As you might imagine, the role of a Penetration Tester is fraught with legal concerns. Primarily though, what it boils down to is whether or not you have permission from the owner of the computer system or website you are probing and have obtained their consent (written consent is the norm in the business). It is also very important that you and your client have agreed the scope of your probe. Basically, everything you do for a company when performing your role as a penetration tester needs specific consent. A Statement of Intent is drawn up and signed by both parties before any work commences; it clearly outlines the scope of the job and what you may and may not do while performing vulnerability tests. It is important to know who owns the systems you are being requested to work on, and the infrastructure between the testing systems and their targets that may potentially be affected by testing.

It is very important to get permission in writing. This holds even for an internal penetration test performed by internal staff, because testing may affect system performance and raise confidentiality and integrity issues. Regulations change from country to country, so make yourself aware of the laws that affect you. You know what they say, better safe than sorry. One thing that is universal, however, is that your probing cannot affect any third parties.

If the penetration testing work you are doing is via the internet, it is a good idea to notify the relevant ISPs, mainly your customer's and your own. This can be important for legal, informational and technical reasons. Intervening infrastructure may also be adversely affected by the tools used in penetration tests, such as vulnerability assessment tools and port scanners.

Most companies will have no idea what a penetration tester would need to do to successfully complete their job, so it is important that the pentester outlines what they will need to do in order to get the requested result, which is usually a confirmation that the security is unbreakable or a list of measures the company should enact to further tighten their system. If you are planning to run your own small business, it is important that you hire an attorney to draw up a proper Statement of Intent so you can protect yourself to the fullest extent of the law. In doing so you will also better understand what you can or cannot do, as the attorney can clarify these matters for you.

There are federal laws that govern penetration testers in the USA, and some states have their own additions. It is said that the USA has some of the most complex cyber laws in the world. A quick summary of the US federal laws a penetration tester should be aware of is:

  • Title 18 of the Criminal Code, Section 1029 prohibits fraud in relation to access devices, account numbers, passwords, credit cards etc.
  • Section 1030 prohibits unauthorized computer access to government, financial and commerce systems.
  • Section 1362 prohibits injury to or destruction of communications equipment.
  • Section 2510 prohibits unauthorized interception of traffic. There are also clauses to enable service providers to monitor, and procedures for law enforcement to gain access.
  • Section 2701 prohibits access to stored information without permission of the owner.
  • The Cyber Security Enhancement Act (2002) covers attacks which recklessly cause or attempt to cause death and has severe penalties, including life in prison!

So basically what it comes down to is making sure you have permission, in writing, with clearly defined parameters; letting everyone who needs to know (ahead of time!); reporting everything you find; and not leaving holes open for yourself or someone else to exploit in the future. All in all, just be thorough.


Michael Mulcreevy

Michael Mulcreevy is a writer and researcher and studied sustainability. He has special interests in technological advancements in the computer age and writes on all things current and future based such as systems for community resilience.
