Penetration Testing mailing list archives

Re: [PEN-TEST] Legalities and Liabilities


From: Wandering One <wanderingone () CORE COM>
Date: Wed, 13 Sep 2000 15:55:25 -0500

    I have some questions regarding the legal aspects of penetration
testing (I'm hoping this hasn't been answered on the list before,
I haven't had time to keep up for the past couple of weeks).

1.) Before a pen/sec test takes place, what type of legal documentation
should be obtained (disclaimers, limitation of liability, etc..)?

I would look for such things as the scope of the audit.  Work with the
client and ensure that the client understands the terms that you are going
to use to describe the results and also what terms you use to describe
the scope of the project.  This scope should outline the details such as
what machines, and to what extent you should test them.  (I.e., is it alright
for me to hit them with everything in my arsenal or keep it to non-intrusive
measures to ensure 100% uptime for the client throughout the pen-test?)  If
you are going to use social engineering and/or hacks into HR material, ensure
that this is mentioned, as these can be sensitive subjects.  Ask them before
you do it and get it in writing what it is that they want you to 'liberate'
from their systems to show that you did the pen-test and that you knew what
you were doing.

Possibly list all the things you could possibly give them as proof, and
ensure that they feel comfortable with all listed items.

2.) What are major topics that should be discussed and included in a
contract between the pen/sec company and their client?  Should a
contract even be written up in the first place?

By all means write that contract.  For one, it ensures that there is an
understanding and, with enough wording, does not give either side a way out of
paying for the services; for another, it ensures that you understand
what it is that you will be doing so as not to exceed or completely miss the
mark of the contract.

3.) When conducting a pen/sec test what legal issues should be kept in
mind (e.g., get-out-of-jail-free type of stuff)?

List everything that you could possibly return with (liberated from their
systems) and ensure that there is an understanding that the documentation you
provide includes where you got it from.  Other than that, I've seen a few
differently worded contracts prepared by lawyers once the technical details
were ironed out, and I'm not comfortable commenting on the more direct legal
issues.

5.) After a pen/sec test, if the client's network is cracked, can the
pen/sec company be held responsible?

Depends on the scopes and liabilities in the contracts.  But since our legal
system is the best that money can buy, you could possibly have the most
iron-clad contract and still get sued.  So I'm not sure if there is any real
protection; being careful of the companies with which you do business is
one suggestion.

6.) If the pen/sec company offers services such as actual securing of
systems, can they be held responsible if the systems they secured are
cracked?

Possibly.  This again should be covered in the contract, and for anything that
was not done under the contract where you, as a security professional, know that
such an opening exists, document it and CYA everything.  It's sad what the
industry has come to, but CYA along with good project management methodology
can save you face and money in the long run.  Mention in the contract that
you are not responsible for new 'attacks' dreamed up after a specified date
(set after you finish the project).  There may be other wording and/or
additions to the contract that can be used.  One of the things that I have
offered in the past is a 6 month period during which, for a flat fee a month,
I would keep the company updated on the latest trends in attacks as well as
any simple changes they could make on the systems that I secured.  This
sort of served as a vetting of the Bugtraqs specific to that customer.  Not
many companies took that, but I would have pointed to that as well as the
risk analysis statement in which I had mentioned that continuous maintenance
of their security architecture is a must to reduce any future risks, etc.

I'd appreciate as much feedback as possible.  Once again I apologize if
this has already been discussed.

Just a few thoughts off the top of my head, let me know if you want more.

Wandering One