Appendices Chapter 4

Appendix D: Legal Considerations

Overview

This appendix covers the legal framework surrounding network security testing, ethical guidelines, and compliance requirements.
Authorization is Everything

The Golden Rule

Never test systems without explicit written authorization.

The difference between a penetration tester and a criminal is often just a piece of paper.

What Constitutes Authorization

Valid Authorization Must Include:
□ Written permission (not just verbal)
□ Scope clearly defined
□ Systems explicitly listed
□ Testing timeframe specified
□ Contact information for emergencies
□ Signed by someone with authority
□ Rules of engagement documented

Sample Authorization Template

PENETRATION TESTING AUTHORIZATION

Date: _____________

This document authorizes [Tester Name/Company] to conduct 
security testing on the following systems:

Systems in Scope:
- IP Range: _______________
- Domain: _______________
- Specific Systems: _______________

Systems Out of Scope:
- Production database servers
- Third-party hosted services
- [Other exclusions]

Authorized Testing:
□ Network scanning
□ Vulnerability assessment
□ Exploitation (limited/full)
□ Social engineering (specify)
□ Physical testing

Testing Window:
Start: _______________
End: _______________

Emergency Contact: _______________

Authorizing Official:
Name: _______________
Title: _______________
Signature: _______________

Relevant Laws

United States

Computer Fraud and Abuse Act (CFAA)

Key Provisions:
- 18 U.S.C. § 1030
- Criminalizes "unauthorized access" to protected computers
- Penalties range from fines to 20+ years imprisonment
- Civil liability also possible

What Triggers CFAA:
- Accessing computer without authorization
- Exceeding authorized access
- Transmitting code causing damage
- Trafficking in passwords

Note: "Exceeding authorized access" is broadly interpreted

State Computer Crime Laws

  • Most states have their own computer crime statutes
  • Some are stricter than federal law
  • California Penal Code 502
  • Texas Penal Code Chapter 33

European Union

Computer Misuse Directive

  • EU-wide framework
  • Member states implement locally

GDPR Implications

  • Security testing involving personal data
  • Data breach notification requirements
  • Consent and legitimate interest considerations

United Kingdom

Computer Misuse Act 1990

  • Unauthorized access offenses
  • Intent to commit further offense
  • Unauthorized modification

Other Jurisdictions

Country      Primary Law
Australia    Criminal Code Act 1995
Canada       Criminal Code Section 342.1
Germany      StGB §202a-202c
Japan        Unauthorized Computer Access Law

Professional Standards

(ISC)² Code of Ethics

Canons:
1. Protect society, the common good, necessary public trust and 
   confidence, and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession

EC-Council Code of Ethics

Key Points:
- Respect privacy and confidentiality
- Do not engage in illegal activities
- Develop skills through legitimate means
- Do not associate with unethical hackers
- Report discovered breaches responsibly

PTES (Penetration Testing Execution Standard)

  • Defines methodology
  • Emphasizes authorization
  • Documents scope and rules of engagement

Responsible Disclosure

The Disclosure Dilemma

Options:
1. Full Disclosure - Publish immediately
   Pros: Forces quick fixes
   Cons: Enables attackers
   
2. Non-Disclosure - Tell only vendor
   Pros: Vendor has time to fix
   Cons: May be ignored
   
3. Coordinated Disclosure - Balanced approach
   Pros: Best of both worlds
   Cons: Requires cooperation

Coordinated Disclosure Process

Timeline:
Day 0: Discover vulnerability
Day 1: Report to vendor
Day 1-90: Vendor develops patch
Day 90: Publish details

If vendor unresponsive:
- Send follow-up at 30 days
- Send final notice at 60 days
- Publish at 90 days regardless

If actively exploited:
- Shorter timeline appropriate
- Consider immediate disclosure

Bug Bounty Programs

Benefits:

  • Legal safe harbor
  • Defined rules of engagement
  • Financial incentive
  • Clear communication channel

Major Platforms:

  • HackerOne
  • Bugcrowd
  • Synack

Data Handling

During Testing

Rules for Test Data:
□ Encrypt all captured data
□ Limit collection to necessary scope
□ Don't exfiltrate production data
□ Handle credentials securely
□ Document what was accessed
□ Delete data after engagement

Evidence Preservation

If You Find Evidence of Breach:
1. Stop testing immediately
2. Document what you found
3. Notify client contact
4. Preserve evidence (don't modify)
5. Follow client's incident response
6. Consider legal notification requirements

International Considerations

Cross-Border Testing

Complications:
- Testing systems in other countries
- Data crossing borders
- Conflicting laws
- Extradition concerns

Best Practice:
- Confirm legal jurisdiction
- Get local legal advice
- Document authorization carefully
- Consider treaty implications

Cloud Environments

Questions to Answer:
- Where is data physically located?
- Which jurisdiction applies?
- What does cloud provider allow?
- Is authorization from cloud provider needed?

AWS/Azure/GCP:
- Have specific penetration testing policies
- May require notification
- Certain tests prohibited

Common Mistakes

What Gets People in Trouble

- Testing without written authorization
- Exceeding the scope of the authorization
- Testing third-party systems the client listed in scope (the client cannot authorize testing of systems it does not own or control)
- Keeping sensitive data after the engagement
- Sharing findings without permission
- Relying on "I was just doing security research"
- Testing personal accounts on shared infrastructure

The “I Didn’t Mean To” Defense

This doesn't work because:
- CFAA doesn't require malicious intent for all provisions
- "I was trying to help" isn't a defense
- Good intentions don't negate unauthorized access
- Damage is damage regardless of intent

Before Every Engagement

Checklist:
□ Written authorization obtained
□ Scope clearly documented
□ Out-of-scope systems identified
□ Emergency contacts established
□ Rules of engagement agreed
□ Insurance coverage confirmed
□ NDA signed if required
□ Data handling procedures documented

During Testing

Best Practices:
□ Stay within authorized scope
□ Document everything
□ Communicate issues immediately
□ Don't access data beyond necessary
□ Respect the "spirit" of authorization
□ When in doubt, stop and ask

After Testing

Requirements:
□ Secure report delivery
□ Data destruction verification
□ Retesting if required
□ Findings protected appropriately
□ Lessons learned documented

Resources

  • EFF’s “Coders’ Rights Project”
  • SANS “Legal Issues in Penetration Testing”
  • OWASP Legal Project

This appendix provides general information only. Consult with a qualified attorney for legal advice specific to your situation and jurisdiction.