In cybersecurity, the term “target” can refer to a number of different things, depending on the context. Generally, a target is a specific asset or system that an attacker is seeking to compromise or exploit. It could be a computer, a network, a web application, or any other type of digital system that has vulnerabilities or weaknesses that an attacker can exploit.
For the sole purpose of this topic, I would be reviewing some popular platforms where you can find a target to practice your penetration testing skills on and I would also be explaining the fine print. Finally, i would be talking about the laws governing cyber security and penetration testing in the United Kingdom. Kindly take a few minutes to read through the disclaimer as it would be very helpful for this topic. When it comes to finding an asset we would be performing tests on, of course, there are labs for penetration testing on platforms out there but the labs are meant to be solved in some way and thus, you get to learn whilst you’re solving these penetration testing labs. But, real-life practicality is missing. It would interest you to know that there are thousands of companies out there who would let you perform penetration tests on their asset and should you find any vulnerability or bug, you get paid. That does sound interesting but it’s no easy task. Before giving you ways to locate these companies/organisations that would let you perform penetration tests on their asset, it’s best to explain the fine print behind these types of tasks to you so you do not end up in jail. When these companies list out an asset for penetration testing to be performed on, they reasonably do not expect you to just perform DDOS using HOIC or LOIC because that would be an unreasonable thing to do. They give out specific guidelines alongside the listing and taking the time to read through these guidelines would guarantee you of being a free man/ woman and not winding up in jail. I understand there’s been a couple of jail talks now and this is because in cybersecurity before penetration tests can be conducted; you need to have been given the consent and go ahead to do so. You can’t just try out things you learned online on a website that is not giving you your expected refunds or try to try out things on websites you detest. it’s not DONE and you do not perform penetration testing if you’ve not been authorised to do so. Please do not perform penetration tests on assets if you have not been authorised to do so.
In the United Kingdom where I reside, there are several laws that govern the conduct of penetration testing.
The Computer Misuse Act 1990 is the primary legislation that covers cybercrime in the UK. It criminalizes unauthorized access to computer systems and data, as well as the distribution of malicious software. While the act does not explicitly mention penetration testing, it does provide an exemption for “the person who has the permission of the owner or other lawful authority.” This means that if a penetration tester has the explicit permission of the system owner to conduct the test, they are not breaking the law.
Another relevant law is the Data Protection Act 2018, which regulates the processing of personal data in the UK. It requires organizations to have appropriate safeguards in place to protect personal data from unauthorized access, use, or disclosure. During a penetration test, personal data may be accessed and processed, so it is important for testers to ensure that they have the necessary permissions and that they follow the requirements of the act.
There are also industry-specific regulations that may apply to penetration testing, such as the Payment Card Industry Data Security Standard (PCI DSS) for organizations handling credit card transactions, and the General Data Protection Regulation (GDPR) for organizations operating in the European Union.
In addition to these laws, there are also best practices and guidelines that penetration testers should follow in order to ensure that their work is ethical and respectful of the rights of others. For example, the Open Web Application Security Project (OWASP) has published a list of guidelines for ethical hacking, which includes recommendations such as obtaining prior consent, avoiding causing damage or disruption, and respecting the privacy of individuals.
In summary, the laws governing penetration testing in the UK are designed to protect against cybercrime and ensure the proper handling of personal data. As long as testers have the necessary permissions and follow relevant laws and guidelines, they can conduct ethical hacking activities to help organizations improve their security.
Back to the topic, companies that list out their assets for penetration testing to be conducted on do give out something called “SCOPE”.
Now what does scope in penetration testing means?
In the context of penetration testing, scope refers to the specific systems, networks, or applications that are included in the test. It is important to know the scope of a penetration test before tests are carried out, as it helps to ensure that the test is focused and relevant to the organization’s needs.
The scope of a penetration test can be determined in a number of ways, depending on the goals and objectives of the test. Some common considerations for determining the scope of a penetration test include:
- The assets or systems that are most critical to the organization’s operations. These may be prioritized for testing in order to ensure that they are secure.
- The vulnerabilities or weaknesses that the organization is most concerned about. These may be the focus of the test in order to identify and address potential risks.
- The types of attacks that the organization is most likely to encounter. This may include specific types of malware, network vulnerabilities, or web application vulnerabilities.
- The resources that are available for the test. This may include the time and budget allocated for the test, as well as the skills and expertise of the testers.
Once the scope of a penetration test has been defined, it is important for the testers to adhere to it. This helps to ensure that the test is focused and relevant, and that it does not cause unnecessary disruption or damage to the systems or networks being tested. It is also important to communicate the scope of the test to all relevant parties, including the system owners and any external stakeholders, in order to ensure that everyone is aware of what is being tested and why.
While that is clear. Below are websites where you can find companies listing their assets for penetration tests to be conducted on.
Watch the video below as i review these platforms.
I hope you enjoyed reading my blog post! If you found the content useful or informative, I would really appreciate it if you could take a moment to leave a comment and share the post with your friends and colleagues. Your feedback and support helps me to continue creating valuable content for you readers. Thank you for considering and I look forward to reading your thoughts!
Thanks, Tobi
