CompTIA Pentest+ PT0-002 – Section 2: Planning an Engagement Part 5

12. Regulatory Compliance (OBJ 1.1)

When working as a penetration tester, you need to be familiar with a wide range of basic laws and regulations, especially for performing a compliance-based assessment. There are numerous laws and regulations that organizations may be subject to. And it’s our job to help test or prove their compliance with various legal and regulatory requirements based upon their industry. Now in exam objective 1.1, it states that regulatory compliance considerations are important to know. But then it only lists two sub-bullets, GDPR and PCI DSS. That said, I want to take a moment and direct your attention to the bottom of page two of your official CompTIA PenTest+ exam objectives, because this is an area that I usually get a lot of questions from students about when I bring up concepts that aren’t clearly listed as one of the sub-bullets in the exam guide. Now notice, in big red letters, it says, please note, and then it provides us with a paragraph of important, but often overlooked information. It goes on to state this. The list of examples provided in bulleted format are not exhaustive lists.

Other examples of technologies, processes or tasks pertaining to each objective may be included on the exam, although not listed or covered in this objectives document. So what does this mean for us as we’re studying for the exam? Well, it means that even though GDPR and PCI DSS are the only sub-bullets listed, on test day, you could easily get a question about GLBA, SOX, HIPAA, FISMA or other regulatory considerations. When you hear the term regulation or regulatory, this is just a fancy word for a law with some compliance requirements associated with it. So you need to ensure you’re well prepared. And to help you do that, we’re going to do a quick coverage of the main regulatory compliance considerations that you should know as a penetration tester, just in case you get one of them on the exam. And then we’re going to do a bit of a deeper dive into GDPR and PCI DSS, because those two were specifically called out in the sub-bullets. Now you don’t have to memorize everything I’m about to say, but you should be able to do some basic keyword association. For example, if I say HIPAA, you should realize that this affects healthcare data. And so if you’re assessing a doctor’s office, a hospital, a healthcare insurance company, then HIPAA is going to affect you and your engagement. All right, let’s first talk about HIPAA. Now HIPAA is the Health Insurance Portability and Accountability Act, and it’s often commonly just referred to as HIPAA.

Now HIPAA affects healthcare providers, facilities, insurance companies and medical data clearing houses. HIPAA has rigorous requirements for anyone dealing with patient information or computerized electronic patient records or other forms of protected health information, which we call PHI. Now if the organization is processing or storing medical data, they’re going to be affected by HIPAA. Now the Health Care and Education Reconciliation Act of 2010 also affects both healthcare and educational organizations, and it increases some security measures necessary to protect healthcare information, too. SOX or Sarbanes-Oxley was enacted by Congress under the name Public Company Accounting Reform and Investor Protection Act of 2002, but it’s almost always referred to simply Sarbanes-Oxley after the two lead Senators who sponsored this bill and fought for it to become law. If you’re targeting an organization that is a publicly traded U.S. corporation, it is going to be affected by this regulation, and it must follow certain accounting methods and financial reporting.

Failure to follow Sarbanes-Oxley can even result in senior leadership receiving jail time for non-compliance, so it’s a really big deal for public corporations. GLBA or the Gramm-Leach-Bliley Act of 1999 was written to affect banks, mortgage companies, loan offices, insurance companies, investment companies and credit card companies. Basically, it affects financial institutions of all kinds. Now GLBA directly affects the security of personally identifiable information, known as PII. And it prohibits sharing financial information with any third parties as well as providing guidelines for securing that financial information. Next, we have FISMA or the Federal Information Security Management Act of 2002. Now FISMA only affects federal agencies, because it is a federal program. Now each federal agency is going to be required to develop, document and implement an agency-wide information system security program. FISMA’s goal is to create more secure networks across the whole of the U.S. government.

