Firewall Wizards mailing list archives
Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 28 Aug 2004 09:25:20 -0400 (EDT)
On Wed, 25 Aug 2004, Bruce Platt wrote:
> Without starting a huge flaming thread ... Have any of you used a "Memo of Understanding" or "Contract" (shudder) when asked to do some "ethical hacking" for a company on their resources, systems, and networks?
I'm not a big pen-test fan, and it's been a while since I did any, however... A contract is pretty much mandatory if you're doing this for a third party. The only time I've used an MOU is when doing it internally for a company, mostly for personal protection from being passed invalid addresses, hitting third party customer availability/functionality issues, etc. I also like to outline the rules of engagement and authority, so that if I'm asked to go beyond them, I have recourse to get it in writing.
> I'd like to skip over the topic of Certification for Ethical Hackers and get to the issue of what one might want to include in such a document to protect both oneself and the company. What comes to mind quickly are many of the same sorts of indemnifications, hold-harmless, and liability issues which would apply for a non-security-related consulting agreement, but with the various sorts of damage which can be done by mistake or carelessness and so forth when asking one to assess a company's security profile, I would think that some of you might have used a document with which you are comfortable in the past, or have a pointer to one.
You'll also want to make sure that your errors and omissions insurance is up to date, and probably make sure you have a specific "cyber insurance" rider; that way, if a third party comes after you civilly, you're still relatively safe. That doesn't help you if someone comes after you criminally though, and many pen-testing activities can be construed as illegal in many jurisdictions (especially important when it's difficult to validate addressing or, worse yet, ownership; often CPE is owned by the provider, and sometimes business partners or vendors own things in an address space like stock feeds, benefits package gateways...)
> I know what I have done when I was a full-time employee within my own company, but have yet to find a document which seems comfortable for use with an external consultant.
There are many, many evolving laws; if I were to do this today, I'd start with a consulting contract and a lawyer who's versed in the issues.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards