APPENDIX 3: REGULATIONS AND LEGISLATION

The pen tester may be required to provide the client organization with a proof of compliance with certain legislation, regulations, best practices, or industry standards as a part of the pen testing effort. These regulations vary widely from one jurisdiction to another – from country to country and, often, from state to state.

Many regulations are industry-specific – such as legislation concerning health care – and only apply to that industry sector or vertical. Other legislation applies across all industries in a region or country and is, therefore, horizontal in nature.

A multinational organization may find it nearly impossible to be compliant with the regulations in all the countries they operate in. In fact, since regulations in one country may be in conflict with the regulations from another, it may actually be impossible for the organization to be compliant with the laws of each country.

Figure 45: Compliance and regulations

Examples of regulations and legislation

There are many laws and regulations that a pen tester should be familiar with, including laws on hacking, testing, privacy, financial soundness and protection of nations, organizations and individuals.

Hacking and pen testing

When is a pen test actually an attack and not just a test? One can claim that a test is not conducted with the intent to do damage, but, if the tester is negligent in performing the test and does impact the business of the client, or perhaps even the business of another organization that is affected by the test, is it then an attack? Where is the boundary between probing a network and attacking it? Is a port scan an attack, a precursor to an attack, or just an assessment of the security controls?

The problem is that the answer may be different depending on where you are and what laws apply. In some countries, the possession of testing tools may be seen as a criminal act – even by legitimate testing organizations. In other countries, there are few or no laws – and, without a foundation of laws, it may be impossible to deter unwanted behavior.

Privacy

Privacy legislation is one of the most high-profile types of legislation today. Many countries are passing privacy legislation to protect personally identifiable information (PII), such as addresses, locations, financial data, or health information.

A major consideration regarding privacy is trans-border data flow: what information is permitted to be moved from one country to another? In a world of Cloud Computing this becomes all the more challenging.

Some examples of privacy legislation include the European Union Principles on Privacy. The core principles are:

1.  The reason for gathering of data must be specified at the time of collection.

2.  Data cannot be used for other purposes.

3.  Unnecessary data should not be collected.

4.  Data should only be kept for as long as it is needed to accomplish the stated task.

5.  Only the necessary individuals who are required to accomplish the stated task should be allowed access to the data.

6.  Whoever is responsible for securely storing the data should not allow unintentional “leaking” of data.

US laws include the Health Insurance Portability and Accountability Act (HIPAA), the Electronic Communications Privacy Act and the E-Government Act of 2002.

Employee privacy

Is it legal to monitor an employee’s e-mail or other internet activity? Can a pen tester observe what an employee is doing, and what can they do if they observe something against company policy? What should be done if a test reveals illegal activity? These are all questions that must be addressed prior to the start of any test or examination of a network or system.

Non-disclosure agreements

Any person working on a pen test or in a security function should be trustworthy and honest. Ensuring this may require a background check and security clearance before employment, and follow-up review on an annual basis during employment. The employee should be required to sign and observe the conditions of a non-disclosure agreement, and be bonded to preserve the confidentiality of client information – even following employment or the termination of the services contract.

Some pen testing and security companies may even prevent an employee who has worked on the systems of one client from working on contracts for other clients in the same industry, in order to prevent information leakage between competitors.

Access controls

All access to pen tests, client data and other protected information must be on a strictly “need to know” basis and with enforcement of “least privilege.” Operating on a “need to know” basis prevents any person from accessing any data that they do not directly need to access as a part of their job function. The practice of “least privilege” enforces authorization controls that will only let a user perform limited operations on the data they can access – such as read-only, write-only, create, delete, etc. This prevents an individual who only needs read access to the data from making an accidental or intentional change.
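As an added illustration (not part of the appendix), the following Python authorizer separates the two rules just described: “need to know” decides whether a subject may touch a given client engagement’s data at all, and “least privilege” decides which operations they may perform on it. Everything is denied unless explicitly granted, and every decision is recorded for audit. The subjects, engagements and resource names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Mapping, Tuple

# Operations a subject may be granted on a data object. Least privilege means
# granting only the subset of these that a job function actually requires.
OPERATIONS: FrozenSet[str] = frozenset({"read", "write", "create", "delete"})


@dataclass(frozen=True)
class Resource:
    engagement: str  # client engagement the data belongs to (need-to-know scope)
    name: str        # e.g. a findings report or a scan export


@dataclass(frozen=True)
class Subject:
    name: str
    # Per engagement, the operations this person is allowed to perform.
    # An engagement with no entry means the subject has no need to know it.
    grants: Mapping[str, FrozenSet[str]]


# (subject, operation, engagement, resource, allowed, reason)
AuditRecord = Tuple[str, str, str, str, bool, str]


class Authorizer:
    """Deny-by-default access decisions with an audit trail of every decision."""

    def __init__(self) -> None:
        self.audit: List[AuditRecord] = []

    def check(self, subject: Subject, op: str, resource: Resource) -> bool:
        if op not in OPERATIONS:
            allowed, reason = False, "unknown operation"
        elif resource.engagement not in subject.grants:
            # Need to know: the subject is not assigned to this client's work.
            allowed, reason = False, "no need to know"
        elif op not in subject.grants[resource.engagement]:
            # Least privilege: assigned, but this operation was never granted.
            allowed, reason = False, "operation not granted"
        else:
            allowed, reason = True, "granted"
        self.audit.append(
            (subject.name, op, resource.engagement, resource.name, allowed, reason)
        )
        return allowed

    def denials(self) -> List[AuditRecord]:
        """Denied decisions are the ones worth reviewing for misuse or misconfiguration."""
        return [record for record in self.audit if not record[4]]


# Constructed sample data; names and engagements are hypothetical.
TESTER = Subject("alice", {"client-a": frozenset({"read", "write", "create"})})
REVIEWER = Subject(
    "bob", {"client-a": frozenset({"read"}), "client-b": frozenset({"read"})}
)
REPORT_A = Resource("client-a", "findings-report.docx")
REPORT_B = Resource("client-b", "findings-report.docx")


def run_scenarios() -> Dict[str, bool]:
    """Exercise the policy and return the decision for each labelled scenario."""
    az = Authorizer()
    return {
        "tester_reads_own_engagement": az.check(TESTER, "read", REPORT_A),
        "tester_writes_own_engagement": az.check(TESTER, "write", REPORT_A),
        "tester_deletes_own_engagement": az.check(TESTER, "delete", REPORT_A),
        "tester_reads_other_client": az.check(TESTER, "read", REPORT_B),
        "reviewer_reads_client_b": az.check(REVIEWER, "read", REPORT_B),
        "reviewer_writes_client_b": az.check(REVIEWER, "write", REPORT_B),
        "reviewer_unknown_operation": az.check(REVIEWER, "export", REPORT_B),
    }


if __name__ == "__main__":
    for scenario, allowed in run_scenarios().items():
        print(f"{scenario:32s} {'ALLOW' if allowed else 'DENY'}")
```

The tester can read, write and create on the engagement they are assigned to, but cannot delete there (least privilege) and cannot read another client’s report at all (need to know). The read-only reviewer is denied any write even on engagements they are cleared for, which is exactly the accidental-or-intentional change the paragraph above warns about.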

Financial legislation

Some examples of legislation regarding financial operations are the Gramm-Leach-Bliley Act of 1999, Sarbanes-Oxley Act (SOX 404), and Basel II. There are also numerous standards, such as the Generally Accepted Accounting Practices (GAAP), although these may also differ from country to country.

Standards

The use of a standard or recognized best practice may guide the performance of a penetration test. Some standards include the ISO27002 published by the International Organization for Standardization; the Payment Card Industry Data Security Standard (PCI DSS) and its related payment application standards; COBIT; NIST and ITIL®.

The PCI DSS standards are an excellent set of standards for designing and operating a secure system. Its core requirements are:

1.  Install and maintain a firewall configuration to protect cardholder data.

2.  Do not use vendor-supplied defaults for system passwords and other security parameters.

3.  Protect stored cardholder data.

4.  Encrypt transmission of cardholder data across open, public networks. [WEP cannot be used.]

5.  Use and regularly update anti-virus software or programs.

6.  Develop and maintain secure systems and applications.

7.  Restrict access to cardholder data by business need to know.

8.  Assign a unique ID to each person with computer access.

9.  Restrict physical access to cardholder data.

10.  Track and monitor all access to network resources and cardholder data.

11.  Regularly test security systems and processes. [Requirement 11.3 clarifies this to explicitly mandate internal and external penetration testing of networks and applications.]

12.  Maintain a policy that addresses information security for all personnel.20

Protection of intellectual property

One of the most important assets an organization has is its intellectual property – its patents, copyrights, trademarks and trade secrets. These elements of intellectual property (IP) must be protected, since they are, in effect, the competitive distinction and value that makes the organization competitive and profitable, and protects its market share. If the patents are lost, trade secrets are compromised or trademarks are violated, then the organization may have no way to compete effectively against lower-priced competition. Think of a pharmaceutical company that has spent years researching a new drug. If the data about that drug were to be acquired by a competitor, then the original company would have no way to recover its investment in research and would, possibly, face financial ruin. For this reason, the pen tester must be especially diligent to ensure that an organization’s IP is adequately protected and not subject to compromise.

20 www.pcisecuritystandards.org/security_standards/index.php.