Prior to this act, there was the Computer Security Act of 1987, but FISMA replaced it and added a lot more stringent requirements. Another federally-focused regulation is the Federal Privacy Act of 1974. And this affects any U.S. government computer system that collects, stores, uses or disseminates personally identifiable information, known as PII. Now note, the Federal Privacy Act only places requirements directly upon federal government agencies as they collect information. It does not apply to private corporations. For example, my company, Dion training, does not have to follow the Federal Privacy Act, because we are not considered a U.S. government agency or organization underneath the U.S. government. Next, we have FERPA, which is the Family Educational Rights and Privacy Act. This is a federal law that protects the privacy of student educational records. This regulation applies to all schools that receive funding from the U.S. Department of Education, including colleges and universities within the United States. Next, the Economic Espionage Act of 1996 is going to affect organization with trade secrets and anyone who tries to use encryption for criminal activities. Under this act, even intangible trade secrets, like certain processes or procedures, are considered protected. If anyone tries to steal our trade secrets, they could be prosecuted under this federal law. Next, we have COPPA.

Now COPPA or the Children’s Online Privacy Protection Act is going to impose certain requirements on website owners and online services that are directed to children under the age of 13 as well as other websites or online services that have actual knowledge that they’re collecting personal information online from a child who is under 13 years of age. So if an organization is running a website, like, let’s say, Facebook, and they’re going to be collecting data on their users, they’re going to be subject to COPPA. Now a lot of big tech companies are trying to say they shouldn’t fall under this law, because they’re not targeting people under 13. In fact, when you try to create a regular account on Facebook, for example, it’s going to ask for your birthdate to check your age. And if you’re under 13, it won’t let you create an account without your parents’ consent. But what this really does is just have children lying about their age and selecting a year a little bit older than they are.

That way, they can bypass the age check and create an account anyway. Now with COPPA, the fines are going to come from the Federal Trade Commission or FTC anytime there’s a violation, and they charge about $40,000 per violation. Now this amount of money could bankrupt smaller operators and small businesses, but for a company like Facebook or Google or TikTok, this isn’t even a blip on their radar. COPPA tends to be a pretty controversial regulation, actually, because it puts a ton of extra requirements on companies that are trying to serve younger markets with educational content, too. So keep this in mind, if you’re dealing with an organization that its products that are going to be used by younger users, like a toy company, for example, COPPA is going to apply to them. All right. Now it’s time for us to dive into GDPR and PCI DSS. First, we’re going to take a look at GDPR. Now GDPR or the General Data Protection Regulation is one of the biggest requirements and one of the best requirements in terms of consumer privacy protections. GDPR is a law that was created by the European Union, and it places specific requirements on how consumer data must be protected.

This regulation applies to any organization or company that does business with residents of the European Union and Britain. GDPR states that personal data cannot be collected, processed or retained without the individual’s informed consent. Now when I talk about informed consent, this means that the data must be collected and processed only for the stated purpose, and that purpose has to be clearly described to the user in plain language and not in some kind of legal jargon. So if you go to a website, and they say, please enter your name, your email and your home address so that we can sell you this product and then deliver it to your house, well, guess what? That is the stated purpose. That doesn’t mean they can now send you junk mail every single week to your home address. That doesn’t mean they can now send you junk mail every single week to your home address or to your email. They can’t try and just use this to get you to buy more stuff. That wasn’t part of their privacy policy that you accepted. Now additionally, the company must get your permission for each separate piece of data that they want to collect on you.

For example, you could provide permission to collect your IP address for analytics, but not give them permission to collect your email address for marketing. Basically, GDPR says, you have to be upfront with this and also provides a provision in the law to ensure a user has the right to withdraw their consent at any time. It also gives them the ability to inspect, amend or erase any data that’s held about them in that organization’s database. This is referred to as the right to be forgotten. If you’re a resident and citizen of the European Union, you can call the company or fill out their form online and say, I want you to forget everything you’ve ever known about me. And they have to go into their database and scrub you out of it. That is part of this law. So if you’re a European Union citizen, GDPR gives you a lot of protections. But if you’re an American citizen, we don’t have those same rights. So if I’m sitting in Florida, and I want to be forgotten, I can’t do it. That’s not just something that the companies have to do for me.

