Routine network penetration testing may shed light on exposures to external threats, but it can also put damning evidence in the hands of competitors and plaintiffs who sue your organization.
Attorneys caution that pen tests generate lengthy reports of system inaccuracies and vulnerabilities that could be used in court against a company.
"If the company fails to adequately correct all of the problems [pointed out by a pen test]," says Forrest Morgan, a principal at the law firm Morgan and Cunningham, "this report will be open to discovery by plaintiffs' counsel." Prosecutors also many use the information to "demonstrate the company failed to exercise due care in protecting information if there is a subsequent loss of critical information through unauthorized access to the system," he added.
What can you do?
Morgan and partner Bryan Cunningham suggest that enterprises have their attorneys retain the penetration testers, which in turn places the process under the umbrella of attorney-client privilege.
"When the pen test results are provided to the attorneys to assist in the overall evaluation process, the results may well be protected from discovery and public disclosure," Morgan said.
Outside of such a relationship, Morgan calls a penetration test a potential disaster.
In addition to the likelihood of failing the test and the possible exposure of test results to competitors and potential litigants, some enterprises may be left with a false sense of security following a pen test.
Some organizations may fix only obvious network security holes identified by the testers. In such cases, additional technical vulnerabilities, as well as procedural, administrative, process and other flaws at the root of some recent information security compromises may be overlooked. Wachovia Bank and ChoicePoint are both recent examples of failures in the business processes of information security.
Morgan and Cunningham recognize that the complete security evaluation process begins with determining the federal and state statutes, regulations and common law duties applicable to each company, which they believe is best performed by attorneys accustomed to reviewing statutes and prevailing case law to determine these laws' impact on a company's operations. Once a legal framework is identified, it is important for the evaluation team to work with the company and flag information critical to the company's operations and legal requirements. Then, the security of that critical information should be determined by qualified information security specialists using tools that include the pen test, followed by remediation to correct any weaknesses.
Snags in compliance
Legal counsel can also help IT departments define, maintain and review security processes in order to meet compliance requirements. In cases of privacy claims, or Sarbanes-Oxley Act, HIPAA or Gramm-Leach-Bliley violations, for example, prosecutors and juries will look more favorably upon an organization that retained qualified and experienced outside counsel and technical consultants before a problem arose to demonstrate a higher degree of care.
Put it in English
Attorneys can also help security managers frame the results of a penetration test in plain English -- a key not only for judges, juries and regulators, but for executives as well.
"There are many things that lawyers aren't good at," Morgan said, "but at least some are good at conducting interviews, reviewing and assessing documents, and drafting reports that will stand up in court -- if a customer decides to waive privilege -- and be readily understandable to those in the legal system."
This article also appears in the October 2005 issue of Information Security magazine.