The Legal Aspects of Ethical Hacking – Where Are the Limits?

What are the current legal aspects of penetration testing in Slovenia and what can we expect in the future?

27. October, 2021 by Carbonsec Team

The legal aspects of ethical hacking are an important element of any contract for penetration tests or security checks of IT systems. A carefully regulated relationship between the client and the contractor is a basis for a confidential relationship. Confidentiality and trust are crucial in conducting tests that interfere with business information systems.

Cyber security is a sensitive topic whenever it comes up in conversation. Even in private life, we are reluctant to admit that we fell for a phishing attack or that somebody hacked our Facebook account. It is far worse when an intrusion, data theft or ransomware attack happens in a business environment.

A breach of an account is a very stressful experience.

Which legal aspects of ethical hacking are already well defined and implemented in Slovenia, and where is there still room for improvement? These were the main discussion topics at a round table held at the Cyber Security Week at the beginning of October. The recording of the round table (in Slovene) is available on the website of the Digital Center of Slovenia; we have summarized the key points and conclusions in this blog post.

All legal aspects should be determined before the start of the project

A penetration test or security check starts long before the actual testing. All steps of the project must be clearly defined, so that the contractor can follow the project documentation without interruption and the ethical hackers never have to wonder whether they are testing the right systems.

The first step of the project is the client’s request for the service. Immediately afterwards, we sign the first legal document: the Non-Disclosure Agreement (NDA). Why? Because we need confidential information to prepare a well-defined, high-quality offer, and the exchange of such information must always be regulated by an appropriate contract. Before preparing an offer, we define the scope of the project and determine exactly what our service will include. Once these points are agreed, we prepare the offer.

Penetration testing projects require thorough initial preparation on the side of the client. For example, if cloud services are in the scope of the project, the client must check what is allowed to be tested on such an infrastructure and obtain the permissions of the service provider if necessary.

Companies often request offers from several service providers. It is therefore a good idea to review the references of potential contractors beforehand, and to ask only those identified as reliable partners to prepare an offer.

Signing a contract

Once the client and the contractor have agreed on the project, the Contract and the Declaration on data protection (GDPR) are signed. Before the project starts, the parties also sign the so-called get-out-of-jail-free letter, which gives the pentesters permission to carry out the tests. These two documents also name the actual pentesters. The penetration testing project is now ready for execution.

Every cybersecurity check or penetration test has a specific goal

One might think that a penetration test is simply free hacking across the whole information system. It is quite the opposite: each penetration test and each security screening is performed with a specific goal. We check the security of a mobile app or a specific desktop app, we test the security of server settings or the perimeter of the information system, or we test how susceptible employees are to social engineering.

“The scope set out in the source documents should not be exceeded in any way. While performing the service, we must also adhere to the methodology and procedures defined in the offer and contract,” said Grega Prešeren, our CTO and leading ethical hacker.

What if we detect something more?

When performing a penetration test, it often happens that we penetrate to the point specified in the contract, but the path opens up further. What should ethical hackers do in this case? As a rule of thumb, they should finish the inspection at this point and inform the client of the finding. If the client wants the penetration test to be carried out deeper than originally planned, an annex to the contract should be signed. The contractor should not test further without a pre-signed contractual agreement.
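The rule above (stop at the contractual boundary, report, and wait for an annex) is easy to state but easy to violate in the heat of a test, when a foothold reveals further hosts. The following Python snippet is an added illustration, not part of the original post or of Carbonsec’s tooling: it encodes the agreed scope as an allowlist and classifies every newly discovered target before any further action is taken. All networks, hostnames and addresses in it are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class EngagementScope:
    """Scope as lifted from the signed contract / authorisation letter.

    networks:  CIDR blocks the client has authorised (constructed values in the usage below)
    hostnames: exact names or glob patterns, e.g. "*.app.example.test"
    excluded:  addresses explicitly carved out of the scope (e.g. a fragile legacy host)
    """
    networks: list
    hostnames: list
    excluded: list = field(default_factory=list)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(n, strict=False) for n in self.networks]
        self._excl = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def classify(self, target: str) -> str:
        """Return 'in-scope', 'excluded' or 'out-of-scope' for an IP address or hostname."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Not an IP literal: treat it as a hostname and match against the patterns.
            if any(fnmatch(target.lower(), pattern.lower()) for pattern in self.hostnames):
                return "in-scope"
            return "out-of-scope"
        # Exclusions win over inclusions, so a carved-out host inside an authorised
        # network is still refused.
        if any(addr in net for net in self._excl):
            return "excluded"
        if any(addr in net for net in self._nets):
            return "in-scope"
        return "out-of-scope"


def gate_targets(scope: EngagementScope, discovered: list):
    """Split targets discovered during the test into those the tester may continue on
    and those where testing must halt and the client be informed (annex required)."""
    proceed, halt = [], []
    for target in discovered:
        verdict = scope.classify(target)
        if verdict == "in-scope":
            proceed.append(target)
        else:
            halt.append((target, verdict))
    return proceed, halt


if __name__ == "__main__":
    # Constructed engagement: one /24, one application domain, one excluded host.
    scope = EngagementScope(
        networks=["10.20.0.0/24"],
        hostnames=["*.app.example.test"],
        excluded=["10.20.0.250/32"],
    )
    # Hosts seen after an initial foothold; 10.30.1.1 would be a third-party system.
    found = ["10.20.0.15", "10.20.0.250", "10.30.1.1", "portal.app.example.test", "partner.other.test"]
    ok, stop = gate_targets(scope, found)
    print("continue:", ok)
    print("halt and report:", stop)
```

The "halt" list is what goes into the interim report to the client; nothing on it is touched until an annex extends the scope, and third-party systems on it raise the separate notification question discussed below.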

“It may also happen during the penetration test that the Contractor discovers a vulnerability in a third-party system that is connected to the Client’s system. In such a case, a dilemma arises as to whether to communicate this finding to the third party even though we do not have a contractual relationship with it,” Prešeren pointed out.

At this point, the ethics of the service provider come to the fore. Ethical hackers must above all be ethical. Ethics, however, means more than meeting the minimum requirements of the law: it is an attitude that reflects the character of a cyber security service provider, and it is the foundation on which we build a trustful relationship with the customer.

The legal aspects of ethical hacking and personal data protection

Ethics in conducting penetration tests is often related to the personal data obtained during the test. The handling of personal data during the penetration test must be defined by a contract between the client, who is the data controller, and the contractor, who is the contractual data processor.

“The general regulation says that the contractual relationship must be regulated by a written agreement or contract. Article 28 of the GDPR regulation also clearly defines what such a contract must contain: duties, purpose, types of data if this can be foreseen,” said Andrej Tomšič from the Office of the Information Commissioner of the Republic of Slovenia.

Exclude personal data from reports

We must pay particular attention to the handling of personal data when drawing up and presenting reports on the service provided. When preparing reports, the Contractor is obliged to protect personal data stored in the Client’s systems, so personal information in reports should be redacted or deleted. Tomšič also emphasized that customer codes, employee ID numbers and similar identifiers are personal data too, merely pseudonymised, and are subject to the same rules as raw personal data. Reports should only contain anonymised data, which cannot be linked to an individual in any way.
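A practical consequence of Tomšič’s point is that a report sanitiser must strip pseudonymous identifiers (employee IDs, customer codes) with the same rigour as e-mail addresses, and that the check should run as a gate before the report leaves the contractor. The Python below is an added example, not code from the original post or from Carbonsec: it assumes the client’s identifier formats look like `EMP-12345` and `CUST-0001234` (a constructed assumption that would be replaced by the real formats agreed in the contract) and replaces every match with a category placeholder that carries no mapping back to the person.

```python
import re

# Constructed pattern for e-mail addresses found in evidence or screenshots text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed (constructed) formats of the client's pseudonymised identifiers.
# In a real engagement these come from the client, since the contractor cannot
# guess which codes the client's systems use to refer to people.
PSEUDONYM_RES = {
    "employee-id": re.compile(r"\bEMP-\d{5}\b"),
    "customer-code": re.compile(r"\bCUST-\d{7}\b"),
}


def anonymise_finding(text: str):
    """Replace personal and pseudonymised identifiers with category placeholders.

    Returns the cleaned text and a count per category, so the report author can
    see what was removed without the report retaining any of it. No lookup table
    is kept, which is what makes the result anonymised rather than re-pseudonymised.
    """
    counts = {}

    def strip(kind, pattern, s):
        s, n = pattern.subn(f"[{kind} removed]", s)
        if n:
            counts[kind] = counts.get(kind, 0) + n
        return s

    text = strip("email", EMAIL_RE, text)
    for kind, pattern in PSEUDONYM_RES.items():
        text = strip(kind, pattern, text)
    return text, counts


def contains_personal_data(text: str) -> bool:
    """Gate used before a report is released: True if anything still matches."""
    if EMAIL_RE.search(text):
        return True
    return any(p.search(text) for p in PSEUDONYM_RES.values())


if __name__ == "__main__":
    # Constructed finding text as a tester might first write it down.
    raw = ("IDOR in /api/orders: employee EMP-04821 (j.novak@example.test) "
           "could read the order of customer CUST-0001234.")
    clean, removed = anonymise_finding(raw)
    print(clean)
    print(removed)
    print("safe to ship:", not contains_personal_data(clean))
```

Keeping the per-category counts (but not the values) lets the client verify that the tester handled the data the contract describes, which is exactly the information Article 28 expects the contract to name: the types of data, not the data itself.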

“The goal of the penetration test is to gain access to a specific folder, file, or application. But not the content that is stored there,” emphasized lawyer Janez Tekavc.

What about copyright?

We have mentioned before that nowadays practically anything can be hacked: electronic devices, as well as devices we might not even think of as electronics, such as ovens, aquariums, cars, even pacemakers.

Any unauthorized interference with the device is problematic in terms of copyright, warranty claims, and security.

Ethical hackers encounter copyright in the security analysis of source code. If a security review is in the scope of the project, the code can be tested and scanned, but it must not be processed, tampered with or retained in any way.

Source code is copyrighted material.

Who is responsible if something goes wrong in penetration testing?

If the legal aspects of ethical hacking are clearly defined before the project starts, this question never poses an issue. If the exact specifications of the systems to be tested are given by the client, and if the contractor follows the methodology, there is almost no cause for concern.

However, if the contractor detects that something in the IT system may go wrong when performing a particular test, it is their duty to inform the client before testing and to discuss the possible consequences in advance. In such a case, the test may be omitted. On the other hand, if the client accepts the risk, the test can still be performed.

Legal aspects of ethical hacking in the future

What can be improved in the field of cyber security tests in the future?

Mr Tekavc sees an opportunity in the audit trail: “Certainly, the quality of services would be raised if the audit trail of penetration testing and security screening were available. Thus, the client would have the opportunity to reconstruct the attack and gain insight into who actually carried out the attack. It could happen that a black-hat hacker knew about the planned testing and carried out an actual attack on the system in the same timeframe.”
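The audit trail Mr Tekavc describes has to satisfy two requirements: the client must be able to trust that the tester did not edit it after the fact, and must be able to set it beside their own logs to see which events the testers cannot account for. The Python below is an added example, not part of the original post or of Carbonsec’s tooling. It keeps a hash-chained log of tester actions (each entry commits to the previous one, so any later edit breaks verification) and a correlation helper that flags observed events with no matching tester record. All IP addresses and targets are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


class PentestAuditTrail:
    """Append-only, hash-chained record of what the testers did, when and from where."""

    GENESIS = "0" * 64  # previous-hash value of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON of every field except the hash itself, so the digest is
        # reproducible by the client from the stored entry alone.
        canonical = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def record(self, tester: str, source_ip: str, target: str, action: str, when: str = None) -> str:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when,
            "tester": tester,
            "source_ip": source_ip,
            "target": target,
            "action": action,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, n) if all n entries chain correctly, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)

    def unexplained(self, observed: list) -> list:
        """Events from the client's own logs (dicts with source_ip and target) that match
        no recorded tester action: candidates for a real attack in the same timeframe."""
        seen = {(e["source_ip"], e["target"]) for e in self.entries}
        return [ev for ev in observed if (ev["source_ip"], ev["target"]) not in seen]


if __name__ == "__main__":
    trail = PentestAuditTrail()
    # Constructed tester actions from a documentation-range source address.
    trail.record("tester-1", "203.0.113.10", "10.20.0.15", "port scan", "2021-10-05T09:00:00+00:00")
    trail.record("tester-1", "203.0.113.10", "10.20.0.15", "login brute-force (approved wordlist)",
                 "2021-10-05T09:20:00+00:00")
    print("chain valid:", trail.verify())
    # Constructed events taken from the client's firewall log for the same window.
    client_events = [
        {"source_ip": "203.0.113.10", "target": "10.20.0.15"},
        {"source_ip": "198.51.100.7", "target": "10.20.0.15"},
    ]
    print("not covered by the audit trail:", trail.unexplained(client_events))
```

Handing the client the chain head hash at the end of each testing day (for instance in the daily status e-mail) is enough for them to detect any later alteration of the trail, and the correlation step is what turns the trail from a liability record into an actual detection aid.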

The level of cyber security services could also be raised by introducing mandatory security checks, an approach that has been common practice in the accounting sector for years. A list of qualified contractors would be formed to help clients choose an appropriate contractor.

We may eventually reach a level of cybersecurity culture at which companies implement a bug bounty system for discovering vulnerabilities. This means that companies give hackers free rein and publicly state that their systems may be tested. Companies define the scope of testing just as they would when concluding a contract with a contractor, and hackers are appropriately rewarded for discovering vulnerabilities. Such systems are already operating in several countries. This is a win-win situation: companies improve their security posture and hackers can earn substantial sums.

We cannot clearly predict the direction in which the cyber security testing in Slovenia will develop. However, we can certainly claim that our services are based on a solid legal basis and 10+ years of experience.

If you want to check how strong your organization’s cyber security posture is and are looking for a reliable partner, we would gladly play the role of your ethical hackers.

Contact us for more information and advice on improving your posture.
