
Values and Ethics in Penetration Testing Practices
A Presentation by Matthew Snell
CIST 3110 IT Ethics
University of Nebraska at Omaha

[1]

What is Penetration Testing?
Pretend you are the attacker
Manual or Automatic systems
Servers, endpoints, web apps, etc.
Always preventative
The logic might not be
Two main types
Software
Hardware
[2]

Penetration testing, or pen testing, is the practice of evaluating a network from the
perspective of an attacker to assess vulnerabilities and remove them. A penetration
test can be manual or automated for use on servers, endpoints, web applications,
wireless networks, network devices, mobile devices, and other potentially vulnerable
points (Thomas 2017). Penetration testing is always performed as a preventative
measure, regardless of whether it is implemented as a response to past vulnerability
exploitation. In the case that the pen tester is hacking back at a current threat, that is
just hacking, which is illegal (Legal n.d.). Most basic penetration testing is software-
based, with hardware assistance in almost all complex and enterprise solutions. This
also has exceptions, like simple mobile penetration testing tools.

Social, Ethical and Legal Issues
Potential issues:
Data theft
Data loss
Data destruction
Abuse of clearance
Accidental clearance
Cross-border mishap
Potential results:
Lawsuit for PT
Court
Security compromise
[3]

Some primary concerns with penetration testing are privacy and authority. Most
penetration testers are given a high security clearance to do the job that they do, and
sometimes in the process of testing they can find themselves with clearance they didn't
expect (Connor n.d.). Oftentimes, there is at least some risk that penetration testing
destroys something on the host system, or renders it inaccessible. Every party
involved may have different ideas of where and how the data was lost when they are
in court. Other legal issues arise across state or federal lines when a penetration
tester is contracted to test a remote system and granted access. The laws that apply
to penetration testing are sometimes different at the two endpoints, especially when
things don't go as expected. As you can tell, many of these things are contingent on
the testing going as planned!

Social, Ethical, and Legal Issues
WiFi Pineapple
Man in the Middle Attack
MITM
Misuse of hardware
Many scales of misuse
Coffee shops
Leaks worldwide [4]

The WiFi Pineapple was mentioned earlier in the presentation. According to Volkan
Paksoy, the Pineapple is a WiFi honeypot that allows users to carry out man-in-the-
middle attacks (2015). These attacks are applied in favor of the tester, but may
be used in virtually any setting where a man-in-the-middle attack is applicable. The
misuse of penetration testing hardware to access others' data is a current ethical,
legal, and social issue in information technology. These skills have been abused at a
scale as small as coffee shop information theft and as large as data breaches, which often
utilize similar methods of access.

Background and Details
Many lawsuits and cases
Difficult to decide truth from self-preservation
Genesco, Inc. vs. Visa U.S.A., Inc.
Finished in 2015
Changed many things about pen testing
Pen testing is now confidential
Legal privilege
Companies have a new rule:
Make a good business decision [5]

Seeing many major lawsuits and mishaps in cybersecurity that involve penetration
testing, it is hard to discern examples of whether one group or another is following
ethical principles. In 2015, as a result of lawsuits from major data breaches, the case
Genesco, Inc. vs. Visa U.S.A., Inc. changed the way many corporations view this
practice (Federal 2015). It confirmed that penetration testers' work and
communications were confidential; they were covered under legal privilege. This
made it so that organizations were likely to plan their penetration testing with
more scrutiny before making a decision that could cause them trouble in the future.

Pros and Cons
Cons:
Misuse of hardware
Data manipulation
Data loss
Abuse of privileges
Legal mishaps
Pros:
Required
Long lasting
Produces jobs
Development
Contribution

There are many drawbacks of penetration testing: abuse of privileges, data
manipulation, data loss, and misuse of hardware. Despite all of this, many positive things
come out of the act. With the world of technology in its current state and direction,
it's likely that we will need penetration testers for a long time. The practice of
penetration testing produces jobs and contributes to society and the development of
new software and hardware. Without penetration testers, the world of information
technology would be dealing with an exponentially higher amount of vulnerability
exploitation than what is seen today.

Conclusion
Pen testing isn't always safe
But we need it
Companies and elevated clearance: provide to pen tester?
Penetration testing becoming more common
Laws too
Smoother process
(Hopefully)
There's no clear right answer to some of these questions
But there are many wrong answers

Penetration testing is not always safe, but it's something that we will need
indefinitely. Some of the difficulty of the practice is the fact that the host company is
often providing elevated permissions to an individual that they are not familiar with.
At that point, it is up to the tester and their ethical standards to face whatever may
happen in a reasonable manner. As information technology becomes more
common in today's world and our legal systems become more acquainted with new
technology, penetration testing may become a smoother process, or it may not.
There is no perfect guide written on how to pen test, but plenty of laws are in the
works.

References
Thomas, B. (2017, March 06). When to Use a Pen-Test and When to Use a Vulnerability Scan. Retrieved October 23, 2017, from https://www.coresecurity.com/blog/when-use-pen-test-and-when-use-vulnerability-scan
Legal Issues in Penetration Testing. (n.d.). Retrieved October 23, 2017, from http://www.securitycurrent.com/en/analysis/ac_analysis/legal-issues-in-penetration-testing
Connor, N. O. (n.d.). Corporate penetration testing: Addressing network security issues. Retrieved October 23, 2017, from http://www.computerweekly.com/tip/Corporate-penetration-testing-Addressing-network-security-issues
Paksoy, V. (2015, February 25). Playground for the mind. Retrieved October 23, 2017, from http://volkanpaksoy.com/archive/2015/02/25/beware-the-pineapple-an-overview-of-wifi-pineapple-mark-v/
Federal Court Extends Attorney-Client Privilege to Cybersecurity Consultants. (2015, May 19). Retrieved October 23, 2017, from https://www.tracesecurity.com/blog/federal-court-extends-attorney-client-privilege-to-cybersecurity-consultants-findings#.WfYzp2iPJPZ

Image References
[1] Scales of Law [Digital image]. (2015, January 5). Retrieved October 23, 2017, from http://resources.infosecinstitute.com/wp-content/uploads/Law.png
[2] Decryption [Digital image]. (2014, February 8). Retrieved October 23, 2017, from http://www.istockphoto.com/vector/data-decryption-hacking-padlock-saw-drawing-gm468159451-34561906
[3] Exclamation Mark [Digital image]. (n.d.). Retrieved from http://getitwrite.ca/2011/06/06/five-is-too-many/
[4] WiFi Pineapple [Digital image]. (n.d.). Retrieved October 23, 2017, from https://hakshop.com/products/wifi-pineapple
[5] Legal Document [Digital image]. (n.d.). Retrieved October 23, 2017, from https://www.mhc.ie/latest/blog/how-to-avoid-the-legal-pitfalls-of-a-team-move
