Penetration Testing mailing list archives
Re: [PEN-TEST] Legalities and Liabilities
From: Wandering One <wanderingone () CORE COM>
Date: Wed, 13 Sep 2000 15:55:25 -0500
I have some questions regarding the legal aspects of penetration testing (I'm hoping this hasn't been answered on the list before; I haven't had time to keep up for the past couple of weeks). 1.) Before a pen/sec test takes place, what type of legal documentation should be obtained (disclaimers, limitation of liability, etc.)?
I would look for such things as the scope of the audit. Work with the client and ensure that the client understands the terms that you are going to use to describe the results and also what terms you use to describe the scope of the project. This scope should outline details such as what machines, and to what extent, you should test. (i.e., is it alright for me to hit them with everything in my arsenal, or should I keep it to non-intrusive measures to ensure 100% uptime for the client throughout the pen-test?) If you are going to use social engineering and/or hacks into HR material, ensure that this is mentioned, as these can be sensitive subjects. Ask them before you do it and get it in writing what it is that they want you to 'liberate' from their systems to show that you did the pen-test and that you knew what you were doing. Possibly list all the things you could possibly give them as proof, and ensure that they feel comfortable with all listed items.
2.) What are major topics that should be discussed and included in a contract between the pen/sec company and their client? Should a contract even be written up in the first place?
By all means write that contract. For one, it ensures that there is an understanding and, with enough wording, does not give either side a way out of paying for the services; for another, it ensures that you understand what it is that you will be doing, so as not to exceed or completely miss the mark of the contract.
3.) When conducting a pen/sec test, what legal issues should be kept in mind (e.g. get-out-of-jail-free type of stuff)?
List everything that you could possibly return with (liberated from their systems) and ensure that there is an understanding that the documentation you provide includes where you got it from. Other than that, I've seen a few differently worded contracts prepared by lawyers once the technical details were ironed out, and I'm not comfortable commenting on the more direct legal issues.
5.) After a pen/sec test, if the client's network is cracked, can the pen/sec company be held responsible?
Depends on the scopes and liabilities in the contracts. But since our legal system is the best that money can buy, you could possibly have the most iron-clad contract and still get sued. So I'm not sure if there is any real protection; being careful about the companies with which you do business is one suggestion.
6.) If the pen/sec company offers services such as actual securing of systems, can they be held responsible if the systems they secured are cracked?
Possibly. This again should be covered in the contract, and for anything that was not done under the contract where you as a security professional know that such an opening exists, document it and CYA everything. It's sad what the industry has come to, but CYA along with good project management methodology can save you face and money in the long run. Mention in the contract that you are not responsible for new 'attacks' dreamed up after a specified date (set after you finish the project). There may be other wording and/or additions to the contract that can be used. One of the things that I have offered in the past is a 6 month period during which, for a flat fee a month, I would keep the company updated on the latest trends in attacks as well as any simple changes they could make on the systems that I secured. This sort of served as a vetting of the Bugtraq postings specific to that customer. Not many companies took that, but I would have pointed to that as well as the risk analysis statement in which I had mentioned that continuous maintenance of their security architecture is a must to reduce any future risks, etc.
I'd appreciate as much feedback as possible. Once again I apologize if this has already been discussed.
Just a few thoughts off the top of my head; let me know if you want more.

Wandering One
Current thread:
- [PEN-TEST] Legalities and Liabilities Ben Lull (Sep 12)
- Re: [PEN-TEST] Legalities and Liabilities Dan Ryan (Sep 12)
- Re: [PEN-TEST] Legalities and Liabilities Tim Kramer (Sep 13)
- Re: [PEN-TEST] Legalities and Liabilities Coderian (Sep 12)
- Re: [PEN-TEST] Legalities and Liabilities Wandering One (Sep 13)
- <Possible follow-ups>
- Re: [PEN-TEST] Legalities and Liabilities Bhanu Prasad (Sep 12)
- Re: [PEN-TEST] Legalities and Liabilities Dan Ryan (Sep 12)