August 26, 2021

Can Penetration Testers run into legal trouble?

Becoming a pen tester sounds like a dream job for a lot of people in cybersecurity but I feel there’s a weird gray area that’s not discussed:

If a company gives a pen tester permission to “hack” their environment to pick up on existing vulnerabilities, how does the pen tester know if he/she crossed the line? I mean there’s no way the company just gives complete access to exploit anything this person wants, right?

Under what circumstances can a pen tester get into trouble for their work? Are employers very strict with what a pen tester is allowed to do, OR is he/she given a lot of freedom as long as he/she can justify that the work being done is in the company's best interest?

Thanks.

Comments

Cypher_Blue

The pen tester knows because the terms of the engagement are clearly spelled out before they start.

Every engagement and client is different; some only want what's essentially a vulnerability scan and others want you to go full-on social engineering/physical APT style.

spuuderman12

When in contract with a company, the company may give the employee full access, allowing them to take any information they can get their hands on. They will normally hire outsiders to do these tests; that way there is no conflict of interest. When they hack into the company systems they are treated as a normal hacker. They go about things just as a hacker with bad intentions would have. The only difference is, there will be a contract involved where the person hired may not reveal or keep any information. It's a lot of legal paperwork. But yes, there are jobs out there where you just hack to really figure out any vulnerabilities in systems.
