Penetration Testing mailing list archives
RE: Pen test - Attorney client Privilege?
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 19 Oct 2005 22:51:04 +1000
I'm not a lawyer either, but see a couple of interesting twists to this approach, in some situations.

In the case of the credit card PCI standard, evidence of vulnerability/pen-test activities needs to be made available to the accredited PCI auditor (for mid-large sites, anyway). Taking this to one possible extrapolation, will the lawyers be providing relevant statements regarding conduct of tests to the PCI auditor who then relies upon these statements for their own legal indemnity in making statements towards the site's PCI compliance? Are the lawyers going to make assessments as to the meanings and outcomes of the pen/vuln testing to PCI or other auditors? Does this make lawyers involved in liability to one or more third parties with whom the law firm (usually) has no commercial, contractual or legal relationship (e.g. Acquiring Bank, Card Scheme, PCI Auditor)? Would/could this cause the confidentiality shield to be punctured?

Of course, this is just ramblings on topics I'm not skilled in - but it looks like anything could happen in PCI environments, imho

Lyal

-----Original Message-----
From: Paul Robertson [mailto:compuwar () gmail com]
Sent: Sunday, 16 October 2005 10:50 PM
To: rob havelt
Cc: pen-test () securityfocus com
Subject: Re: Pen test - Attorney client Privilege?

Disclaimer: I am not a lawyer and I don't play one on the 'Net.

On 10/15/05, rob havelt <rob () cobal org> wrote:
> Hi All, Lately I've been seeing some stuff on the legal end of Penetration Testing, and have had some clients ask, and I thought that it would be an interesting question to pose to the list. Mainly I've been seeing articles like this one:
> http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1131713,00.html?track=NL-358&ad=530198USCA
Frankly, I'm surprised Shawna wrote that without any dissenting opinion. I've spent some time doing some research on privilege (it seems to me to be a good shield when doing computer forensics where generally we're working on evidence for a case or in preparation for a case.) It doesn't seem to me that pen-testing can be construed as such except in a very narrow set of circumstances. I don't know who else Shawna talked to for the story, or if her research says something other than mine, so I'm going to try to drag her into this discussion via BCC- hopefully if she responds the list moderators will let it through if she's not subscribed to the list.
> That suggest that a penetration test should be commissioned by, and the results delivered to an organization's legal department in such a way where the results of the test will be covered by attorney client privilege...
Nice thought, however privilege isn't blanket and generally is extended only to things where (a) they're directly related to legal advice or litigation and (b) the attorney is acting as counsel *not* as a corporate officer. In this case, I'd think you'd trip both of those exceptions rather quickly by running the contract through the legal department. "Hey, we need some legal advice on the vulnerability of our network" seems to be a pretty large stretch to me. Enron would have been difficult to catch if they'd just gotten more legal advice on their accounting practices, trading practices and oversight, eh? For the SDNY's take on this, see: http://www.torys.com/publications/pdf/CM1996-1N.pdf If you look at the citations, you'll quickly come to the conclusion that at least in the 2nd circuit the courts would take a dim view of such attempts to cover business process with privilege.
> The main crux of the suggestion was to insulate an organization against the liability of not implementing all the suggestions and recommendations in the report - I.E. if they were sued later the results of the penetration test would be available to the plaintiff during the discovery process under normal circumstances - the test was commissioned by the IT or Risk Management department, but it would be privilege info if it were commissioned by legal...
If shielding common business practice by routing it through the legal department were possible, then *everything* would go through the legal department. The courts have become increasingly wary of granting privilege over the years, and such abuse is likely to be summarily dealt with by the bench. I wonder if the folks cited in the article have really done any homework on this, or if they're simply outside counsel looking for billable hours? Next thing someone will suggest the lawyers actually *do* the testing.
> Has anyone faced this in their client interactions? Or done this before? How does setting that up look exactly? And does anyone have any thought of the effectiveness of this?
IMO, zero. Privilege is extended to communications made in confidence between two parties for the purpose of obtaining or providing legal assistance to the client- I don't think pen testing meets the bar of legal assistance. You'd also be hard-pressed to make a 5th amendment argument, which is the other potential bar I found in my research. Now, each state has its own statutes, so there may be a state or two where the statute provides some wiggle room for shielding, but overall I think it's disingenuous to think that just having a legal department do the contracting is going to shield the results from legal discovery during due process. Judges sign discovery orders, and they're not all that likely to limit the power of due process without a compelling reason.
> To me it seems like that would be a very easy way to get an unfavorable report buried very quickly so that it ostensibly has no visibility in the organization. I've also wondered how the results are communicated between say, legal and the IT group or the rest of the organization in this case? Anyway, just something I thought was interesting is all...
Frankly, if I were asked about something like this, I'd advise going after the pen-test company first- if they recommended it, handing out legal advice might be an issue. If the client wants to do things that way, I'd suggest revamping your contracts to plant defense and discovery costs firmly in their court. Though if you're contracting with legal, expect your pre-sales legal work to skyrocket, and contract negotiations to be a lot more difficult, and terms not as favorable. I don't expect lawyers to hold to generic contracts when they're one of the contracting parties.

Paul
--
www.compuwar.net