The document discusses vulnerability assessment and penetration testing (VAPT) and related Indian laws. It provides definitions for vulnerability assessment and penetration testing, noting there are no legal definitions. It outlines when penetration testing would be considered illegal, such as without authorization or exceeding the testing scope. The legal provisions for unauthorized penetration testing are discussed, including penalties of up to 3 years imprisonment or Rs. 5 lakhs fine under the IT Act. Case studies are presented and best practices are recommended, such as having a well-defined contract and scope of work to avoid legal issues.

1. VAPT & Indian Laws
Adv. Prashant Mali [ M.Sc.(Computer Science), LLM ]
International Cyber Lawyer, Author & Speaker
@CyberMahaGuru

2. VAPT
&
Indian
Laws
What is Vulnerability
Analysis?
 There is no definition as per Law ..
 To identify and analyse the vulnerabilities, a test
known as the vulnerability assessment test is
carried out.
 A vulnerability assessment exercise highlights the
gap in vendor patch updations, misconfigurations
and other known vulnerabilities.
 A VA can throw a lot of false positives and false
negatives too, which is often tested manually by
administrators to confirm.
 The team then conducts a threat mapping of these
vulnerabilities around the affected assets

3. VAPT
&
Indian
LawsWhat is Penetration Testing
 There is no definition as per Law ..
 PT means a penetration test that jots down all the
instances where the cyber attacker either internal
or external to the organization, tries to attack the
systems by compromising the vulnerabilities.
 The attacker uses various types of exploit
methods to disrupt the system, steal information
or gain complete control over the system for
further use.
 There are various frameworks and exploit kits
easily available that are put use during a
penetration test exercise.

4. VAPT
&
Indian
Laws“Rules of Engagement”
 RoE document includes various details like
 Location,
 Scope,
 Frequency,
 Depth,
 Time,
 Reporting formats and
 Emergency contacts for incident mgmt.

5. VAPT
&
Indian
LawsWhen a PT is illegal?
 When the tester has not explicit authorization
from the target company and still the tester
attempts or gains access or penetrates target
companies network or devices. For e.g. many
amateur ethical hackers use tools to penetrate
servers of Government or private owned
organization without they being asked to do so
for the sake of practice or to prove their point.
 When the tester is a contracted third party who
is conducting PT on first party’s assets. First
party has authorized second party who has
outsourced to third party for which the second
party has not obtained prior permission to
outsource.

6. VAPT
&
Indian
LawsContd.. When a PT is illegal?
When authorized tester uses
unauthorized or pirated tools.
When authorized tester exceeds his
brief and penetrates devices on
network not authorized to him.
When authorized tester does
testing of target network during
timings not specified in
authorization.

7. VAPT
&
Indian
Laws
Legal Provisions for illegal
PT
Pen testing any websites
without their explicit
permission amounts to
violation of Section 43(a) read
with Section 66 of The IT Act,
2000.
Up to 3 years of imprisonment
or up to Rs. 5 Lakhs or Both

8. VAPT
&
Indian
Laws
Legal Provisions for illegal
PT on Protected System
 Another very important provision under the Indian
law is the section 70 of the IT Act, 2000 in which if
any person who secures access or attempts to
secure access to a protected system (Central
Government has to notify a particular
organization’s network, hardware & software as
Protected System) in contravention of the
provisions of this section shall be punished with a
term which may extend to 10 years and is also
liable to fine.
 So, there is no reason for a security researcher to
do a VA-PT on networks that are part of Critical
Information Infrastructure and if he does so, the
punishment can be extended up to 10 years
imprisonment.

9. VAPT
&
Indian
Laws
Legal Provisions for illegal
PT
Compensation for damages
 The affected company can also file suit
for compensation up to Rs. 5 crores
under section 43(A) of The IT Act, 2000,
with the Adjudication officer and if the
loss is more than Rs. 5 Crores then for
any amount can file a suit with the High
Court of relevant jurisdiction.
 Relevant penalty clauses in the contract
would also be invoked. Breach of Privacy
law also would be applicable if the server
accessed contains sensitive data.

10. VAPT
&
Indian
LawsCase study No. 1
 A cyber security company executed the
pen testing assignment they had received
from a multinational company by
delegating the work to their students as
they even were in training business.
 These students for the sake of practice
did two wrong things they accessed
servers during office hours of the client
from their home. Two students accessed
servers and planted there software on
these severs to create a backdoor.

11. VAPT
&
Indian
LawsWhat happened then ..
This MNC had ordered forensics
and complete investigation in the
matter from a different cyber
security vendor.
Different cases were filed on
students and on the directors of
cyber security companies for
hacking and a civil suit claiming
damages is still contested.

