The National Cyber Security Agency (Nacsa) has issued a statement warning that ethical hackers in Malaysia, even well-intentioned ones, face legal action for security testing, as such testing is a criminal offence without explicit written consent.
Responding to queries from the industry, the agency clarified that the nation’s licensing framework for managed security operations centre (MSOC) monitoring and penetration testing is designed to differentiate authorised assessments from unlawful network intrusions.
The framework requires MSOC and penetration testing services to be conducted solely by licensed providers, particularly for organisations designated under the purview of the National Critical Information Infrastructure (NCII).
This is to ensure that testing is performed only by practitioners with credentials, as ethical hacking is defined by a specific scope and explicit written consent and becomes an illegal act if there is no prior authorisation.
During licence renewal, a provider’s performance record covering the preceding six years must be furnished to the chief executive of MSOC, which is why service records must be maintained for six years to ensure transparency and compliance.
The agency stated that 410 companies in the country are licensed for SOC services and 403 for penetration testing, compared with only 23 individuals licensed for SOC services and 53 for penetration testing.
-THE MALAYSIA VOICE






