
Mitigating Data Security and Compliance Risks With Proper Pen Testing

By Nicholas Arico, Global Cybersecurity Specialist & Lothar Determann, Partner, Baker McKenzie

Pen testing can reduce a company's legal risk, or add to it if the company prepares poorly. When companies commission pen testing to harden their data security programs, the exercise can create new risks and backfire unless they address privacy and data protection law considerations in advance.

What is Penetration Testing and what is it good for?
Penetration testing, commonly referred to as pen testing, is a proactive and systematic approach to evaluating an organization’s cybersecurity defenses. Some liken the approach to a bank hiring an ex-burglar or directing an employee to try a heist to identify vulnerabilities.[1]

The pen testing process involves simulating cyberattacks to identify and exploit vulnerabilities in systems, networks, and applications. Ethical hackers, often called “white hats,” are authorized to mimic the tactics, techniques, and procedures (TTPs) of cyber adversaries, with the primary goal of uncovering and addressing security weaknesses before malicious actors can exploit them. By imitating the actions of potential attackers, pen testing provides a real-world assessment of an organization’s security posture, identifies deficiencies in the infrastructure, and offers actionable insights for remediation.

Penetration testing can be categorized into three types based on the information provided to the tester. The choice follows from the organization’s goals for the test.

  • White-box testing, also known as crystal-box testing, gives the tester complete knowledge of the system, including IP addresses, network diagrams, source code, credentials, and configuration details. This comprehensive access allows for an exhaustive examination, simulating an insider threat.
  • In contrast, black-box testing provides the tester with no prior knowledge of the system or network, simulating an external attack that requires reconnaissance to gather information about the environment. This method offers a realistic evaluation of how an outside attacker might breach the system.
  • Gray-box testing combines elements of both white-box and black-box testing, giving testers partial knowledge of the system, such as access to certain internal information like network architecture, system designs, or limited credentials.

The penetration testing methodology typically follows several logically progressing phases: planning, reconnaissance, scanning and probing (enumeration), vulnerability assessment and discovery, exploitation, and reporting. Each phase is crucial to a thorough evaluation of the organization’s cybersecurity defenses.

Understanding the difference between penetration testing and vulnerability scanning is vital for a robust cybersecurity strategy. Vulnerability scanning is an automated process that uses tools to identify potential vulnerabilities in systems and networks. These scanners compare the observed state of a system (software versions, exposed services, configuration settings) against a database of known vulnerabilities and misconfigurations, producing a list of identified issues ranked by severity. A scanner match is a candidate, not a confirmed weakness: it can be a false positive, for example where a backported patch leaves the version string unchanged, and it says nothing about whether the issue is actually exploitable in context. The issues it reports can then be addressed through patching, configuration changes, or other mitigation strategies. In contrast, penetration testing is a manual or semi-automated process carried out by security professionals who actively attempt to exploit vulnerabilities. Pen testers use various tools and techniques to mimic cyberattacks, providing a more comprehensive understanding of how an attacker could compromise the system. This process often involves social engineering, network attacks, and application testing to uncover weaknesses that scanners miss.
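To make the scanner side of that distinction concrete, here is a minimal version-matching scanner, written as an added example for this page rather than taken from the article or from any real scanning product. The product names, advisory identifiers, version ranges and scores are all constructed; real scanners use vendor and NVD feeds, fingerprint far more than a version string, and still produce the same kind of unverified candidate list:

```python
# Added example, not from the article: a minimal vulnerability scanner of the
# kind described above. It compares an inventory of discovered services against
# a database of known weaknesses and ranks the matches by severity. All product
# names, advisory identifiers and scores are constructed for illustration and
# do not refer to real software or real advisories.
from __future__ import annotations

from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10), so that versions compare numerically; as strings,
    '13.11' would sort before '13.9' and produce a false negative."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier
    product: str
    introduced: str    # first affected version, inclusive
    fixed: str         # first fixed version, exclusive
    cvss: float        # severity score, 0.0 to 10.0
    summary: str


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str
    advisory: Advisory
    verified: bool = False  # a scanner yields candidates; a tester confirms them


# Constructed "known vulnerabilities" database.
ADVISORIES = [
    Advisory("EX-2024-0001", "examplehttpd", "2.4.0", "2.4.50", 9.8, "pre-auth remote code execution"),
    Advisory("EX-2024-0002", "examplehttpd", "2.4.0", "2.4.52", 5.3, "information disclosure via error page"),
    Advisory("EX-2023-0117", "exampledb", "13.0", "13.9", 7.5, "authentication bypass"),
]

# Constructed inventory, as the reconnaissance and enumeration phases would produce it.
INVENTORY = [
    {"host": "10.0.0.5", "port": 443, "product": "examplehttpd", "version": "2.4.49"},
    {"host": "10.0.0.5", "port": 5432, "product": "exampledb", "version": "13.11"},
    {"host": "10.0.0.9", "port": 80, "product": "examplehttpd", "version": "2.4.51"},
]


def is_affected(advisory: Advisory, version: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def scan(inventory: list[dict], advisories: list[Advisory]) -> list[Finding]:
    """Match every service against every advisory; highest severity first."""
    findings = [
        Finding(svc["host"], svc["port"], svc["product"], svc["version"], adv)
        for svc in inventory
        for adv in advisories
        if adv.product == svc["product"] and is_affected(adv, svc["version"])
    ]
    findings.sort(key=lambda f: f.advisory.cvss, reverse=True)
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One line per finding; unverified matches are marked as such so the
    manual exploitation phase knows what still needs confirming."""
    return [
        f"{f.advisory.cvss:>4} {f.advisory.advisory_id} {f.host}:{f.port} "
        f"{f.product} {f.version} {f.advisory.summary}"
        f"{'' if f.verified else ' [unverified]'}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(scan(INVENTORY, ADVISORIES)):
        print(line)
```

Run it and the highest-scoring candidate appears first, each line marked [unverified]. Clearing that mark is the pen tester's job: confirming the service really is the affected build, that the issue is reachable, and what an attacker can do with it. The `parse_version` helper is also where a careless scanner goes wrong: compared as strings, "13.11" sorts below "13.9" and the affected-range check silently inverts.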

Is Pen Testing Required by Law?
Not expressly, but often by implication. Most privacy and data protection laws do not expressly require pen testing. Companies are, however, required to maintain reasonable data security measures under numerous federal, state and foreign laws, and industry groups, standards-setting organizations, and consultants recommend or require pen testing as part of data security compliance assessments.[2] Inevitably, companies are expected, or contractually required, to audit their programs and test their measures.

What Can Go Wrong?
Returning to the hired bank burglar analogy, companies have to prepare themselves for the possibility that the burglar succeeds, takes the money, damages property, injures bank employees, or exposes flaws that other burglars exploit before the bank can address them. When companies hire pen testers, or encourage “white hat” or “grey hat” security researchers to test through bug bounty programs, the testers sometimes succeed in acquiring personal or confidential data, or discover past data security breaches that the company had not been aware of. Either outcome can trigger data security breach notification obligations, because companies must notify individuals, regulators, and possibly investors of data security breaches under various laws.[3]

How to Avoid Pitfalls?
Companies need clear, written contracts with pen testers so that access the testers gain within the agreed scope is authorized rather than “unauthorized,” and so that the testers stop short of acquiring personal or confidential data once they have identified a vulnerability (a row count or a single redacted record demonstrates access just as well as a full extract). Companies should vet pen testers’ identities and reliability and put the contracts in place in advance, either as part of a bug bounty program or as a custom engagement. Attempts to redefine terms after the fact or to cover up unintended data access can expose everyone involved to significant liability.[4]

To avoid a time crunch, companies should review and update their incident response programs to ensure they are ready to meet the increasingly short deadlines for breach notifications in case a pen testing exercise uncovers a prior breach. Companies have only 72 hours under the EU GDPR, 6 hours under Indian cybersecurity laws and 1 hour under draft new cybersecurity regulations in China to report breaches, and may be required to notify individuals and regulators in multiple jurisdictions, in numerous languages, and in various prescribed forms.[5]

If the in-house legal department or outside counsel directs a pen testing exercise for the purpose of providing legal advice, the communications may be protected by attorney-client privilege in the United States and some other jurisdictions, and counsel can react more quickly to mitigate exposure relating to unexpected findings.

Also, before companies engage in pen testing, they should first invest in building, documenting, and auditing a robust data security program that can be expected to withstand attacks. Before hiring external testers, they might instruct their internal information security department to conduct tests, learn from the findings, and upgrade security measures before moving to external validation. Companies that start with gap assessments and pen testing before they are ready are far more likely to expose problems and become overwhelmed, which can ultimately prove counterproductive.

Once organizations are ready for a pen testing exercise, they should plan and prepare to avoid several common pitfalls that can undermine the effectiveness of the initiative. One prevalent issue is an inadequately defined scope. Without a clearly defined scope, pen testers might miss critical systems or focus on less important areas, leading to an incomplete assessment. Clearly outlining which systems, networks, and applications are within scope, and which are excluded, ensures comprehensive coverage; the same scope definition is also the boundary of the tester’s authorization, so it should appear in the contract and be enforced by the testers before they touch a target. Another significant pitfall is the lack of clear objectives. Conducting penetration tests without specific goals can result in unfocused efforts that do not address the organization’s primary security concerns. Establishing clear objectives, such as identifying specific vulnerabilities, testing incident response capabilities, or evaluating overall security posture, ensures that the testing aligns with organizational priorities and yields actionable insights.
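The scope definition above and the contractual limits discussed under “How to Avoid Pitfalls?” (authorized access only, stopping short of acquiring personal data) are things testers can enforce in their tooling rather than leave to memory. The following is an added example for this page, not code from the article or from any pen testing framework: a deny-by-default scope check driven by the signed rules of engagement, and a proof-of-access record that documents what was reached without retaining the data. The engagement identifier, address ranges, hostnames, testing window and sample record are all constructed.

```python
# Added example, not from the article: a deny-by-default rules-of-engagement
# check run before any target is touched, plus a proof-of-access record that
# documents what a tester reached without retaining the personal data itself.
# Every CIDR, hostname, date and sample record here is constructed for illustration.
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RulesOfEngagement:
    """What the signed authorization permits (constructed values)."""
    engagement_id: str
    networks: tuple[str, ...]        # authorized address ranges (CIDR)
    domains: tuple[str, ...]         # authorized hostname suffixes, leading dot included
    excluded_hosts: tuple[str, ...]  # carve-outs inside an authorized range
    window_start: datetime           # authorized testing window, UTC
    window_end: datetime


ROE = RulesOfEngagement(
    engagement_id="ENG-EXAMPLE-01",
    networks=("10.20.0.0/16", "203.0.113.0/24"),  # 203.0.113.0/24 is a documentation range
    domains=(".staging.example.com",),
    excluded_hosts=("10.20.5.10",),              # e.g. a live payment host carved out
    window_start=datetime(2024, 6, 3, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 8, tzinfo=timezone.utc),
)


def in_scope(roe: RulesOfEngagement, target: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly authorized, or outside
    the window, is denied: an out-of-scope hit is unauthorized access, not a finding."""
    if not (roe.window_start <= now < roe.window_end):
        return False, "outside authorized testing window"
    if target in roe.excluded_hosts:
        return False, "host explicitly excluded"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None  # not an IP literal; treat as a hostname
    if addr is not None:
        if any(addr in ipaddress.ip_network(net) for net in roe.networks):
            return True, "address within authorized network"
        return False, "address not in any authorized network"
    if any(target.endswith(suffix) for suffix in roe.domains):
        return True, "hostname within authorized domain"
    return False, "hostname not in any authorized domain"


@dataclass(frozen=True)
class ProofOfAccess:
    """Evidence that a data store was reachable: the row count and a digest of
    the single record the tester viewed. The client can recompute the digest
    against its own data to confirm the finding; the tester keeps no copy."""
    engagement_id: str
    target: str
    table: str
    row_count: int
    sample_digest: str


def record_proof(roe: RulesOfEngagement, target: str, table: str,
                 row_count: int, sample_row: dict) -> ProofOfAccess:
    """Called after one demonstrative row has been read; the row is hashed and
    discarded rather than written to the report or the tester's notes."""
    canonical = "|".join(f"{key}={sample_row[key]}" for key in sorted(sample_row))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return ProofOfAccess(roe.engagement_id, target, table, row_count, digest)


if __name__ == "__main__":
    now = datetime(2024, 6, 4, 12, tzinfo=timezone.utc)
    for target in ("10.20.3.7", "10.20.5.10", "10.99.0.1", "api.staging.example.com"):
        print(target, in_scope(ROE, target, now))
    # Constructed record: what a single demonstrative SELECT might return.
    print(record_proof(ROE, "10.20.3.7", "customers", 12000,
                       {"email": "a@example.com", "name": "A. Person"}))
```

The point of `record_proof` is that the report can show a finding is real (row count plus a digest the client can recompute from its own table) without the tester holding a copy of the personal data, which is what would otherwise turn a finding into a notifiable incident. Whether a single row and a count are sufficient evidence is for the tester and the client to agree in the contract; this example simply makes that limit the default.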

Effective communication between penetration testers and the organization’s stakeholders is crucial before, during, and after the test. Open and continuous dialogue helps align expectations, clarify methodologies, and ensure that findings are understood and acted upon, enhancing the overall effectiveness of the testing process. Additionally, organizations must not overlook legal and compliance issues associated with penetration testing. Ensuring that all testing activities comply with relevant laws and regulations and that necessary permissions are obtained is critical. Neglecting these considerations can lead to legal repercussions and damage the organization’s reputation. Finally, over-reliance on automated tools can significantly diminish the value of penetration testing. While automated tools are useful for identifying common vulnerabilities, they often miss complex issues that require human insight. Combining automated scanning with thorough manual testing conducted by skilled ethical hackers provides a more robust assessment and helps uncover deeper vulnerabilities that automated tools might miss.

On Balance, Given Potential Pitfalls, Should You Forge Ahead with Pen Testing?
Yes. All organizations should consider pen testing as a path to improving their data security stance. By considering the preparation steps suggested in this article, companies can assess whether they are ready for pen testing, and whether they should proceed with internal testing, a specifically engaged external tester, or a bug bounty program encouraging researcher communities to test at their own initiative. Even if a company realizes it is not ready for pen testing, it can improve its security stance via the preparatory assessment and adopt concrete plans to become ready in due time. By avoiding common pitfalls, organizations can conduct more effective penetration tests, thereby strengthening their cybersecurity posture and better protecting their digital assets.

About Authors:
Nicholas Arico and Lothar Determann work together at Baker McKenzie and advise clients on data security and privacy law compliance and incidents. Nick is a Global Cybersecurity Specialist with over 20 years of experience with the Federal Bureau of Investigation (FBI). He has led and managed a variety of complex cyber investigations and intelligence matters, fostering collaboration and communication across diverse teams to address cutting-edge cybersecurity threats, inform executive leadership in the private sector, and support national security objectives. Nick holds numerous industry-recognized cybersecurity certifications, including CISSP, and obtained a Master’s degree in Cybersecurity Management and Policy from the University of Maryland, Global Campus.

Lothar has been practicing international data privacy, technology, commercial and intellectual property law at Baker McKenzie in San Francisco and Palo Alto since 1998. He is admitted to practice in California and Germany and teaches Data Privacy Law, Computer Law and Internet Law at Freie Universität Berlin (since 1994) and University of California, Berkeley School of Law (since 2004). He has authored more than 170 articles and treatise contributions, including Healthy Data Protection (http://ssrn.com/abstract=3357990) and No One Owns Data (https://ssrn.com/abstract=3123957), as well as 6 books, including Determann’s Field Guide to Data Privacy Law (5th Edition, 2022), California Privacy Law – Practical Guide and Commentary on U.S. Federal and California Law (5th Ed. 2023), and Determann’s Field Guide to Artificial Intelligence Law (2024).

[1] www.cloudflare.com/learning/security/glossary/what-is-penetration-testing/

[2] See, for example, PCI Security Standards Council, Penetration Testing Guidance, https://listings.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf; NIST Special Publication 800-115, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf; OWASP Testing Guide, https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf; Penetration Testing Execution Standard (PTES), www.pentest-standard.org/index.php/Main_Page; and SANS, Conducting a Penetration Test on an Organization, https://sansorg.egnyte.com/dl/CqDcmgwKE3.

[3] See, Lothar Determann, California Privacy Law, Chapter 2 D (5th Ed. 2023) and Determann’s Field Guide to Data Privacy Law, Chapter 5 N (5th Ed. 2022).

[4] www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data.

[5] Determann’s Field Guide to Data Privacy Law Chapter 5 N (5th Ed. 2022).
