Computer System and Computer

Last reviewed: May 7, 2017

Penetration Testing

The use of penetration testing to test the security and safety of a network is a common practice among many firms. It is also often normal not to inform the relevant staff and personnel behind a network about what is about to occur, so that they are truly tested based on what they would normally be doing. However, there are legal and other minefields in doing such testing, and all of the people involved need to be careful to cross all the t's and dot the i's before getting too deep into it. While penetration testing needs to be as complete and realistic as possible, there are some precautions and other steps that must be taken.

Best Practices

As one might expect, the big thing to have when it comes to penetration testing is permission to do so. However, it is important to define what that means in the context of a "surprise" penetration testing instance. Indeed, the standards relating to this are set in many respects by an organization known as the SANS Institute. The group suggests all of the following:

• Make sure that the auditor doing the penetration testing is represented by legal counsel. This will lead to the invocation of attorney/client privilege should it be needed.

• The audit arrangement and agreements should be considered and treated as a professional services engagement.

• An unannounced test should be timed very carefully. Obvious times to avoid are month-end processing and other peak times or operating hours.

• The audit and the situations it creates should not create more problems than they solve.

• There should be very firm and specific agreement (in writing) on what the auditor is allowed to do, what data they are allowed to maintain, and so forth (Kassner, 2015).

The above is more of a general guideline. As one might expect, there are often state-specific laws that may or may not apply, depending on the situation. In the state of Hawaii, the relevant charges are referred to as computer damage in the first degree and computer fraud in the second degree. Obviously, an auditor would be wise not to commit the acts below while engaging in penetration testing:

Computer damage in the first degree is typified by one or more of the following:

• The person knowingly causes the transmission of a program, information, code or command that causes unauthorized damage.

• The person intentionally accesses a computer without authorization, and that access causes damage.

Computer fraud in the second degree is as follows:

• The unauthorized computer access in the first degree occurs, that being the knowing access of a computer system or network with the goal of financial gain, in furtherance of a crime, where the value of the information exceeds $5,000, or anything else of the sort.

Cite This Paper
PaperDue. (2017). Computer System and Computer. PaperDue. https://www.paperdue.com/essay/computer-system-and-computer-2165344