Writing Permission Forms for Network Analysis?
Jacob asks: "I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This, of course, includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company for which I worked. Since I am no longer working for that company, I do not have that same protection, and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"
--More Information--- (Score:2, Informative)
I would also like to protect myself should my immediate manager be unavailable to stand up for me (i.e., on vacation, changed jobs, etc.).
Good idea. Randal got burned. (Score:4, Informative)
Perl guru Randal Schwartz [stonehenge.com] was criminally prosecuted in the state of Oregon when, as a consultant, he warned his client's system administrators about poorly secured systems he found. [lightlink.com] He was convicted of a felony. It cost him over $170,000 in legal fees and $68,000 in restitution. He very nearly went to jail for 90 days.
I'd bet HE'D have some ideas on whether the wording in a consulting contract would be good enough to save you from his experience.
Re:Good idea. Randal got burned. (Score:3, Informative)
Presumably, this guy is being hired to do work that is primarily, or includes, security-related work. He still should contact a lawyer and get all the wording right and loopholes closed; but even if he doesn't, anything he does do won't be comparable to what Schwartz did.
Don't just talk to a lawyer (Score:3, Informative)
Something actually USEFUL to you (Score:5, Informative)
The guy is asking a question here!
You will find most of what you want to know at the SANS Reading Room [sans.org] site. This is an invaluable resource for your line of work.
SANS briefly used an obnoxious password scheme to access this archive, but this has been - thankfully - removed.
Specific to your needs is a "waiver" style document, to be signed by the technical and management authorities responsible for the network you are testing. It defines the behaviors to expect from a consultant and the expectation of impact by the client. A good example, by GIAC candidate Nancy Simpson, is provided here: PENETRATION TEST SAMPLE RULES OF BEHAVIOR [sans.org].
This is in the Reading Room, under the section Penetration Testing [sans.org].
You can adapt some of this to your needs. Keeping a lawyer on retainer is a bit steep for a single, independent contractor these days, with contracts like proverbial hen's teeth. Insurance probably isn't a bad idea, though.