1
00:00:01,650 --> 00:00:03,150
Laws and ethics.

2
00:00:04,660 --> 00:00:09,950
So we get to legal issues that surround information security, certainly not a new topic.

3
00:00:10,750 --> 00:00:17,740
All parties of the security community actually try to find the right balance of privacy, confidentiality,

4
00:00:17,980 --> 00:00:20,620
as well as accountability for information security.

5
00:00:21,520 --> 00:00:27,760
As far as I know, the laws still have problems in order to, well, how do you handle information security

6
00:00:27,760 --> 00:00:28,870
problems properly?

7
00:00:29,860 --> 00:00:38,680
So due to the nature of the computer system, it's just not easy to identify cybercrimes and what laws

8
00:00:38,680 --> 00:00:39,940
they should be subject to.

9
00:00:41,070 --> 00:00:45,780
So this is one of the biggest problems of how to attribute cybercrime.

10
00:00:46,780 --> 00:00:53,350
So, of course, that makes it also difficult to differentiate between a crime and ethical hacking activity.

11
00:00:53,950 --> 00:00:55,360
Oh, now you're listening.

12
00:00:55,960 --> 00:01:01,600
Penetration testing can cause some confidentiality and integrity issues.

13
00:01:02,360 --> 00:01:08,260
Of course, it's possible, especially while testing business-critical applications.

14
00:01:09,040 --> 00:01:13,400
Shutting down a service may cause huge amounts of concern.

15
00:01:14,080 --> 00:01:19,450
So therefore, it really is important to realize exactly what your obligations are.

16
00:01:20,080 --> 00:01:26,140
Now, as one might expect, a penetration test has some pretty significant legal issues.

17
00:01:27,130 --> 00:01:33,830
So at that point, the main thing here is: what separates a penetration tester from a hacker?

18
00:01:34,630 --> 00:01:36,540
Well, not much.

19
00:01:37,180 --> 00:01:40,210
In fact, it's called permission.

20
00:01:41,720 --> 00:01:47,120
So it's expected to have permission from the owner of the system that's going to be tested.

21
00:01:48,040 --> 00:01:56,740
So that means that a legal agreement is not only beneficial for both parties, but I would say absolutely

22
00:01:56,740 --> 00:01:57,310
essential.

23
00:01:58,470 --> 00:02:04,410
So considering the respective laws, a written agreement between a tester and a company or organization

24
00:02:04,410 --> 00:02:09,970
or individual can clarify all the points regarding the conducted activity on the system.

25
00:02:10,680 --> 00:02:16,050
So here's a good thing to keep in mind: the laws and regulations change from country to country.

26
00:02:16,970 --> 00:02:25,010
So before diving into a pen test, discuss with the legal department about the laws of your respective

27
00:02:25,010 --> 00:02:25,550
country.

28
00:02:26,800 --> 00:02:30,030
On the other hand, you can't solve everything with laws.

29
00:02:31,220 --> 00:02:34,700
There are many gray areas in information security.

30
00:02:35,900 --> 00:02:44,840
So sometimes you cannot necessarily cover the gray area by being legally blind, so that's why honesty

31
00:02:45,020 --> 00:02:48,010
and responsibility come forward.

32
00:02:49,030 --> 00:02:52,510
Out in the field, we call it the code of ethics.