| I l@ve RuBoard | |
Penetration testing could have very serious ramifications if not performed properly. Normally, companies continue to conduct business while the testing is being performed. This increases the impact to the company if a system goes down or is unintentionally rendered useless. For these clients, these systems should be considered “critical” and addressed with due care. The company's management is faced with maintaining a balance between making sure the testing is complete and ensuring they are still able to do business so that revenue is not lost.
Further, the machines and systems being tested are very expensive. Considering the cost of configuration and ongoing maintenance and taking into account the data and other electronic assets (such as client databases, proprietary code, documentation, and other often irreplaceable intellectual property) on these machines, the overall cost (or value) of these systems can be tremendous.
In light of this, the potential legal consequences can be quite serious as well. A request from a company employee to perform a penetration test is not necessarily a valid request. If that person does not have the authority to request such actions and indemnify you if anything goes wrong, you may incur fees related to court costs in addition to loss of fees for services. Therefore, legal agreements must be reached before the testing begins, and the tester needs to make sure he or she has a signed “Get Out of Jail Free Card” from a company officer authorized to enter the organization into a legally binding agreement. The “Get Out of Jail Free Card” generally entails a legal agreement signed by an authorized representative of the organization outlining the types of activities to be performed and indemnifying the tester against any loss or damages that may result from the testing.
During the initial discovery phase of a penetration test, identify the owners of the hardware and software affected by the test. Both need to agree to the test before it begins. Often, and this is especially true for the e-commerce initiatives of Internet startup firms, the machines that support networking capabilities are leased from an Internet/application services provider. Also, firms may have their ISP configure the router that leads to their network in some way to help them filter traffic coming into their network. When this is the case, clients can also ask the consultant to test the ISP's settings and service claims by performing various tests on the ISP's router and systems, including denial-of-service tests. In such cases, you will need to get permission from the ISP as well as your client due to the involvement of the ISP's assets. If you plan on placing any significant load on the ISP's hardware, plan the activities in advance to coordinate with the ISP.
Legal requirements are still being developed since the Internet and cyber crime are a relatively young area. Additionally, since there are no geographical boundaries on the Internet, it is difficult to identify a valid jurisdiction.
| I l@ve RuBoard | |