2.5 - Legal and Ethical Compliance


Key Terms 

    • Wassenaar Arrangement – A multilateral export-control agreement between 42 participating states covering conventional arms and dual-use goods and technologies; since 2013 its control list has included "intrusion software" and the technology for developing and delivering it. 
    • Bring your own device (BYOD) - Policies that govern an organisation’s rules on support of employee-owned devices. 
    • Scope of work - This defines exactly what a project will consist of and entail. It is also known as a statement of work. 
    • Rules of engagement – Defines how the penetration test will be carried out: what testing the ethical hacker is permitted to execute, against which systems, during which window, and with what constraints. 
    • Master service agreement - A contract where all parties included agree to the terms that will govern future actions. 
    • Non-disclosure agreement – A legal contract that outlines confidential material that will be shared during a security assessment and the restrictions on that information. 
    • Permission to test – A document that explains what the tester should be doing and that their work is authorised. Sometimes this is referred to as the ‘Get out of Jail Free Card’. 

 

Laws 

One of the main problems testers face is that computer-misuse legislation differs between nations and states. Where the tester, the client and the target systems sit in different jurisdictions, the client and the tester must agree which laws apply, and a lawyer is usually consulted in this process. Computer-misuse laws (for example the UK Computer Misuse Act 1990 and the US Computer Fraud and Abuse Act) make access without authorisation a criminal offence; the client's written authorisation is what makes a penetration test lawful, and it only covers tests the client has approved. The scope of work document must therefore list every device, network and application the client authorises for testing. The tester is protected from charges only while their activity stays inside that authorised scope; anything outside it, however well intentioned, is unauthorised access and can be prosecuted. 

 

Cloud Systems 

Cloud systems require extra steps before a test is approved because the client does not own the underlying infrastructure. The cloud provider's penetration-testing policy must be checked and followed: some providers permit testing of customer-owned resources without prior notice, others require a request and approval for each engagement, and almost all forbid certain activities such as denial-of-service testing against shared infrastructure. The provider's conditions, and any approval reference number, should be recorded in the scope of work document before testing starts. 

 

3rd Parties 

Third parties cannot be tested during a penetration test unless they have given their own written authorisation. A supplier or hosted service connected to the client's network can easily be scanned by accident, for example when an address range or DNS zone includes hosts the client does not own, and that would make the tester liable for unauthorised access as well as for breaking the scope of work. The tester must be especially careful around third-party systems and confirm ownership of every target before touching it, so as not to disturb networks and systems that belong to someone else. 

 

Affected Vulnerabilities 

Sometimes a test reveals a vulnerability that also affects another party's system, for instance a shared product or a supplier's platform. The tester must not contact that party directly: a report to them needs to be authorised by the client before it is made, and the rules of engagement should state who is responsible for the disclosure. 

 

Wassenaar Arrangement 

This is an agreement between 42 participating states to harmonise export controls on conventional arms and dual-use goods and technologies. Since 2013 its control list has covered "intrusion software" and the technology and equipment for generating, operating or delivering it, so some offensive tooling can only be exported under a licence and some is effectively unavailable across borders. The controls target the technology for building and deploying intrusion software rather than general-purpose assessment tools; widely distributed tools that a tester commonly carries and that are not in themselves controlled include: 

    • Hashcat 
    • Nmap 
    • Burp Suite 

Commercial exploitation frameworks, command-and-control platforms and exploit packages may be controlled, however, so a tester working internationally should confirm the status of every tool they carry or ship under the exporting country's implementation of the list. 

At the December 2017 plenary (with the updated control list published in 2018) the arrangement was amended to clarify that vulnerability disclosure and incident response are exempt, which removed much of the uncertainty for penetration testers and researchers sharing findings across borders. 

 

Sensitive Information 

During a penetration test, an ethical hacker may gain access to sensitive information. All such information must be kept confidential and viewed only as far as is necessary to demonstrate the finding for the report; proving access (a directory listing, a record count, a redacted sample) is preferable to opening or copying records. Data should not be taken off-site for analysis unless the client approves it in writing, and anything retained should be encrypted and destroyed at the end of the engagement. Regulated data raises the bar further: protected health information covered by HIPAA, for example, normally requires a business associate agreement between the client and the tester, and the tester should avoid opening patient records at all where the finding can be evidenced without doing so. 

 

Reporting 

All information gathered from a penetration test should be shared only with the client in question and with the other testers working on the same engagement; no third party should be told about vulnerabilities without the client's authorisation. If the tester finds evidence of illegal activity by the client, such as tax evasion, whether they are legally obligated to inform the authorities depends on the jurisdiction and on the contract, so the tester should take legal advice rather than assume that either silence or disclosure is safe. If an employee is found carrying out illegal activity on the client's network or systems, the client should be informed immediately through the contact named in the rules of engagement. 

 

Password Policy 

This usually defines the minimum length and composition rules that a password must meet. It can also state how often the password must be changed and whether previous passwords may be reused. 

 

Update Policy 

The update policy defines the patching schedule for systems and how maintenance windows affect business operations. 

 

Data Handling 

Data handling policies must be in place to prevent data leaks from companies. They should define who has access to the data, how it is secured, and what happens if unauthorised access is obtained. Only employees who need customer data for their role should have access to it, and the data should be encrypted at rest and in transit so that possession of the storage or the network path alone does not grant access. A breach plan should cover discovering how the breach occurred, assessing its severity, informing the affected clients (and regulators where required) of the breach, and mitigating the risk of future breaches. 

 

BYOD 

Personal devices used for work must be governed by a policy. The BYOD policy outlines how much access the device and its owner have to company systems and what happens when the employee is terminated or leaves. On leaving, the employee must accept that the company has the right to wipe company data from the personal device. 

 

Employee Privacy 

Most companies monitor activity on the devices they issue. The extent of that monitoring is defined in the computer usage policy, which employees accept as a condition of use. 

 

Policy Review and Testing 

When defining the penetration test, corporate policy must be considered. The client and tester will agree on which policies will be followed during the test. 

 

Engagement Contracts 

    • Scope of work – a very detailed document outlining what the test will consist of. It defines the who, what, when, where and why of the penetration test, including the systems in scope, the testing window and the deliverables. It should also contain payment methods and options, and any additional work the tester is to complete. After the document is finalised, lawyers should check the agreement before the contract is signed. 
    • Rules of engagement – defines how the test will be carried out. It identifies the type of test, how sensitive data is handled, whether and when the IT team is notified, and the escalation contacts. 
    • Master service agreement – a contract in which the parties agree the terms that will govern future engagements, so that each individual test then only needs its own scope of work. 
    • Non-disclosure agreement – outlines how confidential information shared during the engagement is handled and the restrictions on its use and disclosure. 
    • Permission to test – a written agreement from the client authorising the execution of the penetration test as described in the scope of work. 
