
No Penetration Testing

by Brent Kirkpatrick

(Date Published: .)

Penetration testing, or fake hacking, is illegal under strict interpretations of the law.

Multiple pieces of legislation seem to outlaw penetration testing. Penetration testing, the act of fake hacking, ostensibly with permission, is used to test a target computer's vulnerability to certain types of attacks. However, penetration testers introduce new vulnerabilities while testing for others. Furthermore, they may gain access to sensitive information and thereby themselves violate privacy laws.

The attacks tested by penetration testers are not the ones actually used by hackers. Not only do the critical defenses against actual hackers go untested, but the penetration testers can introduce new vulnerabilities as a side effect of their testing. Their tests themselves increase the attack surface.

cartoon: penetration tester

A strict interpretation of the medical privacy laws codified by HIPAA forbids penetration testing. Similarly strict interpretations of the Gramm-Leach-Bliley Act (the financial privacy law), the North American Energy Security and Infrastructure Act, and the NERC Critical Infrastructure Protection standards (the energy sector security standards) also restrict penetration testing. Any violation of privacy or infrastructure security by fake hacking is as problematic as a violation by real hackers.


Jarrett, H. Marshall, and Michael W. Bailie. "Prosecuting Computer Crimes." Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice, 2015.


© 2015-2021 Intrepid Net Computing. All rights reserved.