
	Home > Ask the Security Experts > Security Management Questions & Answers > The requirements needed to make an external penetration test legal

Ask The Security Expert: Questions & Answers

EMAIL THIS

The requirements needed to make an external penetration test legal

EXPERT RESPONSE FROM: David Mortman, featured expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 02 June 2009
I've been asked to perform a vulnerability test on the wireless network. The company's managing director has deliberately not given me any information about the wireless network or the internal company network as he wishes to know how much information can be obtained by outsiders. What are the most appropriate best practices to keep in mind so that I perform a comprehensive vulnerability assessment without crossing any unethical boundaries?

First and foremost, make sure the external penetration testing is legal. Get written authorization in order to perform the assessment. If you are an outside contractor, this authorization should be part of your contract or statement of work. It is important that the authorization be as detailed as possible to avoid legal or ethical issues; details to include are the allowed dates (and times if relevant) of the assessment, which attacks are permitted and, more importantly, which ones are not permitted. Also, you should document whether or not you are allowed to attack the access points and/or devices attached to the wireless network directly, or if the goal is just to break the authentication and authorization protocols/policies.

Often, attacks that can create denial-of-service conditions are disallowed. Similarly, it is important to document how far you are allowed to test if you find a wireless network vulnerability. For instance, if you manage to connect to the network, are you allowed to see what services are available? And if so, are you limited to the ones directly on the wireless network or are you permitted to attack services on any attached wired networks?

Unless this is also supposed to test the effectiveness of the infosec team's monitoring techniques, all external penetration testing should go through the client's change-control system so that the appropriate people are aware of the situation and can react appropriately should your testing cause any issues.

It is also important to document what tests you ran and the results of those tests so you can cleanly and accurately report the results back to the organization.

For more information:

Read more about ethical hacking techniques for standard penetration testing.
Are Web application penetration tests still important? Find out more.

BROWSE BY TAG

Security Management, Enterprise Vulnerability Management, Application and Platform Security, Security Testing and Ethical Hacking, Enterprise Risk Management: Metrics and Assessments, Information Security Management, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	How to prepare for a FERPA audit
	Why doesn't the CISSP cover information assurance and DIACAP?
	Data breach notification legislation: What info must be released?
	Risk management strategy for an information technology solution provider
	Are there guidelines to create a HIPAA-compliant data center?
	HHS HIPAA guidance on encryption requirements and data destruction
	Writing a patient identifier policy to prevent common HIPAA violations
	How to write technology outsourcing contracts
	The requirements for being a PCI DSS-compliant service provider
	How to create configuration management plans to install DLP

Security Testing and Ethical Hacking

H.D. Moore speaks about Metasploit Project deal, Release 3.3

Could Metasploit popularity erode?

Metasploit Project acquired by vulnerability management firm Rapid7

Should management processes change based on a patch release schedule?

Does an EULA make it truly illegal to decompile software?

Screencast: BackTrack 4 offers an arsenal of penetration testing tools

Security testing firm uncovers XML vulnerabilities

Screencast: Samurai offers pen-testing nirvana

McAfee to acquire Solidcore Systems for whitelisting

The Pipe Dream of No More Free Bugs

Enterprise Risk Management: Metrics and Assessments

How to justify information security spending on cloud computing

Layoffs prompt insider threat fears, cybersecurity survey finds

How to avoid Internet liability lawsuits

Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way

Bernie Rominski: Communicate Effectively with Management about Risk

Best Policy and Risk Management Products

Monitoring program data and internal controls for risk management

Risk management strategy for an information technology solution provider

Align your data protection efforts with GRC

The basics of enterprise GRC project management

Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

Cyber Storm (SearchSecurity.com)

ethical hacker (SearchSecurity.com)

ethical worm (SearchSecurity.com)

gray hat (SearchSecurity.com)

honey pot (SearchSecurity.com)

honeynet (SearchSecurity.com)

war dialer (SearchSecurity.com)

white hat (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business