Chapter 4 Quiz: Legal and Regulatory Framework

Multiple Choice Questions

1. Which U.S. federal statute is the primary law governing computer crime?
   a) The Electronic Communications Privacy Act (ECPA)
   b) The Computer Fraud and Abuse Act (CFAA)
   c) The Digital Millennium Copyright Act (DMCA)
   d) The Sarbanes-Oxley Act (SOX)

2. The Supreme Court's Van Buren v. United States (2021) decision clarified the CFAA by holding that:
   a) All unauthorized access to computers is a felony
   b) "Exceeds authorized access" applies only to areas of a computer a person is not entitled to access, not to using authorized access for unauthorized purposes
   c) Security researchers are exempt from the CFAA
   d) Bug bounty participation constitutes authorization under the CFAA

3. Under the UK Computer Misuse Act 1990, Section 3ZA (added by the Serious Crime Act 2015) carries a maximum penalty of:
   a) 2 years imprisonment
   b) 5 years imprisonment
   c) 10 years imprisonment
   d) Life imprisonment (for acts creating risk of loss of life or national security damage)

4. Which of the following is NOT a required element of a penetration testing authorization letter?
   a) The name(s) of authorized testers
   b) A 24/7 emergency contact number
   c) The tester's professional certifications
   d) The dates and times during which testing is authorized

5. When conducting a penetration test of systems hosted on AWS, a penetration tester must:
   a) Obtain pre-approval from AWS for all testing
   b) Comply with AWS's penetration testing policy, which prohibits certain activities like DNS zone walking and denial-of-service attacks
   c) Only use AWS-approved testing tools
   d) Test only during AWS-designated maintenance windows

6. The Budapest Convention on Cybercrime is significant because it:
   a) Created a global court for cybercrime prosecution
   b) Is the first international treaty on crimes committed via the internet
   c) Prohibits all penetration testing across international borders
   d) Established the CVE numbering system

7. A penetration tester discovers that their client's authorization letter was signed by a department manager who does not have the legal authority to authorize testing of the company's network. What is the most appropriate course of action?
   a) Proceed with testing, since the letter appears legitimate
   b) Stop testing immediately and work with the client to obtain authorization from someone with proper authority
   c) Continue testing but limit scope to low-risk activities
   d) Contact law enforcement to report the unauthorized authorization

8. Under GDPR, if a penetration tester inadvertently accesses personal data of EU residents during an authorized test, they should:
   a) Include the data in their report as evidence
   b) Minimize data access, securely delete the data as soon as possible, and comply with data handling provisions
   c) Immediately notify the EU Data Protection Authority
   d) Ignore the data since the testing was authorized

9. The DOJ's 2022 CFAA policy regarding security research:
   a) Changed the CFAA statute to exempt security researchers
   b) Is a prosecutorial policy that guides federal charging decisions but does not change the law
   c) Makes all bug bounty research legally protected
   d) Only applies to researchers with professional certifications

10. Which type of insurance is most important for a penetration testing firm?
   a) General liability insurance
   b) Workers' compensation insurance
   c) Professional liability / Errors and omissions (E&O) insurance
   d) Property insurance

Short Answer Questions

11. Explain the difference between a Statement of Work (SOW) and Rules of Engagement (ROE) in the context of a penetration testing engagement. Why are both documents necessary?

12. A penetration tester conducting an authorized test of ShopStack's web application discovers a critical SQL injection vulnerability. While testing the vulnerability, the tester accidentally accesses a database containing customer credit card numbers. Describe the legal and procedural steps the tester should take, considering both CFAA implications and PCI DSS requirements.

13. Describe three specific challenges that arise when conducting penetration tests across international borders. For each challenge, propose a practical solution.

14. The Coalfire Iowa courthouse incident demonstrates the importance of understanding who has the authority to authorize testing. Identify three factors that penetration testers should verify when assessing whether an authorizing party has proper authority, and explain why each factor matters.

15. Explain the concept of "scope creep" in penetration testing and describe three specific measures that a testing team can implement to prevent it. Include an example scenario where scope creep could lead to legal consequences.

16. Compare and contrast a Vulnerability Disclosure Policy (VDP) with a Bug Bounty Program. Under what circumstances might an organization choose to implement a VDP without a bug bounty component?

17. A client approaches your penetration testing firm and asks you to begin testing immediately, promising to "get the paperwork done later." Explain why this is unacceptable and describe the minimum documentation you would require before beginning any testing activities.

18. Describe the Wassenaar Arrangement's impact on security research tools. How have U.S. implementation efforts evolved since 2013, and what is the current status of export controls on "intrusion software"?


Answer Key

1. b) The Computer Fraud and Abuse Act (CFAA)

2. b) "Exceeds authorized access" applies only to areas of a computer a person is not entitled to access, not to using authorized access for unauthorized purposes

3. d) Life imprisonment (for acts creating risk of loss of life or national security damage)

4. c) The tester's professional certifications — While certifications may be relevant to the engagement, they are not a required element of the authorization letter itself.

5. b) Comply with AWS's penetration testing policy, which prohibits certain activities like DNS zone walking and denial-of-service attacks — AWS eliminated the requirement for pre-approval in 2019 but still maintains policy restrictions.

6. b) Is the first international treaty on crimes committed via the internet

7. b) Stop testing immediately and work with the client to obtain authorization from someone with proper authority — Testing under improperly authorized conditions creates legal risk for the tester.

8. b) Minimize data access, securely delete the data as soon as possible, and comply with data handling provisions

9. b) Is a prosecutorial policy that guides federal charging decisions but does not change the law

10. c) Professional liability / Errors and omissions (E&O) insurance

11. The SOW is a business and legal contract that defines the overall engagement scope, deliverables, timeline, pricing, and contractual terms. The ROE is an operational/technical document that provides detailed guidance for the testing team's day-to-day activities, including specific authorized and prohibited actions, escalation procedures, and communication protocols. Both are necessary because the SOW provides the legal framework and business agreement, while the ROE provides the practical guidance that testers need to execute the engagement safely within legal boundaries.

12. The tester should: (1) Immediately stop accessing the credit card data and document what was accessed, when, and how. (2) Notify the client's designated contact per the emergency escalation procedures in the ROE. (3) Handle the data in accordance with the contract's data handling provisions—do not copy, store, or transmit the card data. (4) Document the finding in the report with sufficient detail to demonstrate the vulnerability without including actual card numbers. (5) Advise the client of potential PCI DSS breach notification obligations. (6) Securely delete any captured data.

13. Three challenges include: (1) Multiple jurisdictions' laws apply simultaneously—mitigate by obtaining legal advice in each jurisdiction and ensuring the SOW addresses applicable laws. (2) Data protection laws (GDPR, etc.) apply to personal data regardless of tester location—mitigate by including data processing agreements and minimizing personal data access. (3) Export control restrictions may apply to testing tools—mitigate by verifying Wassenaar compliance and using locally available tools where possible.

14. Three factors: (1) Organizational authority: Verify the person's role and whether it includes authority over IT security decisions for the systems in scope. (2) Property ownership/control: Verify that the authorizing party controls the physical and logical assets being tested (as the Coalfire case showed, the court administrator did not control county-owned buildings). (3) Regulatory authority: In regulated industries, verify that authorization complies with relevant regulations (e.g., HIPAA for healthcare, PCI DSS for payment systems).

15. Scope creep is the gradual expansion of testing beyond the originally authorized scope. Three prevention measures: (1) Maintain a written scope reference accessible to all testers during the engagement. (2) Require formal written approval (email minimum, scope amendment preferred) before expanding scope. (3) Log all testing activities with timestamps and IP addresses to demonstrate compliance. Example: A tester discovers a vulnerable system at an IP address adjacent to the authorized range and tests it without authorization, leading to a CFAA complaint from the system's actual owner.
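As an added illustration of prevention measures (1) and (3) above (not part of the quiz or its answer key), a small Python scope guard that checks every target address and timestamp against a transcribed authorization and records each decision; the authorized range and window are constructed, hypothetical values, and the check refuses the adjacent-address scenario the answer describes.

```python
from ipaddress import ip_address, ip_network
from datetime import datetime

# Constructed sample scope, as it would be transcribed from the authorization
# letter and ROE. Hypothetical values kept inside documentation address space.
AUTHORIZED_RANGES = [ip_network("203.0.113.0/25")]   # 203.0.113.0 - 203.0.113.127
AUTHORIZED_WINDOW = (
    datetime.fromisoformat("2024-03-04T00:00:00+00:00"),
    datetime.fromisoformat("2024-03-08T23:59:59+00:00"),
)
AUDIT_LOG = []   # one line per check: timestamp, target, decision, reason


def in_scope(target: str, when_iso: str) -> tuple:
    """Return (allowed, reason). Anything not explicitly authorized is refused."""
    try:
        addr = ip_address(target)
    except ValueError:
        # Hostnames are never tested by name: resolve first, then re-check the address.
        return False, f"{target!r} is not an IP address; resolve it and re-check"
    if not any(addr in net for net in AUTHORIZED_RANGES):
        return False, f"{addr} is outside the authorized ranges"
    try:
        when = datetime.fromisoformat(when_iso)
    except ValueError:
        return False, f"{when_iso!r} is not a valid timestamp"
    start, end = AUTHORIZED_WINDOW
    if not start <= when <= end:
        return False, f"{when_iso} is outside the authorized testing window"
    return True, "in scope"


def record_check(target: str, when_iso: str) -> str:
    """Run the scope check and append a timestamped line to the audit log."""
    allowed, reason = in_scope(target, when_iso)
    entry = f"{when_iso} target={target} allowed={allowed} reason={reason}"
    AUDIT_LOG.append(entry)
    return entry


if __name__ == "__main__":
    # 203.0.113.200 is adjacent to, but outside, the authorized /25: the answer's scenario.
    for host in ("203.0.113.10", "203.0.113.200", "shop.example"):
        print(record_check(host, "2024-03-05T14:00:00+00:00"))
    print(record_check("203.0.113.10", "2024-03-09T09:00:00+00:00"))
```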

16. A VDP provides a mechanism for anyone to report vulnerabilities and commits the organization not to pursue legal action against good-faith reporters. A bug bounty program adds financial rewards. An organization might choose a VDP without bounties when: budget constraints prevent offering meaningful rewards; the organization is in a regulated industry where bounty payments raise compliance questions; or the organization wants to establish a baseline reporting mechanism before committing to a bounty program.

17. Testing without documentation is unauthorized access under the CFAA and equivalent laws. Minimum documentation required: (1) Signed contract or master service agreement with indemnification and liability provisions. (2) Statement of work defining scope, methodology, and timeline. (3) Written authorization letter signed by someone with verified authority. (4) Rules of engagement. (5) Verification of insurance coverage. No amount of verbal assurance substitutes for written authorization.

18. The Wassenaar Arrangement added "intrusion software" to its controlled items in 2013, raising concerns that security tools and exploit code could become subject to export controls. Initial U.S. implementation proposals were criticized for being overly broad, potentially criminalizing sharing of PoC code and penetration testing tools. After industry pushback, the Commerce Department revised its proposals in 2017 to narrow definitions and exempt legitimate security research. The provisions continue to affect researchers who develop or distribute exploit code internationally, though practical enforcement has been limited.