12. VAPT
&
Indian
LawsCase Study No. 2
 A well-known ethical hacker accessed a
server of his client a stock broking and
finance company, this server contained
certain financial details. These financial
details were not supposed to be released
in public domain and hence the client had
specifically avoided writing IP address of
this server in the contract signed with the
ethical hacker. They also had data about
the income tax department raid on the
same server.

13. VAPT
&
Indian
LawsWhat happened then ..
 This ethical hacker in mid night accessed
the above said server and in next
morning it was reported by the in house
IT team to the management, which
registered a police case of hacking
against the hacker.
 Police confiscated all the devices of the
hacker from his 3 different locations
which he revealed in the investigations.
Police also found out some other illegal
activities and data about other
organizations on his hard disk.

14. VAPT
&
Indian
LawsWhat needs to be done ?
 At the very first instance a contract needs to be
entered into between the organization and the pen
testers company. All the terms and conditions
shall very well and clearly be mentioned which
primarily includes what job or work shall the pen
testers perform and specifically mention also the
tasks that they would not perform.
 IT should include other details of the IP
addresses, devices, subnets e.t.c, on which they
shall perform the tests. If the test includes a
software review or decompiling, make sure that
the copyright to the software permits (or does not
prohibit) the reverse engineering or code review.

15. VAPT
&
Indian
LawsScope of an assignment
 Among the various practical problems faced by
the pen testers one is related to the incorrect
understanding of the scope of the pen test.
Another may be the incorrect IP addresses.
 If wrong or incorrect IP addresses are provided to
the testers, who believe them to be true, then the
testers may end up in problem which may land up
in police investigation of that tester of their team.
 Also at times it so happens that the hiring
organization provides with the correct range of IP
addresses but the testers end up in attacking the
wrong ones.

16. VAPT
&
Indian
LawsAncillary Damages
 If the testers do not notify the
organization about the tests and its
effects there may be heavy losses that
the organization may have to face.
 The testers need to notify the
organization in writing mentioning all the
areas of impact, the severity of the impact
and the precautionary measures to be
followed by the organization. Also about
the incidental and ancillary damages.

17. VAPT
&
Indian
LawsIndemnification:
 The accuracy in performance of the pen test
performing team has got nothing to do with
the issue of notification about the test to the
organization.
 The reason behind this is, even if the test
runs successful, it shall have several traces
of damage, disruption, harm e.t.c on the
networks, data and the computers and
devices of the organization.

18. VAPT
&
Indian
LawsJurisdiction:
 Let’s take an example, a Mumbai based
company has entered into a contract for
performing pen test on their computers in
Hyderabad, with a Romania based pen
test company. The pen tester conducts
the tests from Russia. But it has impacted
and injured someone in London.
 In this example each of the party involved
directly or indirectly would want the laws
of the country favorable to them, be made
applicable

19. VAPT
&
Indian
Laws
What services and
documentation:
 What kind of pen test are you conducting? Is it just
doing a port scan? Are you running tool like NESUS
and leaving? And what do you warrant and represent
that you will find? A typical pen test should merit that
the pen tester will use the type of professionalism and
skills commonly found in the industry, but not make
promises that the test will find all, or even
substantially all vulnerabilities or
misconfigurations. One should note, it is as
important to document the lack of findings as it is
to document the findings themselves

20. VAPT
&
Indian
Laws
Who owns the result and
process?
 Determination of the ownership of the
information which is the outcome of the
pen test is another issues that erupts in
these contracts.
 To answer this in simple language, the
tester is the owner of the methodology
used in testing and the report templates
so generated, whereas the hiring
company is the owner of the findings and
the recommendations coming out of the
test, though reported by the testers to the
organization.

21. VAPT
&
Indian
LawsReporting and beyond:
 When we say that the reports and the
findings of the pen tests so carried out, is the
property of the hiring organization, we shall
sound unjust and mean.
 The testers shall not only intimate about the
impact and injuries due to the tests, to the
hiring organization but also to the third
parties who may get impacted whether
severely or not. But making them liable for
the losses caused to the third parties would
certainly depend upon what the court
perceives and what and how it shall enforce
the law.

22. VAPT
&
Indian
LawsConclusion
A pen testing assignment may sound
simple and the documents involved
may look straight forward, I have seen
many even use the copy, pasted
agreements.
But as any legal document, the details
play the important role. A good
hygiene and self-regulation by
individuals or by an organization can
avoid long arm of law.

23. VAPT
&
Indian
LawsThank you
 +91-9821763157
www.prashantmali.com
@CyberMahaGuru