Now I can request it, but by law, they are not required to do it, because I’m an American citizen sitting in Florida. Now one of the most unique things about GDPR is that it actually applies globally to all companies and organizations that are performing business with European Union citizens. So even if the company doesn’t have a physical boundary inside the European Union, if you’re going to be doing business with citizen there, then you have to meet the compliance requirements of GDPR. These rules are something that a penetration tester might be asked to validate to make sure the organization is in compliance with it during an engagement. Additionally, GDPR states that businesses must only collect the minimal amount of data that’s needed to interact with that website. So there’s a lot less data there that could be exposed in the event of a data breach if you’re following GDPR. Now if a data breach does occur, the company must notify all of its customers within 72 hours.

GDPR also states that if your company has over 250 employees, it’s going to be required to audit their systems and take rigorous steps to protect any data stored within their system or in the cloud. Failure to comply with GDPR’s requirements can lead to fines or fees that are levied upon your organization. If you’re going to perform an engagement, and you want to include a GDPR check, there’s a great checklist over at https://gdpr.eu. And you can go there and download it and then use that to test the strength of the organization’s infrastructure against vulnerabilities known to cause data breaches. Now the last thing we’re going to cover is PCI DSS. Now PCI DSS is technically not a regulation, it’s a standard. Standards don’t have the enforcement that laws and regulations do. But instead, they’re created by specific industries, and they’re followed as a form of best practice. Now some standards, though, do have penalties associated with them for non-compliance, and PCI DSS is one of them. Because of this, a lot of penetration testers do a lot of work with PCI DSS to ensure that companies and organizations are in compliance with its requirements.

PCI DSS or the Payment Card Industry Data Security Standard is an agreement that any organization that collects, stores or processes credit card customer information has to abide by. This is not actually a law or regulation, but instead, it’s a contractual agreement and a standard that must be followed if the organization wants to handle credit card transactions. The PCI DSS standard specifies the controls that must be in place by the organization to minimize vulnerabilities, employ strong access control and consistently conduct testing and monitoring of their infrastructure. PCI DSS is going to apply equally to both e-commerce stores and traditional brick and mortar stores. To protect cardholder data, the organization must create and maintain a secure infrastructure, using dedicated appliances and software to monitor and prevent attacks. They also must employ best practices, such as changing default passwords and training users not to fall victim of phishing campaigns.

They also need to continuously monitor for vulnerabilities and use updated anti-malware protections. And finally, they must provide strong access control mechanisms and utilize the concept of least privilege. Now if an organization fails to comply with these standards, they can actually face substantial fines or even lose their ability to take credit cards. And for an e-commerce company, that would completely demolish their ability to do business. So while PCI DSS isn’t a law or regulation, it is followed extremely closely by most organizations to ensure they remain compliant. Now PCI DSS requires a consistent process of assessment, remediation and reporting when using their prescribed controls to secure an organization and maintain the highest levels of security. All organizations that process credit cards are going to be categorized under four security levels based upon the volume of transactions that they perform in a given year. Level 1 is for large merchants, and these are merchants who process over six million transactions per year.

These level 1 merchants must have an extra auditor perform their PCI DSS assessment. And the auditor must be an approved Qualified Security Assessor, known as a QSA. Now a QSA is actually a designation for authorization of independent security organizations that are certified to the PCI DSS standard. Now this is not a certification that you or I as individuals can obtain. It’s only assigned to the organization. Now a level 1 merchant must also complete a report on compliance, known as an ROC. This is going to detail an organization’s security posture, environment, systems and protection of cardholder data. Level 2 is going to be for merchants who process between one and six million transactions per year. A level 2 merchant must also submit a report on compliance, just like a level 1 merchant does. But a level 2 merchant does have the ability to not have to use an external auditor to perform that assessment. Level 2, level 3 and level 4 merchants can instead conduct a self-test that proves they’re taking the active steps to secure their infrastructure. Level 3 is for merchants who process between 20,000 and one million transactions per year. And level 4 is for merchants who process less than 20,000 transactions per year. Now PCI DSS also requires vulnerability scans that have to be conducted routinely. These should be conducted every 90 days, and after any major change inside of your infrastructure.

