Chapter 4 Exercises: Legal and Regulatory Framework
Exercise 1: CFAA Provision Matching (Beginner)
For each of the following scenarios, identify which section of the CFAA (if any) would apply. Explain your reasoning.
a) A disgruntled employee uses their legitimate database access to download the entire customer list before quitting.
b) A security researcher scans a company's public-facing website for SQL injection vulnerabilities without permission.
c) An attacker sends a phishing email to trick an employee into revealing their VPN credentials.
d) A penetration tester accidentally crashes a production server during an authorized test.
e) A researcher emails a company saying "Fix this vulnerability in 30 days or I will publish the details."
Exercise 2: International Jurisdiction Analysis (Beginner)
You are a penetration tester based in the United States. Your client is a UK-based company with servers hosted in Germany and customers primarily in Japan. Identify at least four different legal jurisdictions and specific laws that could apply to your engagement. For each, explain what type of activity might trigger that jurisdiction's laws.
Exercise 3: Authorization Letter Drafting (Beginner)
Draft a "get out of jail free" letter for a physical penetration test of ShopStack's office building. The letter should be no more than one page and should include all essential elements discussed in Section 4.3.2. Have a classmate review your letter and identify any gaps or weaknesses.
Exercise 4: Scope Document Analysis (Intermediate)
The following scope definition was provided for a penetration test: "The tester is authorized to test ShopStack's web application and supporting infrastructure." Identify at least five problems or ambiguities with this scope definition, and rewrite it with sufficient specificity.
Exercise 5: Cloud Authorization Puzzle (Intermediate)
ShopStack's infrastructure includes the following components:
- Web application hosted on AWS EC2 instances
- Database on AWS RDS
- CDN provided by Cloudflare
- Payment processing through Stripe
- User authentication through Auth0
- Email notifications through SendGrid
- Monitoring via Datadog
For each component, determine: (a) whether you need separate authorization to test it, (b) what restrictions apply, and (c) what should be explicitly excluded from scope. Document your answers in a table format.
Exercise 6: Rules of Engagement Development (Intermediate)
Write a complete Rules of Engagement document for a red team assessment of MedSecure Health Systems. Your ROE should address:
- Authorized and prohibited actions
- Testing windows and blackout periods
- Social engineering limitations (considering HIPAA implications)
- Physical testing boundaries
- Emergency procedures
- Data handling (especially PHI)
- Escalation procedures
Your document should be 2-3 pages long.
Exercise 7: Bug Bounty Policy Analysis (Intermediate)
Find three real bug bounty programs on HackerOne or Bugcrowd (you may choose any three programs). For each program, analyze:
a) The scope definition: Is it clear and specific?
b) The safe harbor provision: How strong is the legal protection?
c) The rules: Are there any rules that you find overly restrictive or ambiguous?
d) The rewards: How do the rewards compare to Zerodium's published prices for similar vulnerability categories?
Write a 500-word comparative analysis of the three programs.
Exercise 8: Van Buren Analysis (Intermediate)
Read the Supreme Court's opinion in Van Buren v. United States (593 U.S. 374, 2021). In 500-750 words:
a) Summarize the facts of the case
b) Explain the Court's interpretation of "exceeds authorized access"
c) Analyze how this interpretation affects penetration testers and security researchers
d) Identify at least one scenario where the Van Buren ruling leaves the law ambiguous
Exercise 9: GDPR Data Handling Scenario (Intermediate)
During a penetration test of a European e-commerce company, you discover a SQL injection vulnerability that gives you access to a database containing customer names, addresses, email addresses, and payment card information. Describe the exact steps you should take, considering GDPR requirements, to:
a) Document the finding
b) Handle the data you have accessed
c) Report the finding to the client
d) Ensure compliance with data protection requirements
Exercise 10: State Law Comparison (Intermediate)
Research the computer crime statutes of three U.S. states (choose states from different regions). For each state:
a) Identify the relevant statute(s)
b) Describe how the state defines "unauthorized access"
c) List the penalties for unauthorized computer access
d) Note any provisions that specifically address or exempt security research
Create a comparison table and write a 300-word analysis of how these differences could affect a penetration tester operating across state lines.
Exercise 11: Insurance Coverage Scenario (Intermediate)
You are starting a solo penetration testing consultancy. Research and compare at least two professional liability insurance providers that cover cybersecurity testing activities. For each:
a) What types of activities are covered?
b) What is excluded?
c) What are the coverage limits?
d) What are the approximate premiums?
Write a recommendation for which policy you would choose and why.
