Companies seeking a security audit that includes a penetration test and those responsible for conducting the test need to be aware of the legal minefield they are about to enter.
Penetration (pen) testing is a valuable way to determine how resistant an organization's digital infrastructure is to outsider attack. What better way to check a network's security than giving scary-smart individuals permission to hack it.
The authors of this SANS Institute paper about pen testing — Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Siles, and Steve Mancini — make an interesting point, saying, "The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested."
What exactly does permission mean?
Employing an outside party to attack an organization's network while the organization continues normal operation is the only realistic way to test. However, it introduces certain challenges. Enough that Michael R. Overly, a Partner and Intellectual Property Lawyer with Foley and Lardner LLP, urges caution when negotiating the contract for a security audit involving pen testing.
If you are wondering what a lawyer knows about pen testing, Overly is not your normal attorney. He has a slew of security certifications including CISA, CIPP, CISSP, ISSMP, and CRISC, has written about information security, and is recognized by peers for his information-security mettle.
Considerations for organizations requesting a pen test
Here are the precautions and considerations Overly suggests in this National Law Review post for companies seeking a security audit.
The organization requesting a security audit should consider having the auditor represented by legal counsel: Doing so will afford the organization an opportunity to protect the audit and its results with attorney-client privilege and under the attorney work product doctrine. Overly also suggests, "Ask to review the report in draft form to make any changes before it is placed in the final form."
Treat the audit agreement as a professional services engagement: Ensure the work is clearly detailed in a well-drafted statement of work and that all costs are identified. Overly warns, "Beware of 'scope creep': new services that are added as the project progresses. Allowing creep may add significant costs and may not be protected by stipulations in the contract."
Think carefully before permitting unannounced penetration tests: At least some coordination should be given to ensure the operation of critical systems is not disrupted during key operating hours or month-end processing.
Do not permit the audit agreement to create more risk than it is intended to resolve: This means ensuring the auditor assumes an appropriate level of responsibility. Overly offers the following reasons why this is important:
- Audit agreements normally do not include sufficient language regarding obligations of the pen tester concerning information security and confidentiality.
- The auditor will have access to sensitive data and details of how the organization secures its systems. That means strong security and confidentiality obligations, plus a level of liability that ensures the pen tester will comply with those obligations.
Overly further cautions, "Beware of auditors who are unwilling to provide reasonable protection for sensitive information."
Review language in the agreement permitting the auditor to remove data for off-site review: If such activity is permitted, the agreement should make clear the following:
- The data cannot be made available outside the country (unless specific controls are employed).
- The auditor cannot remove personally-identifiable data that may be subject to specific laws or regulations without first committing to be bound by those laws and regulations.
- The auditor cannot take possession of credit-card information unless there is an express need for possession, and the auditing company and or pen tester are fully compliant with the Payment Card Industry Data Security Standard.
Overly advises, "It is far better, however, to prohibit the pen tester from removing such data in the first place, given its sensitivity."
Considerations for security auditors
Mark Rasch, in his SecurityCurrent column Legal Issues in Penetration Testing, looks at the implications a security auditor faces when performing a penetration test.
First up, is recognizing that computer crime laws such as 18 USC 1030 come into play. Rasch writes, "18 USC 1030 makes it a crime to access or attempt to access a computer or computer network without authorization or in excess of authorization. What constitutes 'authorization' and who can authorize such access can quickly get muddy."
"So the lesson learned here is that penetration testing, even when authorized, can result in a host of legal trouble," continues Rash. "The pen tester should obtain a 'get out of jail free' card from the customer, specifically indicating not only that the pen testing is authorized, but also indicating that the customer has the legal authority to authorize the pen test."
Rash offers the following suggestions of what else should be in the contract:
- Indicate what the auditor will do (and will not do) and the range of IP addresses, subnets, computers, networks, or devices that will be the subject of the pen test.
- If a software review is being asked for, ensure the copyright to the software permits reverse engineering or code review.
- If a pen tester is to test a network in the cloud, permission must be obtained from the cloud provider.
Rash spent considerable energy speaking to the likelihood of auditors bumping into sensitive data. "A successful pen test can result in the pen tester getting into a computer or computer network that they should not have had the ability to access," he writes. "Also, it may include accessing data or databases that contain sensitive personal information, credit-card information, personally identifiable information (PII) or Private Health Information (PHI)."
Next, Rash introduces the following must ask questions when sensitive data is involved:
- Is the access to the information by the pen tester a "breach" of the database which must be reported?
- Must the pen tester sign a "Business Associate Agreement" agreeing to protect the data they just accessed?
During an email conversation, Overly brought up a not often thought about consequence regarding sensitive data. "The party conducting the test will gain highly sensitive information regarding the other party's security measures," he writes. "If that information were to be revealed to third parties, it could permit a hacker to compromise the tested systems."
Like most things, the actual work almost seems easier than all the paperwork and planning that must happen before a penetration test even begins. However, a well-worn cliche seems to apply here: "Better to be safe than sorry."