No Penetration Testing

by Brent Kirkpatrick




Penetration testing, or fake hacking, is illegal under strict interpretations of the law.



Multiple pieces of legislation seem to outlaw penetration testing. Penetration testing, the act of fake hacking, apparently with permission, is used to test the vulnerability of a target computer to certain types of attacks. However, penetration testers introduce new vulnerabilities while testing for others. Furthermore, they may gain access to sensitive information and thereby violate privacy laws themselves.

The attacks tested by penetration testers are not the ones actually used by hackers. Not only do the critical defenses against actual hackers go untested, but the penetration testers can introduce new vulnerabilities as a side effect of their testing. Their tests themselves increase the attack surface.

A strict interpretation of the medical privacy laws, codified by HIPAA, forbids penetration testing. Similarly, strict interpretations of the Gramm-Leach-Bliley Act (the financial privacy law), the North American Energy Security and Infrastructure Act, and the NERC Critical Infrastructure Protection standards (the energy-sector security standards) also restrict penetration testing. Any violation of privacy or infrastructure security by fake hacking is as problematic as a violation by real hackers.





© 2015, 2016, 2017, 2018 Intrepid Net Computing. All rights reserved.