What’s the big deal with consent forms?

While consent can be a tedious process, it is one of the most important parts of a test and is an essential protection that allows the penetration test to take place. Without consent, the penetration tester is breaking the Computer Misuse Act and could also be liable under various other Acts, depending on data which is discovered during the test. The best way of managing consent is to begin the process early and communicate with the testing provider. Make sure you have an accurate inventory of targets as well as an understanding of how your applications function. Knowledge of any hosting provider requirements will also ensure you are able to speak to your testing provider and receive the correct information in a timely manner.

What are my hosting provider requirements?

It is common nowadays to see businesses moving their infrastructure into the cloud, most prominently with web and mail servers. Hosting such servers with third parties, while convenient and potentially cheaper, means you’re subject to their terms and conditions when it comes to usage. Some companies, such as Amazon Web Services (AWS) or Rackspace, require their own consent forms to be completed prior to any testing taking place. This is because the environment is shared amongst several companies, and exploitation of a server could affect entities that are independent of the organisation being tested.

Problems arise when companies are not aware of the third-party hosting requirements. The hosting companies require a lead time to process and approve their own consent forms, as they provide a human response rather than an automated ticket service. If you have scheduled a penetration test at short notice and failed to notify the relevant parties beforehand, you may miss your testing window.

What information do I need to provide?

The information you’ll typically need to complete a hosting provider consent form is as follows:

- Start and end date of testing
- Target IP addresses (and potentially hostnames)
- Source IP addresses
- The contact information of the penetration tester and company
- Description of the penetration test
- List of tools to be used

What else can I do to prepare?

As penetration test companies will have different timelines when it comes to checking ownership of servers and notifying you about third parties, the best thing to do is keep an asset inventory and make yourself aware of each hosting provider’s requirements. This way, you can inform the testing company at the beginning of the engagement and avoid any delays further down the line.

Understanding how your infrastructure and applications function will also help to prevent potential consent issues. A simple example is where a website redirects to a different site for authenticating users. If this additional site has not been included on the consent form, it will not be tested, and you will either have delays while processing a new form or have an incomplete test. A similar problem also occurs during infrastructure tests where some targets are omitted from the original scope because the client did not have a complete list to hand.