IT Channel.com

An introduction to penetration testing and its legal implications for VARs and consultants

By Russell Dean Vines

This is the first article in a six-part tutorial for consultants and value-added resellers (VARs) about penetration testing. Over the course of the six articles we look at several elements of penetration testing, including the test phases, tools and techniques, types of wireless testing and what bugs to look for. In this first article, I give an overview of penetration testing, discuss some legal and ethical implications, and give some pointers on what potential customers look for in a penetration tester.

Penetration testing is a security testing methodology that should be one element of the total security testing strategy you offer customers. Whether large or small, every business needs to know its "security posture": how secure its network is, and how that posture compares with other companies in the same market space.

A complete security snapshot includes:

The reason to penetration test is the same as the reason a business has a security policy: to exercise due diligence and due care in protecting data, and thereby preserve the company's capital investment.

Several factors have converged in the marketplace to make penetration testing a necessity. The evolution of information technology has focused on ease of use at the operational end, while exponentially increasing the complexity of the systems underneath. Unfortunately, the administration and management requirements of these systems have increased because:

All of these factors are good selling points when presenting a pen testing project to your customer.

Penetration testing is most commonly carried out using a "black-box" approach; that is, with no prior knowledge of the infrastructure to be tested. At its simplest level, the penetration test process involves three phases:

Legal and ethical implications of penetration testing

Attacking a network from the outside carries ethical and legal risk to you, the tester, and remedies and protections must be spelled out in detail before the test is carried out. For example, the Cyber Security Enhancement Act of 2002 provides for life sentences for hackers who "recklessly" endanger the lives of others, and several U.S. statutes address cyber crime.

Statute 1030, Fraud and Related Activity in Connection with Computers, specifically states that whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years. Therefore, it's vital that you receive specific written permission to conduct the test from the most senior executive.

While written permission to conduct a pen test helps protect you from risks, your customer also requires protection measures. You must be able to guarantee discretion and non-disclosure of sensitive company information by demonstrating a commitment to the preservation of the company's confidentiality. The designation of red and green data classifications must be discussed before the engagement, to help prevent sensitive data from being re-distributed, deleted, copied, modified or destroyed.

The credibility of your firm, in particular its ability to conduct the testing without interrupting the customer's business or production, is also of paramount concern. You must employ knowledgeable engineers who know how to use low-bandwidth tools to minimize the test's impact on network traffic.

The ethics of your company and your testers are also very important. Many customers insist that the testing firm not engage any "black-hat" testers (that is, testers who have criminal convictions) and that the testing firm conduct background checks on anyone who will participate in the engagement.

In the next installment of our penetration testing tutorial, we look at the pre-test phases of penetration testing, including footprinting.

About the author
Russell Dean Vines is a bestselling author, Chief Security Advisor for Gotham Technology Group, LLC, and former President of the RDV Group. His most recent book is The CISSP and CAP Prep Guide, published by John S. Wiley and Sons. As an expert for SearchSecurityChannel.com, Russell welcomes your questions on pen testing and information security threats.


17 Jul 2007

All Rights Reserved, Copyright 2006 - 2024, TechTarget