1. Legal & Compliance

In this module, you'll learn about the crucial legal and ethical aspects of penetration testing, including compliance requirements and the intricacies of drafting Rules of Engagement (RoE) and scoping documents. Understanding these foundational concepts is essential for any professional penetration tester to operate ethically and within legal boundaries.

1.1 Legal Frameworks and Compliance Considerations

Overview of the Cybersecurity Law and Regulations

Here are the most common laws and legal texts used around the world that will apply to your pentesting carreer. This is not an exhaustive list, depending on where on the world you are working, but those are the main you may encounter and should know about.

1. United States
   • Computer Fraud and Abuse Act (CFAA)
     This is the primary federal cybersecurity law in the U.S. It prohibits unauthorized access or exceeding authorized access to computers and networks. For penetration testers, it's crucial to have clear, written authorization to avoid violations under this law.
     
     
   • Electronic Communications Privacy Act (ECPA)
     This act includes provisions for the Wiretap Act and the Stored Communications Act, which prohibit the interception of electronic communications and unauthorized access to stored electronic communications, respectively.
     
     
2. European Union
   • General Data Protection Regulation (GDPR)
     Although primarily a privacy regulation, GDPR has significant implications for cybersecurity practices. It mandates that personal data be processed securely using appropriate technical and organizational measures. For pentesters, ensuring that their testing methods do not lead to data breaches is crucial under GDPR.
     
     
   • Network and Information Systems (NIS) Directive
     This directive requires operators of essential services and digital service providers in the EU to take appropriate security measures and report serious cyber incidents.
     
     
3. United Kingdom
   • Computer Misuse Act 1990
     Similar to the CFAA in the U.S., this act makes it illegal to access computer systems without permission, make unauthorized modifications to computer material, or impair the operation of a computer. Pentesters must operate within the confines of explicit permissions.
     
     
   • Data Protection Act 2018
     Aligns with the GDPR and controls how personal information is used by organizations, businesses, or the government.
     
     
4. Australia
   • Cybercrime Act 2001
     This act covers unauthorized access to, or modification of, data held in a computer, and unauthorized impairment of electronic communication to or from a computer.
     
     
   • Privacy Act 1988
     Requires organizations to protect personal information from misuse, interference, and loss, as well as unauthorized access, modification, or disclosure.
     
     
5. Canada
   • Personal Information Protection and Electronic Documents Act (PIPEDA)
     Governs how private sector organizations collect, use, and disclose personal information in the course of commercial business.
     
     
   • Criminal Code of Canada
     Contains provisions against unauthorized use of computer systems and mischief in relation to data.
     
     
6. India
   • Information Technology Act, 2000
     Includes provisions related to cybersecurity, penalizing cyber crimes, and mandating reasonable security practices and procedures for sensitive personal data.

IT Security Frameworks & Standards

Same as for the laws and regulations, here are the most common standards and frameworks used by companies to certify their practices around cyber security. Those are the most absolute common ones that you should know about. We'll probalby develop dedicated modules to go deeper on those topics.

1. ISO/IEC 27001: Information Security Management
   This is an international standard that outlines best practices for an information security management system (ISMS). It's been developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and provides a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes, and IT systems by applying a risk management process.
   
   
2. NIST Cybersecurity Framework
   The National Institute of Standards and Technology (NIST) is a U.S. federal agency that develops technology, metrics, and standards to drive innovation and economic competitiveness.
   The NIST Cybersecurity Framework they developed is a set of voluntary guidelines, best practices, and standards designed to help organizations manage cybersecurity risks. It is structured around five core functions—Identify, Protect, Detect, Respond, and Recover—which provide a high-level, strategic view of the lifecycle of an organization's management of cybersecurity risk.
   
   
3. PCI DSS
   The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Compliance with PCI DSS is mandatory for payment card processors to minimize the risk of card data breaches and to protect cardholder data effectively.

Legal Risks and Mitigations

• Unauthorized access
  This occurs when penetration testers access systems, networks, or data without proper authorization or beyond the limits of what was agreed upon. Such actions can violate specific computer access laws like the Computer Fraud and Abuse Act (CFAA) in the United States, which makes it illegal to access a computer without authorization or in a way that exceeds authorized access. Penetration testers must have explicit, clearly defined permissions to avoid legal repercussions.
  
  
• Data breaches
  If during testing, sensitive information is accessed and subsequently leaked, lost, or stolen, it can result in a data breach. This not only exposes the tester to potential legal action under privacy laws such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) but also contractual liabilities if the breach violates terms agreed upon with clients.
  
  
• Intellectual property and client data protection
  During engagements, testers may encounter proprietary software or sensitive business information. Unauthorized use or disclosure of such intellectual property can lead to infringement claims. Testers must also ensure compliance with applicable data protection regulations like GDPR, HIPAA, etc., when handling personal or sensitive data.
  
