Pen testing is the legal form of hacking. In the United States pen testing is a form of ethical hacking with a contract between the ethical hacker and the customer.
This defines the scope, procedures, and any other details that the customer wants to include when conducting penetration testing services on their infrastructure.
This allows for what is normally illegal activity to take place as it is a private, agreed-upon arrangement to test the company before a malicious attacker strikes.
What is the federal law for penetration testing? And is it illegal to do penetration testing in California?
Pen testing is legal in all fifty US states, including California.
Federal law covers the illegal aspect of hacking in the 1986 Computer Fraud and Abuse Act (CFAA). The significant points are:
- (a) Whoever – (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
- (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains – (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) information from any department or agency of the United States; or information from any protected computer if the conduct involved an interstate or foreign communication;
- (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
- (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
- (5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and (B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused) – (i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (iii) physical injury to any person; (iv) a threat to public health or safety; or (v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
- (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if – (A) such trafficking affects interstate or foreign commerce; or (B) such computer is used by or for the Government of the United States; [1] “r”.
- (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection of this section. (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection of this section.
How to do penetration testing legally
Based on the CFAA, the legal way to do pen testing is with authorization from the party being tested and with the intent to maintain whitehat or ethical practices.
It is important to note that just because a pen tester is authorized to test something, they still must act in the best interests of the client.
No testing should be done on any system that the client has not included in the scope, no matter the reason.
No sensitive data should be leaked or improperly stored by the tester.
What is illegal and what is legal in regards to hacking and/or penetration testing
The illegal aspects of pen testing focus mainly around data leakage, backdoors, and damage.
A malicious tester might use sensitive data for their own personal gain or leak it on the dark web.
They might leave a backdoor in the systems as a way to get back in later. Or they could simply damage the company in an attempt to do harm.
Any legal activity would do no such things.
Which penetration testing tools are legal
Most pen testing tools are legal to use, as long as the tester is authorized to use them in that way.
This means a tester should know what the tool does before using it and test it to avoid unintended consequences.
Kali Linux has a great list of tools, all of which are legal and generally safe to use in a pen test.
