A legal shield for pen-test results

By Shawna McAlearney 06 Oct 2005 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Routine network penetration testing may shed light on exposures to external threats, but it can also put damning evidence in the hands of competitors and plaintiffs who sue your organization.

Attorneys caution that pen tests generate lengthy reports of system inaccuracies and vulnerabilities that could be used in court against a company.

"If the company fails to adequately correct all of the problems [pointed out by a pen test]," says Forrest Morgan, a principal at the law firm Morgan and Cunningham, "this report will be open to discovery by plaintiffs' counsel." Prosecutors also many use the information to "demonstrate the company failed to exercise due care in protecting information if there is a subsequent loss of critical information through unauthorized access to the system," he added.

What can you do?
Morgan and partner Bryan Cunningham suggest that enterprises have their attorneys retain the penetration testers, which in turn places the process under the umbrella of attorney-client privilege.

"When the pen test results are provided to the attorneys to assist in the overall evaluation process, the results may well be protected from discovery and public disclosure," Morgan said.

Outside of such a relationship, Morgan calls a penetration test a potential disaster.

Related links Expert Advice: How pen testing differs from other assessments Tip: Five ways to simplify the vulnerability management lifecycle

In addition to the likelihood of failing the test and the possible exposure of test results to competitors and potential litigants, some enterprises may be left with a false sense of security following a pen test.

Some organizations may fix only obvious network security holes identified by the testers. In such cases, additional technical vulnerabilities, as well as procedural, administrative, process and other flaws at the root of some recent information security compromises may be overlooked. Wachovia Bank and ChoicePoint are both recent examples of failures in the business processes of information security.

Morgan and Cunningham recognize that the complete security evaluation process begins with determining the federal and state statutes, regulations and common law duties applicable to each company, which they believe is best performed by attorneys accustomed to reviewing statutes and prevailing case law to determine these laws' impact on a company's operations. Once a legal framework is identified, it is important for the evaluation team to work with the company and flag information critical to the company's operations and legal requirements. Then, the security of that critical information should be determined by qualified information security specialists using tools that include the pen test, followed by remediation to correct any weaknesses.

Snags in compliance
Legal counsel can also help IT departments define, maintain and review security processes in order to meet compliance requirements. In cases of privacy claims, or Sarbanes-Oxley Act, HIPAA or Gramm-Leach-Bliley violations, for example, prosecutors and juries will look more favorably upon an organization that retained qualified and experienced outside counsel and technical consultants before a problem arose to demonstrate a higher degree of care.

Put it in English
Attorneys can also help security managers frame the results of a penetration test in plain English -- a key not only for judges, juries and regulators, but for executives as well.

"There are many things that lawyers aren't good at," Morgan said, "but at least some are good at conducting interviews, reviewing and assessing documents, and drafting reports that will stand up in court -- if a customer decides to waive privilege -- and be readily understandable to those in the legal system."

This article also appears in the October 2005 issue of Information Security magazine.

Tags: Security Testing and Ethical Hacking,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Testing and Ethical Hacking Could Metasploit popularity erode? Metasploit Project acquired by vulnerability management firm Rapid7 Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Screencast: BackTrack 4 offers an arsenal of penetration testing tools Security testing firm uncovers XML vulnerabilities Screencast: Samurai offers pen-testing nirvana The requirements needed to make an external penetration test legal McAfee to acquire Solidcore Systems for whitelisting The Pipe Dream of No More Free Bugs

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Cyber Storm  (SearchSecurity.com) ethical hacker  (SearchSecurity.com) ethical worm  (SearchSecurity.com) gray hat  (SearchSecurity.com) honey pot  (SearchSecurity.com) honeynet  (SearchSecurity.com) war dialer  (SearchSecurity.com) white hat  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary