VAPT, Ethical Hacking and Indian Laws by Prashant Mali
When is a PT illegal?
1. When the tester does not have explicit authorization from the administrator or owner of the target system and still attempts to gain access, gains access, or penetrates the network or devices. For example, many amateur ethical hackers use tools to penetrate servers of government or private organizations without seeking permission, for the sake of practice or to prove a point.
2. When a tester is contracted by a third party who authorizes a PT on the first party's assets, where the first party authorized only the second party, and the second party outsourced the work to the third party without obtaining the first party's prior permission to outsource.
3. When an authorized tester uses unauthorized or pirated tools.
4. When an authorized tester exceeds the scope of work and penetrates devices on the network that were not authorized to be accessed.
5. When an authorized tester tests the target network outside the timings specified in the authorization.
Legal Provisions in India
Pen testing of any website without the explicit permission of its owner amounts to a violation of Section 43(a) read with Section 66 of the IT Act, 2000, which in combination read as follows:
If any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network, accesses or secures access to such computer, computer system, computer network or computer resource, and does so dishonestly or fraudulently, he shall be punishable with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both.
The affected company can file a suit with the Adjudicating Officer for compensation of up to Rs. 5 crores under Section 43(A) of the IT Act, 2000. If the loss is more than Rs. 5 crores, the suit can be filed at the High Court of the relevant jurisdiction for higher amounts. In addition to invoking the relevant penalty clauses in the contract, additional clauses such as breach of privacy can also be invoked if the tester accessed sensitive data.
Another very important provision under Indian law is Section 70 of the IT Act, 2000: any person who secures access or attempts to secure access to a protected system (the Central Government has to notify a particular organization's network, hardware and software as a Protected System) in contravention of the provisions of this section shall be punished with imprisonment for a term which may extend to 10 years and is also liable to a fine.
So there is no reason for a security researcher to do a VA-PT on networks that are part of Critical Information Infrastructure, and if he does so, the punishment can extend up to 10 years' imprisonment.
To illustrate, ethical hackers performing a penetration test without authorization can be equated to breaking into a neighbour's house to see whether the locks are good or to check the strength of a door or window. Both amount to house-breaking, and the police rely on prima facie evidence; your intention would only be discussed and argued in courts of law. Police would register an FIR against pen testers who test without the authorization of the target client or web server owner. I have handled various cases from both ends, i.e. I have represented an ethical hacker or a cyber security company, and I have represented a company on whom the pen testing was done without permission and who were the victims.
Case No. 1:
A well-known ethical hacker accessed a server of his client, a stock broking and finance company. The server contained certain financial details that were confidential, and hence the client had specifically avoided writing the IP address of this server in the contract signed with the ethical hacker. In addition, it also held some data about the income tax department raid.
This ethical hacker accessed the above server, with its restricted IP address, in the middle of the night. The next morning this was reported by the in-house IT team to the management, which registered a police case of hacking against the hacker. Police confiscated all of the hacker's devices from three different locations, which he had revealed during the investigation, and examined them. Police also found logs of some other illegal activities and copyrighted data belonging to other organizations on his hard disk.
Case No. 2:
A cyber security company executed a pen testing assignment for which it was engaged by a multinational company. The company also ran a training business and delegated the work to some of its trainees. The trainees, for the sake of practice, accessed servers during the client's office hours. Two trainees even installed certain software on these servers to create a backdoor. The MNC ordered a forensic examination and a complete investigation into the matter, and cases were filed against the students and the directors of the cyber security company for hacking, in addition to a civil suit claiming damages, which are being contested.
Legal Advice for Ethical Hackers, Cyber Security Companies and for Organizations Engaging Them:
At the very first instance, a contract needs to be entered into between the organization and the pen tester's company. All the terms and conditions shall be clearly mentioned, primarily the scope of work the pen testers shall perform, with a clear list of the tasks they shall not perform. It shall include details of the IP addresses, devices, subnets etc. on which the test shall be performed. If the scope of work includes a software review or decompiling, make sure that the copyright to the software permits (or does not prohibit) reverse engineering or code review. It is the responsibility of the organization hiring the pen testers to provide them with a certificate stating that the organization employing them is authorized to approve the work, and that the certificate is legally authenticated.
Scope of Work:
One of the practical problems faced by pen testers relates to a proper understanding of the scope of the pen test. Another is ascertaining the veracity of the IP addresses provided by their clients. Where incorrect IP addresses are provided to the testers, and they carry out tests believing them to be correct, it may end in a police investigation. At times the hiring organization provides the correct range of IP addresses but the testers end up testing the wrong ones. Everything that is covered under the contract shall have to be recorded precisely, so that there are no ambiguities as to what is required to be done, what is not, and on which systems and IP addresses. Another important point that shall be clearly answered in the scope of work is the purpose and manner in which the test is to be carried out. Terminology and jargon that can create confusion shall be avoided in the contract. The assumptions that underlie the pen test shall be clearly defined. A list of the devices or computers that are to be tested, and the ones that are not to be tested, shall form part of the contract. The schedules of pen tests shall be worked out and mutually agreed, indicating the daily schedule of tests clearly.
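As an added illustration (this is example code written for this page, not code from the article or from the author's firm), the following pre-flight check encodes the three contract items the article keeps returning to: the authorized IP ranges, the hosts explicitly carved out of the authorization, and the agreed daily testing window (items 4 and 5 of the list above, and this Scope of Work section). Every target is checked against the written scope before any test traffic is sent, and a target that fails any one check is refused with a reason that can be logged. All addresses, times and names in it are constructed sample values.

```python
"""Pre-flight scope check for an authorized penetration test (example code).

The contract's scope is written down once: the authorized IP ranges, the hosts
carved out of the authorization, and the agreed daily testing window. Every
target is then checked against it before any test traffic is sent. All
addresses and times below are constructed sample values, not from any real
engagement.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Tuple


@dataclass(frozen=True)
class Scope:
    authorized: tuple   # ip_network objects the client authorized in writing
    excluded: tuple     # ip_network objects explicitly carved out (deny wins)
    window_start: time  # daily testing window agreed in the contract ...
    window_end: time    # ... which may wrap past midnight, e.g. 22:00 -> 06:00


def in_window(scope: Scope, when: datetime) -> bool:
    """True if the clock time of `when` falls inside the agreed daily window."""
    t = when.time()
    if scope.window_start <= scope.window_end:
        return scope.window_start <= t < scope.window_end
    # Window wraps past midnight: allowed from start until 24:00 and from 00:00 until end.
    return t >= scope.window_start or t < scope.window_end


def check_target(scope: Scope, target: str, when: datetime) -> Tuple[bool, str]:
    """Deny by default; allow only when every contractual condition is met.

    Returns (allowed, reason) so the reason can be logged alongside the decision.
    """
    try:
        addr = ip_address(target)
    except ValueError:
        # Hostnames are not accepted: resolve them and confirm the resolved
        # address against the contract before testing.
        return False, f"{target!r} is not an IP address; resolve it and re-check against the contract"
    for net in scope.excluded:
        if addr in net:
            return False, f"{addr} is explicitly excluded by the contract ({net})"
    if not any(addr in net for net in scope.authorized):
        return False, f"{addr} is outside the authorized ranges"
    if not in_window(scope, when):
        return False, f"{when:%Y-%m-%d %H:%M} is outside the agreed testing window"
    return True, f"{addr} is in scope and within the agreed window"


def preflight(scope: Scope, targets, when: datetime) -> dict:
    """Split a target list into allowed and denied entries, each with its reason."""
    report = {"allowed": [], "denied": []}
    for target in targets:
        allowed, reason = check_target(scope, target, when)
        report["allowed" if allowed else "denied"].append((target, reason))
    return report


# Constructed sample scope: two authorized ranges (192.0.2.0/24 is the RFC 5737
# documentation range), one server carved out of the authorization as in
# Case No. 1, and an overnight window so that testing during the client's
# office hours, as in Case No. 2, is refused.
CONTRACT_SCOPE = Scope(
    authorized=(ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")),
    excluded=(ip_network("10.20.5.7/32"),),
    window_start=time(22, 0),
    window_end=time(6, 0),
)

if __name__ == "__main__":
    targets = ["10.20.1.10", "10.20.5.7", "203.0.113.9", "intranet.example"]
    for label, when in (("night", datetime(2024, 1, 10, 23, 30)),
                        ("office hours", datetime(2024, 1, 10, 11, 0))):
        result = preflight(CONTRACT_SCOPE, targets, when)
        print(f"== {label} ==")
        for bucket in ("allowed", "denied"):
            for target, reason in result[bucket]:
                print(f"{bucket:>7}: {reason}")
```

The check is deny-by-default: an exclusion wins over an authorized range that contains it, hostnames are refused so that name resolution is verified against the contract rather than trusted, and the window logic handles a testing window that wraps past midnight, which is the common case for work the client wants done outside office hours.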
Ancillary damages:
Other related problems erupt when pen tests are carried out on active networks, systems and devices on which the organization is working. If the testers or the organization did not arrive at a schedule, or did not follow the agreed schedule, the impact can be disastrous and may be adverse from both financial and reputational angles. Hence it is very important to agree on a schedule and proceed as per the agreed schedule. As an additional precaution, the testers shall notify the organization in writing, on a daily basis, of the areas and the severity of the impact of each scheduled test and the precautionary measures to be followed by the organization.
Indemnification:
The accuracy of the pen test has nothing to do with the issue of notifying the organization about the test. Even a test that runs successfully can cause certain damage, disruption, harm etc. to the networks, data, computers or devices of the organization. Hence it is important to include clauses for indemnification from ancillary, incidental or consequential damages arising out of the tests.
Jurisdiction:
When it comes to the jurisdictional question of dealing with the consequences arising out of a pen test, there is no universal answer, and hence the parties involved will have to mutually agree on a location. Let's take an example: a Mumbai-based company entered into a contract with a Romania-based pen test company for performing a pen test on the company's computers located in Hyderabad. The pen tester conducts the tests from Russia, but they impact and injure someone in London. In this example, each party involved, directly or indirectly, would want the laws of the country favourable to them to be made applicable.
Privacy Issues:
A successful pen test can result in the pen tester getting into a computer or computer network that they should not access in the ordinary course. Thus it may include accessing data or databases which might contain sensitive personal data or information (SPDI), credit card information, personally identifiable information (PII) etc., or other information that an organization wanted to protect. The pen test may expose the tester to information that is sensitive and protected by law. The question then is whether access to such information by a pen tester is a breach that needs to be reported or not. What is generally done is the signing of a Non-Disclosure Agreement (NDA) by the pen tester, agreeing to protect and maintain the confidentiality of the data they accessed during the course of a test. The pen tester must understand the scope and extent of their duty to protect all data they access.
Issues that differ by case:
It is unlawful to conduct a pen test on computer systems that are not under the control of the customer. It is not clear, as of now, what gives a customer the right to authorize a pen test. Ownership? Intellectual property rights? Leasing of an IP range? Licensing of software? It is one thing to own a house, another to rent it. In addition, when doing a pen test, what are you testing? Physical security? Logical security? Software security? Software configuration? Hardware configuration? Settings? Does the fact that a company leases hardware, licenses software, and rents space affect its ability to give consent? As a lawyer, I can solve this only after studying a particular case.
What services and documentation?
What kind of pen test are you conducting? Is it just a port scan? Are you running a tool like Nessus? And what do you warrant and represent that you will find? A typical pen test contract should provide that the pen tester will use the type of professionalism and skill commonly found in the industry, but not make promises that the test will find all, or even substantially all, vulnerabilities or misconfigurations. One should note that it is as important to document the lack of findings as it is to document the findings themselves.
Who owns the result and process?
Determination of the ownership of the information which is the outcome of the pen test is another issue that erupts in these contracts. To answer this in simple language, the tester is the owner of the methodology used in testing and of the report templates, whereas the hiring company is the owner of the findings and the recommendations coming out of the test, though these are reported by the testers to the organization. As far as the invention of new methodologies by the tester is concerned, again, as a lawyer, I can solve this only after understanding a particular case.
Reporting and beyond:
When we say that the reports and findings of the pen tests carried out are the property of the hiring organization, it might sound unjust and mean, because networks never work in isolation; they work only when they are interconnected with live connections. The same is the case with the pen testers, the customer and the interrelated third parties. The testers shall not only inform the hiring organization about the potential impacts and injuries that can result from the tests, but also the third parties who may be impacted, whether severely or not. But making them liable for losses caused to third parties would certainly depend upon how the court perceives, interprets and enforces the law.
Conclusion
A vulnerability assessment and pen testing assignment may sound simple, and the documents involved may look straightforward; I have seen many copy-and-pasted agreements. But as with any legal document, the details play an important role, so always seek legal help for vetting them. Good hygiene and self-regulation by individuals or by an organization can avoid the long arm of the law.
Author:
Advocate Prashant Mali is an internationally renowned Cyber Law & Cyber Security Expert, Author and a High Court Lawyer based out of Mumbai, India. He is also President of the award-winning premier technology law firm "Cyber Law Consulting". This year he has been awarded "Cyber Security Lawyer of the Year - India" by Financial Monthly magazine of the UK. He has also been awarded "Cyber Security & Cyber Law Lawyer of The Year: 2014" by the Indian National Bar Association. He is a Chevening Cyber Security Fellow (UK). He holds a Masters in Computer Science and a Masters in Law with certification in Computer Forensics & Systems Audit, with working experience in the field of IT Security & Law for more than 20 years. He has been interviewed by BBC World, Doordarshan, Bloomberg, NDTV and Zee Business, and quoted by leading newspapers of India and abroad such as the Times of India, Business Standard, Asian Age and Bloomberg News, to name a few. He regularly writes for leading magazines and is a passionate speaker at national and international seminars. He has authored 6 books on Cyber Crimes & Cyber Laws. He is a legal adviser to the Police, Government companies, MNCs and corporates, and represents them in various courts. He has successfully argued and obtained decisions in landmark cyber cases and cases involving electronic evidence as an expert legal counsel.
Contact:
Phone: +91-22-25401515 / +91-9821763157 | Twitter: @CyberMahaGuru
E-mail: prashant.mali@cyberlawconsulting.com / cyberlawconsulting@gmail.com
Website: www.prashantmali.com | facebook.com/cyberlawconsultant