Before you engage in penetration testing, you should understand the laws and ethics involved in ethical hacking. You have an ethical responsibility to your clients to ensure the confidentiality of your tests and their results. The testing boundaries should be clearly delineated in your contract, and you should practice due care to ensure that you do not step outside these boundaries. Several laws are relevant to penetration testing. There are European laws and guidelines, such as the OECD 2002 Guidelines, the UK Computer Crime Act, and the European Council. U.S. laws include the 1973 U.S. Code of Fair Information Practices, the 1986 Computer Fraud and Abuse Act (18 U.S.C. § 1030), the 2002 Federal Information Security Management Act, and state laws (although the latter are seldom used in prosecuting cases). There are also U.S. regulatory laws that create the need for penetration testing. Testers should be knowledgeable about these as they pertain to their client market. These include the following:
Throughout the entire testing process, you should log your actions for auditing and reporting purposes. Finally, you need to determine how involved you are going to be in providing security solutions for your client. If you do offer suggestions to your client on how to secure the client infrastructure, you should provide disclaimers that clearly identify them as suggestions.