The legal aspects of ethical hacking are an important element of any contract for penetration tests or security checks of IT systems. A carefully regulated relationship between the client and the contractor is a basis for a confidential relationship. Confidentiality and trust are crucial in conducting tests that interfere with business information systems.
When brought up in a debate, the field of cyber security is always a slippery slope. Even on a private level, we are not eager to disclose that we were the victim of a phishing attack or that somebody hacked our Facebook account. However, it is even worse if an intrusion, data theft or ransomware attack happens in a business environment.
Which legal aspects of ethical hacking are already well defined and implemented in Slovenia? And where is there still room for improvement? These were the main discussion topics at a round table held at the Cyber Security Week at the beginning of October. The recording of the round table in Slovene is available on the website of the Digital Center of Slovenia. We have summarized the key points and conclusions in this blog post.
All legal aspects should be determined before the start of the project
The penetration test or security check starts long before the actual execution. All steps of the project must be clearly defined, so that the contractor can follow the project documentation without interruption and the ethical hackers never have to wonder whether they are testing the right systems.
The first step of the project is the customer’s request for the service. Immediately afterwards, we sign the first legal document: the Non-Disclosure Agreement (NDA). Why? Because we need confidential information to prepare a well-defined, high-quality offer, and the exchange of such information must always be regulated by an appropriate contract. Before preparing an offer, we define the scope of the project and determine exactly what our service will include. Once we agree on these points, we prepare the offer.
Penetration testing projects require thorough initial preparation on the side of the client. For example, if cloud services are in the scope of the project, the client must check what is allowed to be tested on such an infrastructure and obtain the permissions of the service provider if necessary.
Companies often request an offer from several service providers. Therefore, it is a good idea to preliminarily review the references of potential contractors. Based on the obtained data, only those who have been identified as reliable partners are asked to prepare an offer.
Once the client and the contractor have mutually agreed on the project, the Contract and the Declaration on data protection (GDPR) are signed. Prior to the start of the project, the parties also sign the so-called get-out-of-jail-free letter, which gives the pentesters explicit permission to carry out the tests. These documents also name the actual pentesters. The penetration testing project is now ready for execution.
Every cybersecurity check or penetration test has a specific goal
One might think that a penetration test is simply free hacking all over the information system. It is quite the opposite. Each penetration test and each security screening is performed with a specific goal. We either check the security of a mobile app or a specific desktop app. We can test the security of server settings or the perimeter of the information system. Or we can test how susceptible employees are to social engineering.
“The scope set out in the source documents should not be exceeded in any way. While performing the service, we must also adhere to the methodology and procedures defined in the offer and contract,” said Grega Prešeren, our CTO and leading ethical hacker.
What if we detect something more?
When performing a penetration test, it often happens that we penetrate to the point specified in the contract, but the path opens up further. What should ethical hackers do in this case? As a rule of thumb, they should finish the inspection at this point and inform the client of the finding. If the client wants the penetration test to be carried out deeper than originally planned, an annex to the contract should be signed. The contractor should not test further without a pre-signed contractual agreement.
“It may also happen during the penetration test that the Contractor discovers a vulnerability in a third-party system that is connected to the Client’s system. In such a case, a dilemma arises as to whether to communicate this finding to the third party even though we do not have a contractual relationship with it,” Prešeren pointed out.
At this point, the ethics of the service provider come to the fore. Ethical hackers must above all be ethical. Ethics, however, is more than just respecting the minimum requirements of the law. It is an attitude that reflects the character of a cyber security service provider, and it is the foundation on which we build a trustful relationship with the customer.
The legal aspects of ethical hacking and personal data protection
Ethics in conducting penetration tests is often related to personal data obtained during the test. The handling of personal data during the penetration test must be defined by a contract between the client, who is the data controller under the GDPR, and the contractor, who is the contractual data processor.
“The general regulation says that the contractual relationship must be regulated by a written agreement or contract. Article 28 of the GDPR regulation also clearly defines what such a contract must contain: duties, purpose, types of data if this can be foreseen,” said Andrej Tomšič from the Office of the Information Commissioner of the Republic of Slovenia.
We must pay particular attention to the handling of personal data when drawing up and presenting reports on the service provided. When preparing reports, the Contractor is obliged to protect personal data stored in the Client’s systems. Personal information in reports should be redacted or deleted. Tomšič also emphasized that customer codes, employee ID numbers and similar identifiers are also personal data, merely pseudonymized, and they are subject to the same rules as raw personal data. In reports, we should only work with anonymised data, which cannot be linked to an individual in any way.
“The goal of the penetration test is to gain access to a specific folder, file, or application. But not the content that is stored there,” emphasized lawyer Janez Tekavc.
What about copyright?
We have mentioned before that nowadays it is possible to hack practically anything: electronic devices, as well as devices we might not even think of as electronics, such as ovens, aquariums, cars, even pacemakers.
Any unauthorized interference with the device is problematic in terms of copyright, warranty claims, and security.
Ethical hackers also face copyright issues in the security analysis of source code. If a source code review is in the scope of the project, the code can be tested and scanned, but it must not be modified, tampered with or retained in any way.
Who is responsible if something goes wrong in penetration testing?
If the legal aspects of ethical hacking are clearly defined before the project starts, this question never poses an issue. If the exact specifications of the systems to be tested are given by the client, and if the contractor follows the methodology, there is almost no cause for concern.
However, if the contractor detects that something in the IT system may go wrong when performing a particular test, it is their duty to inform the client before testing and to discuss the possible consequences in advance. In such a case, the test may be omitted. On the other hand, if the client accepts the risk, the test can still be performed.
Legal aspects of ethical hacking in the future
What can be improved in the field of cyber security tests in the future?
Mr Tekavc sees an opportunity in the audit trail: “Certainly, the quality of services would be raised if the audit trail of penetration testing and security screening were available. Thus, the client would have the opportunity to reconstruct the attack and gain insight into who actually carried out the attack. It could happen that a black-hat hacker knew about the planned testing and carried out an actual attack on the system in the same timeframe.”
The level of cyber security services could be raised by introducing mandatory security checks. Such an approach has been common practice in the accounting sector for years. A list of qualified contractors would be formed to help clients choose an appropriate contractor.
We may eventually reach such a level of cybersecurity culture that companies will implement a bug bounty system for discovering vulnerabilities. This means that companies “give hackers their head” and publicly state that their systems may be tested. Companies define the scope of testing just as they would in a contract with a contractor, and hackers are appropriately rewarded for discovering vulnerabilities. Such systems are already functional in several countries. This is a win-win situation: companies can improve their security posture and hackers can earn substantial sums of money.
We cannot clearly predict the direction in which cyber security testing in Slovenia will develop. However, we can certainly say that our services are based on a solid legal foundation and more than 10 years of experience.
If you want to check how strong your organization’s cyber security posture is and are looking for a reliable partner, we would gladly play the role of your ethical hackers.
Contact us for more information and advice on improving your posture.