Firewall Wizards mailing list archives

Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 28 Aug 2004 09:25:20 -0400 (EDT)

On Wed, 25 Aug 2004, Bruce Platt wrote:

> Without starting a huge flaming thread ...
>
> Have any of you used a "Memo of Understanding" or "Contract" (shudder) when
> asked to do some "ethical hacking" for a company on their resources,
> systems, and networks?

I'm not a big pen-test fan, and it's been a while since I did
any, however...

A contract is pretty much mandatory if you're doing this for a third
party.  The only time I've used an MOU is when doing it internally for a
company, mostly for personal protection from being passed invalid
addresses, hitting third party customer availability/functionality issues,
etc.  I also like to outline the rules of engagement and authority, so
that if I'm asked to go beyond them, I have recourse to get it in writing.

> I'd like to skip over the topic of Certification for Ethical Hackers and get
> to the issue of what one might want to include in such a document to protect
> both oneself and the company.
>
> What comes to mind quickly are many of the same sorts of indemnifications,
> hold-harmless, and liability issues which would apply for a non-security-related
> consulting agreement, but with the various sorts of damage which can
> be done by mistake or carelessness and so forth when asking one to assess a
> company's security profile, I would think that some of you might have used a
> document with which you are comfortable in the past, or have a pointer to
> one.

You'll also want to make sure that your errors and omissions insurance is
up to date, and probably make sure you have a specific "cyber insurance"
rider; that way, if a third party comes after you civilly, you're still
relatively safe.

That doesn't help you if someone comes after you criminally, though, and
many pen-testing activities can be construed as illegal in many
jurisdictions (especially important when it's difficult to validate
addressing or, worse yet, ownership: often CPE is owned by the provider, and
sometimes business partners or vendors own things in an address space like
stock feeds, benefits package gateways...).

> I know what I have done when I was a full-time employee within my own
> company, but have yet to find a document which seems comfortable for use
> with an external consultant.

There are many, many evolving laws; if I were to do this today, I'd start
with a consulting contract and a lawyer who's versed in the issues.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards