Penetration testing

Penetration testing and the law

Chris St-Jean
January 5, 2017 by
Chris St-Jean

As one might expect, there are a wealth of legal issues that are associated with information security. Whether it's a matter of preventing security breaches in order to maintain the security of your client information (or that of your organization), or simply realizing exactly how far one's obligations go when it comes to information security, it's important to realize exactly what your obligations are as far as the legal world goes with information security.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

What is allowed?

Because technology is ever-changing, there are always questions about what the legal protections might be when it comes to the misuse of new technology, or even what sort of jurisdiction might govern your organization or its clients. One of the biggest problems with computer crime is that laws still aren't clear as to who polices what online, if anything. As a result, companies must protect themselves against an attack on their internal servers and other information that might be at risk.

One of the biggest issues that organizations will face as far as maintaining your information security goes is that technology is developing so quickly that it is hard for the legal system to keep up. Even if you have taken the time to amass evidence against those who may have breached your information security system, there are no guarantees that this evidence will even be admissible in a court of law. As a result of the Patriot Act in the United States, however, laws can be passed without much delay in the process; this can go a long way towards helping organizations continue to ensure the safety and security of their organizations.

Another problem is that personnel may not always be as up on the latest technology as the leadership in any given organization may want. This can lead to faltering due care and diligence, although individuals may give their best efforts towards ensuring that due care and diligence is strictly maintained. The problem is if your organization does not have individuals that are well trained on the technology that you have, even your best efforts towards maintaining information security may falter or even fail.

Laws pentesters need to know

While technology is very definitely a consideration, those you use for pentesting in your organization need to be up on the latest legal considerations before entering into any pen testing process. One consideration that pen testers should be aware of is the laws surrounding the practice of port scanning. These vary from state to state, and while Scott Moulton, a man who held the contract for maintaining the Cherokee County, Georgia Emergency 911 system, was arrested for allegedly violating the Computer Fraud and Abuse Act of America Section 1030(a)(5)(B), the case was dismissed for being without merit. In this case, Moulton was doing a port scan of those networks involved with the Cherokee County Emergency 911 system and inadvertently scanned the port involved with a rival firm, VC3. Moulton sued VC3 for defamation, and VC3 then countersued for violation of the Computer Fraud and Abuse Act as well as the Georgia Computer Systems Protection Act.

While both the civil and criminal cases were dismissed handily, Moulton ended up going through the incredible expense to defend himself, to the tune of six-figure legal bills. As might be expected, Moulton also went through incredible stress and frustration with the time it took to settle both cases in his favor.

Other nations, though, have stringent laws that can really infringe upon a pen tester's ability to be effective. The United Kingdom, for instance, has recently amended the Computer Misuse Act to state that it is illegal to "supply or offer to supply [a program], believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act violation]."

The biggest challenge here is that there are some security tools that are based on user intent, which means there are inherent challenges to proving that people are breaking this particular law. One of the biggest challenges would be whether the user of the security tool is being ethical in his or her approach or is implementing a black hat attack, and these things can only be discovered merely by guesswork or evidence, neither of which might be entirely accurate.

How to gain protection

In addition to indicating exactly what a pen tester will and will not do, the range of IP addresses, subnets, computers, networks or devices subjected to the pen test should also be discussed. If software review and decompiling are to be included, the copyright to the software should be examined to ensure that the copyright does permit and not prohibit the reverse engineering or code review of associated software. The pen-tester needs to get paperwork from those authorizing the pen test that specifically OKs the pen test and that the customer authorizing the pen test has the authority to do so.

Cloud customers cannot just blindly authorize a test of their network through the cloud, either. The cloud provider must also authorize the pen test and ensure that the pen test is solely restricted to the area of the network that the cloud customer requested. If that does not occur, the cloud provider could go after the pen tester for unauthorized access.


You need to consider exactly how tightly your pen test will need to scan the systems that you are authorized to scan. Also, ensure you have permission to conduct the scan with a legitimate reason to do so; it is far easier to ask permission in this case than to beg forgiveness.

Additionally, you have to be careful about your work-related or school-related connections, as you do not want to infringe on any networks inadvertently that aren't connected with the scan you are supposed to be conducting. You do not want to get into trouble for hacking when you are conducting a test for legitimate reasons.

The Computer Security Institute came up with its own Ten Commandments when it came to information security – a "Dos and Don'ts" list, if you will – and it is of particular note due to the fact of its implications as far as information security is concerned. The Commandments state:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people's computer work.
  3. Thou shalt not snoop around in other people's computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people's computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people's intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

The reason why this list is particularly interesting is it covers all the bases of what organizations need to consider as far as information security is concerned. There are no complicated policies or rules – it simply states what is and is not acceptable as far as information security is concerned.


When it comes to information security, it becomes clear that the laws governing this realm continue to develop at a rapid-fire pace. Rules about what organizations need to do to maintain clear security practices and how they should do that are ever-evolving, and they should be; as technology continues to develop, so should your organization's policies and procedures as far as the maintenance of your information security goes.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


Chris St-Jean
Chris St-Jean

Chris St-Jean is a teacher and freelance writer who spends her time exploring new ideas and studying karate as she pursues her second degree black belt. When she isn’t working, she spends a lot of her days chasing around after her two girls.