Law and Compliance Flashcards

1
Q

Section 1 of the CMA 1990 concerns what?

A

Unauthorised access to computer material.

2
Q

Section 2 of the CMA 1990 concerns what?

A

Unauthorised access with intent to commit or facilitate commission of further offences.

3
Q

Section 3 of the CMA 1990 concerns what?

A

Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

4
Q

Under the CMA 1990, a person is guilty of an offence under the Act if they do what?

A

A person is guilty of an offence if—

  • he causes a computer to perform any function with intent to secure access to any program or data held in any computer
  • the access he intends to secure [or to enable to be secured,] is unauthorised
  • he knows at the time when he causes the computer to perform the function that that is the case.

Basically, if you know you shouldn’t be accessing the computer, and you perform some action against it in order to secure access to that computer anyway, then you are guilty.

5
Q

Under the CMA 1990 Section 2, you are guilty under that section if you do what?

A

Basically, anything that would facilitate an offence under any of the other sections: for example, creating software for someone who is creating malware, or performing actions that facilitate the compromise of an organisation (think writing the phishing email, even if you don’t send it).

6
Q

Under the CMA section 3, you are guilty if you do what?

A

A person is guilty of an offence if—

  • he does any unauthorised act in relation to a computer;
  • at the time when he does the act he knows that it is unauthorised

AND EITHER

  • you intend to:
    - impair the operation of any computer;
    - prevent or hinder access to any program or data held in any computer;
    - impair the operation of any such program or the reliability of any such data;
    - enable any of the things mentioned in paragraphs (a) to (c) above to be done

OR

  • you are ‘reckless’ as to whether the act will do any of the things mentioned in those paragraphs
  • reckless means you don’t care - it’s defined through precedent law

7
Q

The Human Rights Act 1998 is based on what EU directive?

A

European Convention on Human Rights

8
Q

Which article of the Human Rights Act is most relevant to penetration testing?

A

Article 8 of the Human Rights Act - Right to respect for private and family life

9
Q

What impact does Article 8 of the Human Rights Act (Right to respect for private and family life) have on penetration testing activities?

A

  • Don’t compromise personal data unnecessarily
  • Don’t store personal data
  • Don’t read it either.

Instances where this can happen:

  • network sniffing
  • SQL injection - if you pull an entire table
  • IDOR (this actually happened to me; fortunately it was the client and they didn’t mind).

10
Q

What are the 7 principles of Data Protection according to the DPA 2018?

Mnemonic: Let Porpoises Dive And Swim In Aqueducts

A

The UK GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability - Specific only to the UK
11
Q

Describe the Data Protection Act 2018 principle of lawfulness, fairness and transparency

A

processed lawfully, fairly and in a transparent manner in relation to individuals

12
Q

Describe the Data Protection Act 2018 principle of purpose limitation

A

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes does not count as incompatible

13
Q

Describe the Data Protection Act 2018 principle of data minimisation

A

adequate, relevant and limited to what is necessary for the purposes

14
Q

Describe the Data Protection Act 2018 principle of accuracy

A

accurate and, where necessary, kept up to date

- anything known to be inaccurate must be deleted as soon as possible

15
Q

Describe the Data Protection Act 2018 principle of storage limitation

A

  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes agreed upon
  • can’t keep it longer than you said you would, or longer than you need it.

16
Q

Describe the Data Protection Act 2018 principle of integrity and confidentiality

A

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

17
Q

Describe the Data Protection Act 2018 principle of accountability

A

  • specific only to the UK, doesn’t apply to GDPR
  • There are two key elements. First, the accountability principle makes it clear that you are responsible for complying with the GDPR. Second, you must be able to demonstrate your compliance.
  • this might include assigning a data controller, who in turn can implement other controls and processes to ensure evidence of compliance is available.

18
Q

What impact does the Police and Justice Act 2006 have on penetration testing?

A

Made it illegal to perform DoS attacks.
Made it illegal to supply and own hacking tools.
- basically amended the CMA 1990, but didn’t change much about it.

19
Q

CMA Section 3ZA describes what?

A

The types of damage considered relevant in the CMA: basically it covers the health of people, the wealth of people/companies and the security of the nation.

20
Q

CMA Section 3A describes what?

A

Making, supplying or obtaining articles for use in an offence under section 1 (unauthorised access) or section 3 (causing damage).

Effectively, if you create something with the understanding that it may be used for committing offences under sections 1 or 3, or you made it specifically for that purpose, then you are guilty.

It’s all about the intention of the act: if you intend for it to be used in one of these crimes, you’re guilty.