I recently did a penetration test for one of our company's partners, only to find out that management had not obtained written permission from the partner for the test to be performed. The partner reported that they'd been hacked and now the companies are involved in litigation! I'll make sure that I have written permission in my hands every time from here on out, but what steps should I take to salvage my reputation as an ethical hacker?
There's nothing like accidently getting yourself involved in litigation. Sounds like you and your company have learned a valuable lesson about always having proper written authorization prior to conducting an assessment. There are a few things you should do initially: One is to talk with your company's management and lawyers to find out what documentation they need from you. This will likely include documenting what you were asked to do, what tests you ran and when. Be as cooperative as possible and quickly establish that you are a team player that has the best interest of the company in mind.
Next, create a process to be followed for any future penetration tests. This should obviously mandate a documented request from management as well as some sort of notice that you have been granted permission from all appropriate parties. After the test, this should include documentation of when and what tests were performed.
If your company is handling the situation well, management will support you in this process. If it becomes clear, however, that your company knew about the need for permission and chose to ignore it, you have an alternate option, which unfortunately is to quit. Sometimes the only way to protect your reputation is to separate yourself from the organization completely and find a new company to work with that respects ethical concerns. This is a drastic measure, but may be in your best interest in the end. And no potential employer worth its salt would hold this stance against you.
- Learn how a Certified Ethical Hacker can become a penetration tester.
- What are the pros and cons of zero-knowledge penetration tests? Read more.
Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.