It appears that there is a growing wave of SaaS utilities that will either scan websites and internet-based services for you or provide you with access to historical information on sites and services they have already scanned, often for a fee. Unfortunately, using such services can result in your falling seriously foul of the law, especially if permission has not been obtained by either the company performing the scans or the client who asks them to perform a scan on their behalf. Let me explain below.
Ask for permission first, always…
Simply put, regardless of the safety or intent of the scan being performed, you need to get permission first. This is for several reasons:
#1 There is no such thing as a Passive Scan
Quite often such companies will say they are only doing a passive scan and that it cannot possibly cause any harm to the service being scanned. Wrong! The act of scanning itself is an information exchange between two computer programs, both of which know nothing about each other when they start the communication. This means that if there are bugs or bad code in either party, the scanned service could have its data integrity impacted at the least or, at the worst, the availability of the service could be impacted. Also, Passive Scanning is not an exactly defined technique: where is the line between what is truly Passive and what is Active? We all know the extremes, but where exactly do you cross over from Passive to Active? Remember, everything is an interaction.
If you have no awareness whatsoever of the implementation of what you are scanning, how can you have 100% confidence you will not be negatively impacting them?
#2 You are consuming someone else’s resources
Such scans can range from something light to something intense; either way, your act of scanning somebody else’s service is consuming their resources without prior consent. What if that scan were to trigger an autoscale event or cause a database to be upscaled? This is a serious cost to those running the service, and it is of no benefit to the service operator.
Plus, if you take this type of service to the limit and assume there will be many providers of such scanning facilities, it will end up with internet services being scanned all the time by multiple scanners – a serious waste of resources that will probably have a negative impact on the environment as a result.
#3 Who is using the results of the scan?
Now you may think it’s only you as the customer who has access to the reports, but who else has access to such reports? How is it guaranteed that a bad actor does not gain access to such reports and use the treasure trove of security information to their benefit? In effect, such scanning could be weakening the security posture of the very sites and services they are trying to protect!
#4 Who are the bad guys?
If you are running an online site or service and you have all these random scans against you, how do you know who is the bad actor in all of this? Plus, it’s likely the scans will trigger security alerts, if only for the ‘sniffing’ and oddly timed traffic. This again consumes resources, and in this case it consumes human resources to boot!
#5 Where is the data being stored?
If the scans record fragments from the websites or provide snippets from what the services returned, there is a risk that PII or other sensitive information might be revealed. This could fall foul of privacy regulations in a big way. It also raises the question of whether this vast treasure trove of information is being stored securely or not.
In most countries (including the USA, UK, AU, etc.), there is specific legislation making it illegal to scan or probe online services to discover security vulnerabilities without prior permission. This is done for good reason, as it provides a clear separation between those obtaining such information for bad reasons and those doing it for good. Intent carries little weight here: if someone has not given permission and you are scanning regardless, that is considered illegal.
Now you may say that Google and all the other search engines have been doing this for years, so what’s the problem? The thing is, they are accessing those sites for the primary purpose for which they were intended. They do not disclose to all parties any security issues they have found while indexing the sites. Likewise, the usage of standalone security scanners (like those in some browsers or security toolkits) is an individual action taken by a person, who bears the direct legal responsibility. Plus, Google and other search engines have established mechanisms in place to disable scanning of sites that don’t want to be scanned; sites can decline in advance.
Whereas if you are a business scanning sites looking for security vulnerabilities, without a client’s indication of permission to do so, you are harvesting (illegally) a treasure trove of information that could be used by bad actors. In several jurisdictions, this could be considered possession or use of services that are knowingly aiding in the committing of cybercrime (and if you operate such services, by reading this article you are now fully aware that this could well be going on). What have those running such services done to ‘vet’ and screen those accessing such report data sets?
Sometimes to get a report, you just reach out to one of their sales staff and they will happily hand it over, no questions asked. What does this really say about their approach to security and hence the value of what they are selling?
This is why those who perform Penetration tests obtain what is known as a ‘get out of jail free’ letter, to show to the authorities that they have prior permission to scan. The fact that they are doing a possibly invasive scan is NOT the reason for this; the fact that they are doing a scan AT ALL is the reason.
The only right and safe way to do this
First off, the results of such scans and reports should not be made freely available to anyone who wants to know; doing so I would consider seriously irresponsible and reckless at best. It’s a bit like running a free candy store for hackers if you make this information public. Now the argument may be that everybody else is doing this, therefore it’s okay; I’ve got news for you, that will not stand in court. Ignorance of the law is never a defence.
Secondly, all clients must sign a waiver and agreement that they have the authority to utilise such scans and reports in a way that does not negatively impact any sites or services so scanned, and that they have sought prior approval from the site or service operators to have such scans performed.
Thirdly, site or service operators and owners need a way to either ban such third-party scanning or have an approval mechanism in place to give consent to allow each scan to occur. The wholesale security scanning of sites or services for security weaknesses must stop.
Fourthly, site or service operators should update their terms of service to specifically exclude the security scanning of websites or services without prior written permission. This clearly puts those doing so without prior permission on the wrong side of the law. Sites can also signal to scan services what they allow and when using the robots.txt extension here.
This is the only way to do this, prior permission and agreement to be scanned MUST be a critical gate in the process.
What is currently occurring is the online equivalent of going around checking everyone’s homes to see if the doors or windows are locked, then making such information available to anyone willing to pay. In the real world, you would get arrested for doing this and with good reason. The penny needs to drop that the same rules & consequences also apply online.
Those providing online security scanning services need to grow up; it’s not a free-for-all and it has never been a free-for-all. There are consequences and responsibilities to providing such services, which need to be enacted. Those businesses that respect the law and its intent will rise to the top; those who don’t will sink.
There is also the question of the real value of such reports. Unlike a proper penetration test or an ISO27001 assessment, they by their very nature can only look at the surface of the website or service, and anybody who has implemented websites at scale knows that is often the tip of a very big iceberg. I also get the sense, from the reports I’ve seen, that they are mostly ‘security theatre’; in other words, they overplay risks and possible impacts to make people feel they have derived value from such reports. They can also give a false impression that what they have scanned is meaningfully secure (or not); to use the physical analogy, not all locks and alarms are created equal. I feel such reports offer a very weak evaluation of overall security; compared to a comprehensive Pen Test, they pale into insignificance.