pen test to prove the IT department, the IT person or the IT company wrong — you must be aware of the potential legal issues and how to protect yourself. Not convinced? One pen tester ended up facing criminal charges for child porn. After he conducted his test, child porn was found on one of the company computers. When all employees denied it, the pen tester was arrested. He was cleared, but only after spending thousands of dollars in legal bills to defend himself.
Below is a list of some must-dos, pen testing agreement tips and contract suggestions. This list is just a start and is not all-inclusive. Hopefully it will generate some thought and more questions. If more questions do arise, ask an attorney, one with knowledge and understanding of this area, for answers and to review your contract or agreement:
- Scope of Work
First and foremost, you must have a clear and concise “scope of work,” which should include the IP address range, which parts of the network the client owns and which are outsourced. In the “scope of work,” you must explain to your client exactly what actions you plan to take and which network(s), computers, servers, etc., you plan to attack. For this reason, it is imperative that you know the IP address range of the network you are going to test. The last thing you want is to attack someone else’s network and be accused of hacking.
- The “get out of jail free” card/statement
This is imperative. Not to knock the IT department, but if you are going to attack a company you better have the permission of the leadership of that company. You should also have continuous access to someone in the organization with authority. If something goes wrong, this is the person who should be contacted first. The goal is not to “get out of jail free,” but to never go to jail in the first place. You will most likely be working with the IT department, but, when all goes bad — it is the leadership who should be making the decisions and who understands what you were doing and why. Additionally, you may be revealing vulnerabilities the IT department should have caught and/or prevented.
- Clean system
Ensure you use a clean version of your system and tools (e.g., no malware, viruses, child porn, etc.) and be aware of any copyright issues up front. Because of the child porn incident mentioned above, make sure your tools and systems are clean and that you can prove it. Equally, depending on the software the client uses, ensure they have the proper licenses and that there are no proprietary data issues. This becomes more of a concern when working with companies that outsource or lease some or all of their network and software.
- Contract issues
Be very deliberate about what you put in the contract/agreement. For instance, include language stating that you are not responsible for illegal data found on the client’s network/computers. This will not necessarily protect you if unlawful data is found and you are accused, but it will alert the client to the possibility, help you manage expectations and minimize any shock if you do find something. State explicitly that you make no guarantees about the security or state of the network, and that you are not responsible for any inadvertent anomalies that occur, such as the network crashing or lost data. Ensure that the client understands that you cannot make any guarantees or warranties, that you cannot guarantee all vulnerabilities will be found and that, once the test/scan is complete, you cannot guarantee any level of security.
The above are just a few of the issues to consider when pen testing. Many more exist, and you will learn about or come across many of them with each client. As stated above, your scope of work and your contract, with its “get out of jail free” card, are key.