What is pentesting?
Penetration testing, or pentesting for short is a discipline that has been around in one form or another for decades. It is a method used to look for security vulnerabilities in an IT system, such as a web application or online service. Usually, a pentest is carried out by security specialists who probe the system in question, acting as a cybercriminal would, to find flaws and ‘ways in’. OWASP has created a set of industry standard testing guides for the discipline. They also produce their ‘Top Ten’ series of vulnerabilities to help focus tests on core known vulnerabilities. In addition, the Penetration Testing Execution Standard (PTES) published the ‘Pentest Standard’ which goes through the seven main areas that the process of pentesting uses: This includes intelligence gathering, vulnerability analysis, and reporting. All in all, pentesting is a skilled job that requires high levels of attention to detail and a deep knowledge of IT system security. It is also, however, by its very nature, a job that requires an individual to have intimate knowledge of sensitive data and entry to normally restricted areas of a company. Pentesting requires a company to have a deep level of trust in the company and individuals carrying out the pentests. This leads to the main discussion point…do we need rules of engagement and codes of conduct in pentesting?
A tale of two pentesters
The ethical issues of pentesting can be complicated and the waters muddy. A recent case between a pentest company Coalfire and Iowa Judicial Council begs the question, “when does a pentest go too far?” The case highlights the fine line that can be crossed between a pentest event and a genuine breach of security. In the case, two pentesters have been accused of ‘burglary’ by breaking and entering the premises of the client. The pair were arrested in the courthouse around midnight after setting the alarm off. Their defense is that they were engaged to check the physical security of buildings as part of the overall pentest contract. The case has caused much discussion amongst the security community. Were the men genuinely carrying out the job as contracted or was this a ruse to actually burgle the Iowa Judicial Council? The case appears to come down to the finer details of what the company was contracted to do. The contract appears to specifically point out that they will NOT test alarms or force doors, both of which happened in the case. Whatever the outcome, somewhere during contract creation or thereafter, the pentesters failed to communicate their intentions. The code of conduct of these pentesters is now on trial. The example above is an important one as it opens up the discussion about ethics and rules of engagement in pentesting.
Code of conduct for pentesting
Pentesters’ raison d’etre is to break into systems. They want to find flaws; they probe the inner workings of your IT systems and services to find ways in which cybercriminals will otherwise locate. Therefore, there needs to be a strong code of conduct for anyone in the industry. If not, you may end up with good pentesters gone bad. There are industry bodies to help with this. The Council of Registered Ethical Security Testers (CREST) has developed a code of conduct (CREST, 2014) that pentesters adhere to. If you are an individual pentester or a company that offers pentesting services, you can become CREST Accredited. There have also been models that attempt to provide guidance on penetration testing ethics. One such model was developed in 2006 by Pierce, et.al. The team’s work presents a taxonomy of penetration ethics that can be used as a basis for a work agreement, for example. There have been some criticisms of this model, however, and it is not a certification standard, as that offered by CREST. However, it can be used as a basis for developing ethical standards that you would expect when engaging a pentest team. On an individual basis, there are a number of certification bodies that provide training and certification for pentesters. Many pentest-specific certifications will detail a pentester code of conduct as part of the training. Others, such as the UK’s The Cyber Scheme (“TCS”) place a high emphasis on maintaining a code of conduct as a pentester.
Conclusion: Trust in pentesting
Can we truly ever trust pentesters? Although there is always an element of risk when allowing anyone into your confidence, it is fair to say that if a pentesting company has a reputation to uphold, they will be less likely to lose it by acting unethically. However, it makes sense that you should always vett your choice of pentester. Take references from previous clients, check accreditation and certification, ask probing questions, and use your gut reaction too. After all, you will be effectively allowing them to hack into your system, see sensitive company data, and if they do turn out to be the bad guy, they could sell this info to your competitors. Whatever measures you use to check your pentesters’ ethical status, rogue actors are always a risk. However, pentesting is an extremely useful way to batten down the hatches in a cybersecurity landscape where data breaches and cyber-attacks are increasingly common. Ultimately, you must decide if the benefits of having your IT systems pentested in this aggressive cybersecurity environment, balance against the risk of a pentester gone bad. The use of codes of conduct within your agreement along with recognized certification and accreditation can certainly help to mitigate that risk. Sources
Infosec Institute, The Types of Penetration Testing OWASP Penetration Testing Execution Standard Secure World Expo CREST Accredited companies Pierce, J., et.al., PENETRATION TESTING PROFESSIONAL ETHICS: A CONCEPTUAL MODEL AND TAXONOMY Infosec Institute, Top 10 Penetration Testing Certifications for Security Professionals