An introduction to penetration testing and its legal implications for VARs and consultants

This is the first article in a six-part tutorial for consultants and value-added resellers (VARs) about penetration testing. Over the course of the six articles we look at several elements of penetration testing, including the test phases, tools and techniques, types of wireless testing and what bugs to look for. In this first article, I give an overview of penetration testing, discuss some legal and ethical implications, and give some pointers on what potential customers look for in a penetration tester.

Penetration testing is a security testing methodology that should be one element of a total security testing strategy that you offer customers. Whether large or small, every business needs to know what its "security posture" is, how secure its network actually is, and how that posture compares with other companies in the same market.

A complete security snapshot includes:

  • Level I, High-level assessment: A top-down look at the organization's policies, procedures, standards and guidelines. A Level I assessment is not usually hands-on, in that the security of the systems themselves is not actually tested.
  • Level II, Network evaluation: More hands-on than a Level I assessment, a Level II assessment repeats some of the Level I activities and adds information gathering and vulnerability scanning.
  • Level III, Penetration test: A penetration test is not concerned with policies. It takes the adversarial view of an attacker: what can actually be accomplished against the environment, and with how much difficulty.

The reason to penetration test is the same as the reason a business has a security policy: to demonstrate due diligence and due care in protecting data, and so preserve the company's capital investment.

Several factors have converged in the marketplace to make penetration testing a necessity. The evolution of information technology has focused on ease of use for the operator while greatly increasing the complexity of the underlying systems. Unfortunately, the burden of administering and managing these systems has grown because:

  • The skill level required to execute a hacker exploit has steadily decreased.
  • The size and complexity of the network environment has mushroomed.
  • The number of network and Web-based applications has increased.
  • The detrimental impact of a security breach on corporate assets and goodwill is greater than ever.

All of these factors are good selling points when presenting a pen testing project to your customer.

Penetration testing is most commonly carried out within a "black-box" approach; that is, with no prior knowledge of the infrastructure to be tested. The alternative, a "white-box" test in which the tester is given network diagrams, credentials or source code, trades realism for coverage, and the contract should state which approach is being used. At its simplest level, the penetration test process involves three phases:

  • Preparation phase - A formal contract is executed containing non-disclosure of the client's data and legal protection for the tester. At a minimum, it also lists the IP addresses to be tested and the time window in which testing may take place; anything not on that list is out of scope.
  • Execution phase - In this phase the penetration test is executed, with the tester looking for potential vulnerabilities within the agreed scope and window.
  • Delivery phase - The results of the evaluation are communicated to the pre-defined organizational contact, and corrective action is advised.
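The preparation phase defines the scope, and the execution phase must stay inside it. The following is an added example (not code from the article or its author) of a small scope gate that a tester can run before launching any tool: it refuses targets that are not literal IP addresses, that the client excluded, that fall outside the contracted ranges, or that are requested outside the agreed window. The address ranges, exclusions and window are constructed for illustration (RFC 5737 / RFC 3849 documentation ranges), and the function names are this example's own.

```python
"""Scope gate for a penetration test: refuse anything the contract did not
authorise. Added example for this article; not the author's tooling."""
import ipaddress
from datetime import datetime

# Constructed rules of engagement for this example. In a real engagement these
# values are copied from the signed contract, not typed in by the tester.
AUTHORIZED_NETWORKS = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:1::/48"]
EXCLUDED_HOSTS = ["203.0.113.1"]          # e.g. a production gateway the client carved out
TEST_WINDOW = ("2007-07-09T22:00:00+00:00",  # start (inclusive)
               "2007-07-10T06:00:00+00:00")  # end (exclusive)


def _as_aware(ts):
    """Accept a datetime or an ISO 8601 string; insist on a timezone so that
    'the window' means the same thing to the client and the tester."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.tzinfo is None:
        raise ValueError("timestamps must carry a timezone")
    return ts


def check_target(target, networks=AUTHORIZED_NETWORKS, excluded=EXCLUDED_HOSTS):
    """Return (allowed, reason) for one target string.

    Only literal IP addresses are accepted. A hostname must be resolved first and
    every address it resolves to checked separately; otherwise a DNS change during
    the test can silently move the tester onto a host nobody authorised.
    """
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        return False, "not an IP address; resolve it and check each address"
    if any(addr == ipaddress.ip_address(e) for e in excluded):
        return False, "explicitly excluded by the client"
    # strict=False tolerates a contract that lists a network with host bits set.
    # Membership across IP versions is simply False, so mixed lists are safe.
    if not any(addr in ipaddress.ip_network(n, strict=False) for n in networks):
        return False, "outside the authorised address ranges"
    return True, "in scope"


def in_window(now, window=TEST_WINDOW):
    start, end = (_as_aware(t) for t in window)
    return start <= _as_aware(now) < end


def gate(targets, now, **kw):
    """Split targets into (allowed, rejected) where rejected maps target -> reason.

    Outside the agreed window nothing is allowed, however the addresses look:
    the right scope at the wrong time is still unauthorised access.
    """
    allowed, rejected = [], {}
    if not in_window(now):
        for t in targets:
            rejected[t] = "outside the agreed test window"
        return allowed, rejected
    for t in targets:
        ok, why = check_target(t, **kw)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = why
    return allowed, rejected


if __name__ == "__main__":
    # Constructed target list: one in scope, one excluded, one out of range,
    # one hostname that must be resolved before it can be judged.
    requested = ["203.0.113.50", "203.0.113.1", "192.0.2.7", "www.example.com"]
    ok, bad = gate(requested, "2007-07-10T01:00:00+00:00")
    print("allowed:", ok)
    for target, reason in bad.items():
        print("rejected:", target, "-", reason)
```

Feed the gate's `allowed` list to the scanner rather than the raw request list, and log the rejections with the reason: the log is evidence, should it ever be needed, that out-of-scope hosts were identified and deliberately not touched.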

Legal and ethical implications of penetration testing

Attacking a network from the outside carries ethical and legal risk to you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. For example, the Cyber Security Enhancement Act of 2002 provides for life sentences for hackers who "recklessly" endanger the lives of others, and several other U.S. statutes address cyber crime.

18 U.S.C. § 1030, Fraud and Related Activity in Connection with Computers, specifically states that whoever intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years. Therefore, it's vital that you receive specific written permission to conduct the test from the most senior executive. That executive must actually have authority over the systems being tested: hosts operated by a hosting or cloud provider, or shared with other tenants, are not the client's to authorise, and the provider's own testing rules apply to them.

While written permission to conduct a pen test helps protect you from risk, your customer also requires protection. You must be able to guarantee discretion and non-disclosure of sensitive company information by demonstrating a commitment to preserving the company's confidentiality. Which data is "red" (must not be read, copied or moved by the tester) and which is "green" (may be handled during the test) must be agreed before the engagement, to prevent sensitive data from being redistributed, deleted, copied, modified or destroyed.

The credibility of your firm as to its ability to conduct the testing without interrupting the customer's business or production is also of paramount concern. You must employ knowledgeable engineers who know how to throttle their tools (rate-limited scanning, no denial-of-service checks unless explicitly agreed) to minimize the test's impact on network traffic and on production systems.

The ethics of your company and its testers also matter. Many customers insist that the testing firm not engage any "black-hat" testers (that is, testers who have criminal convictions) and that the testing firm conduct background checks on anyone who will participate in the engagement.

In the next installment of our Penetration testing tutorial, we look at the pre-test phases of penetration testing, including footprinting.

About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John Wiley & Sons. As an expert for SearchSecurityChannel.com, Russell welcomes your questions on pen testing and information security threats.

This was first published in July 2007