Exercise 12: Contract Negotiation Role Play (Advanced)
Work with a partner. One person plays the penetration testing firm, the other plays the client (MedSecure Health Systems). Negotiate the following contract terms:
- Indemnification clause
- Limitation of liability
- Data handling provisions (considering HIPAA)
- Scope amendments process
- Incident response procedures
Document the agreed-upon terms and identify any points of contention that required compromise.
Exercise 13: Cross-Border Testing Legal Analysis (Advanced)
A multinational corporation hires your U.S.-based penetration testing firm to test its global infrastructure. The company has offices and servers in the following countries: United States, United Kingdom, Germany, China, and Australia. For each country:
a) Identify the primary computer crime statute
b) Determine whether your client's authorization is sufficient under that country's law
c) Identify any restrictions on testing techniques (e.g., Germany's strict tool provisions)
d) Assess the risk of criminal prosecution if something goes wrong
Write a 1,000-word legal risk assessment with recommendations.
Exercise 14: Incident Response During Testing (Advanced)
During a penetration test of ShopStack's network, you discover evidence that the network has already been compromised by a real attacker. Specifically, you find:
- A web shell on the web server
- Database exfiltration logs showing customer data being sent to an external IP
- A persistence mechanism in the Windows registry
Outline your complete response plan, including:
a) Immediate actions
b) Communication with the client
c) Evidence preservation
d) Legal obligations (consider breach notification laws)
e) Impact on the ongoing penetration test
f) Documentation requirements
Exercise 15: Ethical Dilemma Resolution (Advanced)
For each of the following ethical dilemmas, identify the legal issues, describe the potential consequences of different courses of action, and recommend a course of action with justification:
a) You are conducting an authorized web application test when you discover that the application stores passwords in plaintext. The client's competitor uses the same open-source application. Should you notify the competitor?
b) During a physical penetration test, you successfully access a server room and discover that the door was unlocked due to a broken lock that the building maintenance team knows about but has not fixed. The building security guard stops you, and despite your authorization letter, insists on calling the police. What do you do?
c) A client asks you to conduct a "penetration test" of a competitor's website to "assess the competitive threat." They offer triple your normal rate. How do you respond?
d) You discover a critical zero-day vulnerability in a widely used firewall product during a client engagement. Your client asks you not to report it to the firewall vendor because it would reveal that the client's network uses that firewall. What do you do?
Exercise 16: Mock Engagement Legal Package (Advanced)
Create a complete legal package for a penetration testing engagement of a fictional healthcare company. Your package should include:
a) Non-Disclosure Agreement (mutual NDA)
b) Master Service Agreement with terms and conditions
c) Statement of Work
d) Rules of Engagement
e) Authorization Letter
f) Data Handling Addendum (HIPAA considerations)
Each document should be realistic and comprehensive. This exercise is designed to be completed over several sessions and may be used as a portfolio piece.
Exercise 17: Legislative Comparison Essay (Advanced)
Write a 1,500-word essay comparing the CFAA and the UK Computer Misuse Act. Your essay should address:
a) Historical context and legislative intent
b) Key definitions (particularly "authorization" and "computer")
c) Criminal provisions and penalties
d) Civil liability provisions
e) Effectiveness in addressing modern cybersecurity threats
f) Proposed reforms and their merits
Include at least five academic or primary legal sources.
Exercise 18: Wassenaar Impact Assessment (Advanced)
Research the Wassenaar Arrangement's provisions on intrusion software and export controls. Write a 1,000-word analysis addressing:
a) How the original 2013 provisions would have affected the following activities: developing Metasploit modules, sharing Nmap scripts on GitHub, presenting vulnerability research at an international conference, selling penetration testing services to foreign clients
b) How subsequent revisions have addressed the security community's concerns
c) Whether current export controls adequately balance national security interests with the need for open security research
Exercise 19: Legal Precedent Research (Advanced)
Research one of the following legal cases and prepare a 750-word case brief:
- United States v. Aaron Swartz (2011)
- United States v. Andrew Auernheimer (2013)
- Sandvig v. Barr (D.D.C. 2020)
- hiQ Labs v. LinkedIn (2022)
Your brief should include: facts, legal issues, court's reasoning, holding, and implications for security researchers.
Exercise 20: Future of Cybersecurity Law (Advanced)
Propose a model statute for regulating penetration testing that addresses the shortcomings of existing laws. Your statute should:
a) Define key terms (authorization, penetration testing, security research, protected computer)
b) Establish clear safe harbor provisions for authorized testing
c) Address bug bounty and vulnerability disclosure
d) Balance national security interests with research freedom
e) Include international considerations
Write the statute in legislative style (you may reference existing laws as models) and include a 500-word explanatory note justifying your choices.