  
• Explicit Authorization: Before beginning any test, penetration testers must ensure they have explicit, documented authorization detailing what systems can be accessed, the type of data that can be handled, and the actions permitted during the testing process. This should be regularly reviewed and updated as needed.
  
  
• Data Handling Protocols: Implement rigorous protocols for handling any data accessed during testing. This includes using encryption to protect data in transit and at rest, ensuring that only necessary data is accessed, and securely deleting any data from testers' systems post-engagement.

1.2 Rules of Engagement (RoE) and Scoping Documents

• Understanding the Importance of Rules of Engagement (RoE):
  

  The RoE in penetration testing is critical for ensuring that all activities are conducted ethically, legally, and within the agreed boundaries. It essentially serves as a contractual framework that outlines the specific conditions under which penetration tests are conducted, detailing what is permissible and what is off-limits. This clarity helps prevent misunderstandings between the penetration tester (you) and the client, reducing the risk of legal complications that could arise from unauthorized actions.

  It also helps in defining the scope of the assessment, including which networks, systems, or data can be tested, and the techniques and tools that may be used. It should address timing considerations, specifying when the tests will occur, especially if aiming to evaluate the impact on live environments during peak or off-peak hours. This is vital for minimizing any potential disruption to the client’s operations.

  RoE should include communication protocols, delineating how findings will be reported, to whom, and at what frequency. This ensures that sensitive information is handled securely and that any critical vulnerabilities are swiftly communicated and addressed. In addition, it should outline the expectations for data handling, ensuring that any data accessed during the test is treated according to compliance requirements, such as GDPR, HIPAA, etc., thus safeguarding personal and sensitive information.

  By establishing a clear and comprehensive RoE, both the penetration tester and the client have a mutual understanding of the test's limitations and expectations, fostering a trustful and professional relationship. This not only enhances the efficiency and effectiveness of the testing process but also reinforces adherence to ethical hacking principles.

• Key Components of the Rules of Engagement (RoE)

  1. Scope:

     • Systems and Networks: Clearly define which systems, networks, and data are included in the test. This might include specific IP ranges, domains, applications, and environments (production or test).
     • Testing Methods: Specify the types of tests to be conducted (e.g., black box, white box, grey box testing) and the methods or techniques that are permissible (such as social engineering, physical penetration, or wireless access).
       
       

  2. Authorization:

     • Legal Permissions: Document formal authorization from all relevant parties, ensuring that the penetration tester has explicit permission to perform the test.
     • Limits of Authorization: Clearly state any limitations or exclusions within the authorized testing scope to prevent overreach.
       
       

  3. Timeline:

     • Testing Schedule: Define when the testing will occur, including start and end dates and whether the tests will be conducted during business hours, after hours, or continuously.
     • Critical Milestones: Outline important dates throughout the testing phase, such as interim check-ins and review meetings.
       
       

  4. Communication Protocols:

     • Points of Contact: List primary and secondary contacts within the organization who will be involved or informed about the testing progress.
     • Reporting Procedures: Define how vulnerabilities and breaches will be reported, including the format and frequency of these reports.
       
       

  5. Tools and Techniques:

     • Approved Tools: Detail which tools and software are approved for use during testing to avoid any potential harm or unexpected effects on the systems.
     • Technique Restrictions: Some techniques might be too invasive or risky for certain environments and should be explicitly restricted or prohibited.
       
       

  6. Security and Data Handling:

     • Data Protection: Specify how data will be handled, stored, and destroyed after testing to comply with data protection laws and regulations.
     • Incident Handling: Outline the steps to be taken in the event of an accidental breach or data loss during testing.
       
       

  7. Compliance and Legal Requirements:

     • Regulatory Compliance: Ensure that all testing activities comply with relevant industry standards and legal requirements, such as PCI DSS, HIPAA, or GDPR.
     • Ethical Standards: Adhere to ethical guidelines that govern security testing to maintain professionalism and integrity.
       
       

  8. Exit Criteria:

     • Conclusion Protocols: Define what criteria will signify the conclusion of the test, including successful completion of objectives or the occurrence of a stopping condition (e.g., critical system impact).
     • Post-Engagement Process: Describe the process for a debriefing session to discuss findings, remediation strategies, and any follow-up actions.
       
       

• RoE Templates
  Here is an example provided by Sans.org: Pen Test Rules of Engagement Worksheet

Hope you enjoyed this module. Now let's start the more technical parts with the Module 2: Networking.

What international standard provides a framework for managing an organization's information security and outlines best practices for establishing, implementing, maintaining, and improving an information security management system (ISMS)?