13. Professionalism (OBJ 1.3)

Most people know that hacking is a federal crime; therefore, it’s important for a penetration tester to be aware of the laws that deal with hacking because penetration testing is effectively hacking. There are local, state, and federal laws that you have to understand before starting your career as a penetration tester. Laws also vary from country to country, so if you’re working on a penetration test for an international organization, you also have to check the local laws where you’re conducting the attack from as well as those of the country that the target organization is located within. Remember, always consult your attorney before you accept and attempt a penetration testing assignment because if you do this wrong and you don’t have the right legal for framework in place, you could be arrested under local, state, federal, or even another country’s laws. Plain and simple, talk to a lawyer and do everything legally within the bounds of the law. While penetration testing is hacking, it is more importantly hacking with permission.

This is actually authorized under the law in most jurisdictions. Now there are two main laws that affect penetration testers under the law inside the United States. Under United States Code Title 18, Chapter 47, Section 1029 and 1030, you’re going to find these two laws. Now for the PenTest+ exam, you don’t have to memorize these laws, but as a penetration tester, it is incredibly important to understand what these two laws are. Now the first law, known as Section 1029, is going to be focused on fraud and relevant activity with access devices. It covers any technical or non-technical means of trying to bypass an authorization system. So as a penetration tester, you might be using a password cracking tool in order to test password strength of a company’s password security policy. Technically, under Section 1029, you are breaking the law because you’re attempting to bypass an authentication system. Now, if you don’t have permission to test these passwords, you could be charged and sent to jail as a computer hacker.

Again, this is why it is vitally important to have permission from the organization in writing as part of your contract, rules of engagement, and other planning and scoping documents. Once the company invites you in and gives you permission, then it’s no longer considered breaking the law; it now becomes penetration testing, not illegal hacking. The second law is known as Section 1030, which is focused on fraud and related activity with computers. This is loosely defined to include any device connected to a network. So if you own a smart television and it has a network connection to access Netflix, it is considered a computer for the purposes of this law. The same holds true for wearable devices like fitness trackers, smart watches, and even health information devices. Again, if we have permission in writing, then we can attempt to penetrate these devices; otherwise, it’s considered an illegal action.

Now, there is one really interesting part of Section 1030 that I think you need to be aware of. This component has the language of the law that speaks to the act of exceeding one’s access rights. Now, for example, let’s say an employee uses their authorized username and password to do things that go beyond the scope of their job. This is technically considered computer hacking under this section of the law and would be considered a criminal act. So if a system administrator uses their authorized username and password to read other people’s email, this is actually a violation of that law, and that person could go to jail. Employees, even those with a valid username and password issued to them from their company, are not authorized to use it in whatever way they want to. If they do, they could be considered an insider threat and technically they are breaking the law and are conducting computer hacking. Now, with that behind us, let’s resume our coverage of the PenTest+ exam and talk about some legal concepts that you need to be aware of.

Now, before you conduct a penetration test, as I said, it is imperative that you receive written permission from the target organization. This is what prevents a penetration tester, also known as an ethical hacker or authorized hacker, from going to prison. Ethical hackers and penetration testers are separated from criminal unauthorized hackers by one simple thing, and that is permission. When we get this written permission in our contract or our scope of work, we call this our get-out-of-jail-free card because effectively that’s really what it is. Let’s pretend that you are contracted to conduct a penetration test of Sony Pictures, but shortly after the FBI shows up at your front door, claiming that you hacked Sony Pictures. That would be a pretty bad day, right? Well, if you can provide them a copy of your signed written permission, usually found in your contract, your scope of work, or rules of engagement, you’re not going to be held liable for those actions.

However, if you hacked Sony Pictures without their permission, this is considered a computer crime under Section 1029 and 1030 under the US Code and you could be heading off to prison. Now, as many organizations have migrated to the cloud, the need for gaining third-party authorization has also increased dramatically. For example, let’s pretend that I’m going to hire you to assess my company’s file storage solutions. During our planning and scoping discussions, you learn that I have an internal network attack storage server in addition to a cloud-based solution. Now, in our discussions, we have scoped the assessment to include both the onsite file server solution and our cloud-based one. So we sign a contract, you head back to your office. Now, can you legally begin your assessment of our file storage solutions? Well, no, you can’t because I don’t have the ability to give you authorization to conduct a penetration test on my cloud-based one because I don’t own those servers. If you began your assessment right now, you would actually be hacking my cloud service provider. And if you don’t get permission from them before you begin your penetration test, well, guess what?

