Write review on this article with 2 references in APA format. (jonathan) Penetration testing is a sensitive area for most organizations.
Depending on the size of an organization, this can be something that occurs on a regular basis using automated methods such as a vulnerability scanner, or it can be something that occurs in regular increments such as on an annual basis.
In many organizations, this process is a hybrid of the two. However it is done, statistics show that companies need to regularly be performing such tests, to ensure their security.
According a whitepaper put out by Whitehat Security, 55% of retail websites, 50% of healthcare websites, and 35% of financial websites remain in a state of constant vulnerability throughout the year (Whitehat Security, 2015).
This is not only alarming from a statistical standpoint, but also stands in stark contrast to the biblical principle of wise stewardship. While penetration tests are certainly a necessity for every organization, the decision to perform these types of services in an unsanctioned manner brings many moral and ethical questions along with it.
Beyond that, an unsanctioned penetration test can potentially cause outages to production systems, inadvertently expose sensitive data, and possibly bring about more harm than good, regardless of the individual's motivations and intentions. Additionally, the tester could face potential legal repercussions should they be discovered, and/or cause damage to the institution being tested.
According to the Computer Fraud and Abuse Act of 1986, it is a Federal crime to even exceed authorized access on any computer system (CFAA, 1986). While this Federal statute is terribly dated and increasingly irrelevant to the modern technological landscape, the fact remains that a user could potentially face criminal charges under CFAA. As such, one should exercise extreme caution and discernment when performing any kind of penetration test.
My personal stance on the issue is that a responsible party, such as a CISO, Director or Vice President within an organization, should give verbal authorization at the very least, before a penetration test is to be performed. Many would no doubt take this one step further and request written approval prior to performing a penetration test.
While all of us have differing opinions, the Bible reminds us in Hebrews 13:17 that we are to obey those in authority over us (Hebrews 13:17, NASB).
Doing so may go against our grain and take extra time, but it is always a safe bet to get approval. References Whitehat Security. (2015). Website security statistics report.