Re: [fw-wiz] Off-Topic: Memo of Understanding for Using an Ethical Hacker

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 08/28/04

    To: Bruce Platt <Bruce@ei3.com>
    Date: Sat, 28 Aug 2004 09:25:20 -0400 (EDT)

    On Wed, 25 Aug 2004, Bruce Platt wrote:

    > Without starting a huge flaming thread ...
    >
    > Have any of you used a "Memo of Understanding" or "Contract" (shudder) when
    > asked to do some "ethical hacking" for a company on their resources,
    > systems, and networks?

    I'm not a big pen-test fan, and it's been a while since I did
    any, however...

    A contract is pretty much mandatory if you're doing this for a third
    party. The only time I've used an MOU is when doing it internally for a
    company, mostly for personal protection from being passed invalid
    addresses, hitting third party customer availability/functionality issues,
    etc. I also like to outline the rules of engagement and authority, so
    that if I'm asked to go beyond them, I have recourse to get it in writing.

    > I'd like to skip over the topic of Certification for Ethical Hackers and get
    > to the issue of what one might want to include in such a document to protect
    > both oneself and the company.
    >
    > What comes to mind quickly are many of the same sorts of indemnifications,
    > hold-harmless, and liability issues which would apply for a non security
    > related consulting agreement, but with the various sorts of damage which can
    > be done by mistake or carelessness and so forth when asking one to assess a
    > company's security profile, I would think that some of you might have used a
    > document with which you are comfortable in the past, or have a pointer to
    > one.

    You'll also want to make sure that your errors and omissions insurance is
    up to date, and probably make sure you have a specific "cyber insurance"
    rider- that way if a third party comes after you civilly, you're still
    relatively safe.

    That doesn't help you if someone comes after you criminally though- and
    many pen-testing activities can be construed as illegal in many
    jurisdictions (especially important when it's difficult to validate
    addressing or, worse yet, ownership- often CPE is owned by the provider, and
    sometimes business partners or vendors own things in an address space like
    stock feeds, benefits package gateways...)

    > I know what I have done when I was a full-time employee within my own
    > company, but have yet to find a document which seems comfortable for use
    > with an external consultant.

    There are many, many evolving laws; if I were to do this today, I'd start
    with a consulting contract and a lawyer who's versed in the issues.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
