Re: [fw-wiz] Off-Topic: Memo of Understanding for Using an Ethical Hacker

From: Matt Curtin
Date: 08/26/04

  • Next message: Bruce Platt: "RE: [fw-wiz] Netscreen compatibility"

    To: Bruce Platt
    Date: Thu, 26 Aug 2004 07:32:48 -0400

    Bruce Platt writes:

    > Have any of you used a "Memo of Understanding" or "Contract"
    > (shudder) when asked to do some "ethical hacking" for a company on
    > their resources, systems, and networks?

    We do for penetration testing, much like we do for any other kind of
    service that we perform.

    Anyone doing this kind of thing should address several key issues:

     o Get your contract drafted by an attorney who understands
       appropriate areas of law (e.g., what you're doing, technology,
       contracts, local/state statutes). Do not try to skimp on this. If
       you're not willing to spend a few hundred bucks to get your
       contract right, to give your client(s) the appropriate notification
       of their terms and conditions, to give yourself appropriate
       protection against litigious clients whose ancient VMS system you
       kicked over without having any chance to discover its presence
       first, etc., you're not really in the business.

     o After you get your standard terms and conditions drafted, be sure
       that you have an appropriate level of insurance, for both liability
       and E&O purposes. Make sure that your underwriter sees your
       standard terms and conditions. Be prepared to pay out the wazoo
       for coverage that is worth having, and expect that your rates will
       get jacked up significantly every year even though you don't have
       any claim made. This is a high risk business, and worse, insurers
       don't have a lot of data on these policies yet, so they're looking
       at all of the unknowns as risks.

     o Be prepared for contract negotiations with almost every client who
       will want to change a word or two here or there for no good
       reason. The same attorney renegotiating a contract that has
       expired might well want to start with the old contract and then
       tweak the language so it goes back to what you had in the first
       place. It's completely insane, but that's part of the deal --
       comfort of the client is very important in this business, so if you
       have to wear a party hat and play a kazoo to keep people
       comfortable, that's part of the deal. Have an attorney handle all
       contract negotiations -- perhaps not directly, but don't agree to
       anything without getting your attorney's blessing or understanding
       what risks you're taking on by not taking the attorney's advice.

       Sometimes you won't be able to start with your standard terms and
       conditions, but will need to start with the client's standard terms
       and conditions. I've seen this work well and I've seen it be
       ugly. Again, make sure an attorney who understands your standard
       terms is working contract negotiation to get the language you want
       in there.

     o You don't need your terms and conditions to be a book. We have a
       plain-language preamble that explains what we're after (in a
       nutshell, it says that we're going to do as good a job as can be
       done, which is why you've hired us, but there are lots of
       unknowns...) in the engagement. That is just under one page long,
       and it is followed by four pages of legalese that covers all of the
       services we offer from penetration testing to application
       development and regulatory compliance to information infrastructure
       management. Something that is focused solely on a single
       engagement of penetration testing shouldn't be huge. Just say what
       you're both trying to get out of the engagement, what you'll do,
       and what you are on the hook for. The longer it is, the bigger the
       risk of having language that conflicts with other language, and it
       can just turn into a big mess.

     o You might also want to ensure that you get some part of the payment
       up front, anything in the neighborhood of ten to fifty percent,
       depending on the size of the engagement. This will have several
       other benefits, but having a check in-hand also allows you to have
       some reasonable verification that the money is actually coming from
       someone who is authorized to engage you, as opposed to a piece of
       paper that someone signed that warrants it with nothing to stand
       behind it.

    Matt Curtin, CISSP, IAM, INTP.  Keywords: Lisp, Unix, Internet, INFOSEC.
    Founder, Interhack Corporation +1 614 545 HACK
    Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)
    firewall-wizards mailing list