You could be found guilty of criminal hacking and you could go to jail. Now, it’s not just my permission that you need, but you also need to obtain the permission of my cloud service provider as well. But don’t worry because cloud providers all know that penetration tests have to happen for compliance and regulatory reasons. To obtain their permission, simply do an online search for the cloud provider’s name and the phrase penetration testing permission. You’re going to find quickly that they have the proper online form for you to fill out to let them know your scope, your timeline, and the duration of the assessment. This allows the cloud provider to capture some of your details and notate that there will be an ongoing penetration test so that their own security teams are aware of that. Remember, you must get permission from the owners of the servers. So if the target organization is using cloud-based resources, then you have to obtain permission from both the target organization and the cloud service provider.

During your penetration test, you may also find a lot of confidential information about your target organization. It’s going to be your responsibility to safeguard that information. And if you’re able to access an area of their network that you think you shouldn’t be in, it’s also important that you notify the trusted agent inside that organization immediately. You also want to be careful not to have confidential information leak out onto the internet because that would be considered an unauthorized disclosure by accident and then your company may be held liable. Again, make sure your lawyer has properly drawn up your contracts to ensure that your liability is limited in case of accidental disclosures to minimize your exposure to fees and fines in this area. Additionally, it’s important for you to protect the information you gather about the vulnerabilities in that organization’s network.

For example, you’re going to find major vulnerability sometimes. And if you find a major vulnerability in a public-facing server, you want to inform the trusted agent in that organization immediately. You should also keep that information close hold within your team and the trusted agent within that organization to ensure that only privileged personnel, such as the IT director and their staff, are informed of this major vulnerability so it’s less likely to be exploited before it can be remediated. To ensure confidentiality and professionalism in your penetration testing team, each of your members should have a background check conducted on them. Now being a penetration tester is going to put you into a trusted position, so there’s going to be organizations that hire you, and they need to know that you are trustworthy. They might ask for copies of credentials, your certifications, and your educational transcripts to ensure you have the knowledge required to perform the work of a penetration tester.
But they’re also going to conduct a background check on you that includes criminal history, driving history, and a credit check. If you have a criminal record or felony conviction, this is going to be a disqualifier for a lot of positions with penetration testing organizations but not necessarily all of them. Now as your team conducts its penetration tests, sometimes you’re going to discover that the target organization may have already been breached by a real world threat actor. If you find evidence of a real attack, you should immediately stop what you’re doing and report it to a trusted agent within the target organization.

Alternatively, if you make a mistake and you scan the wrong IP range or network, you also need to stop and immediately notify your team leader because scanning the wrong target could lead to legal issues for your team. Finally, let’s talk about fees, fines, and criminal charges. As a penetration tester, you are in a risky business if you don’t have all your paperwork and processes in the proper order. Remember, you always want to get your get-out-of-jail-free card up front and discuss your engagements thoroughly with your clients before beginning. During your planning, you need to think through different scenarios as well, especially if you’re going to be doing physical penetration testing. For example, if I hired you to conduct a physical penetration test in my office and the security guard catches you in the act, what is going to happen? Are they going to call the police? Are they going to try to tackle you to the ground?

If you’re going to be doing physical penetration testing, I recommend you always have your way out planned in advance. For example, if you get caught, do you have the head of security on speed dial? Do you have a letter signed by the CEO stating that this was an authorized test or something else entirely? Whatever it is, you need to plan for it. And as you plan and then scope the assessment, you need to make sure the process is clearly understood by all of those who need to be involved. For example, if the statement of work states “To conduct physical penetration testing of our exterior defense says using various means,” that is probably a bit too generic. Instead, you might state something like, “Conduct lock picking,” or, “Fence jumping,” or whatever it’s going to be.

This makes it much clearer, and if you get caught, when you pull out that get-out-of-jail-free card, that permission letter, people are going to understand why you’re there. Now, remember, the thing that separates us from malicious actors is permission. Get permission throughout the entire process and especially before any major events, such as a DDoS attack, or a stress testing, or physical penetration test. If you don’t, you could face fines, fees, or even criminal charges.

• Category: Uncategorized