Writing Permission Forms for Network Analysis? 21
Jacob asks: " I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This of course includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company in which I worked for. Since I am no longer working for that company I do not have that same protection and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"
IANAL, but... (Score:5, Insightful)
In situations where you might incur large amounts of liability, it's usually well worth the money to talk to a lawyer.
Re:IANAL, but... (Score:2)
I know (Score:4, Funny)
--More Information--- (Score:2, Informative)
I would also like to protect myself should my immediate manager be unavailable to stand up for me (ie. on vacation, changed jobs, etc. etc.).
Re:--More Information--- (Score:2, Interesting)
Good idea. Randall got burned. (Score:4, Informative)
Perl guru Randall Schwartz [stonehenge.com] was criminally prosecuted in the state of Oregon when as a consultant he warned his client's system administrators about poorly secured systems he found. [lightlink.com] He was convicted of a felony. It cost him over $170,000 in legal fees and $68,000 in restitution. He very nearly went to jail for 90 days.
I'd bet HE'D have some ideas whether the wording in a consulting contract would be good enoughto sabve you from his experience.
Re:Good idea. Randall got burned. (Score:3, Informative)
Presumably, this guy is being hired to do work that is primarily, or includes, security related. He still should contact a lawyer and get all the wording right and loopholes closed; but even if he doesn't, anything he does do won't be comparable to what Schwartz did.
Re:Good idea. Randall got burned. (Score:2)
Maybe, but as far as I know he never 1) used the information against the company in any way, and 2) his intention was always to help them improve security. Yes, he was stupid for not getting some sort of permission to probe for security weaknesses, but the employer was much more stupid for how they treated him. A reprimand would have been more than sufficient. I would never want to work for a company that treated people that way, wrong or right.
From what I recall, I don't think he had done this from outside, but rather he had copies of the password files and cracking tools on his work machine. Maybe someone has a link to more specific information, but this is an important distinction.
SGI didn't appreciate the work of the guy who developed "Satan" either. Some people would rather not know about their security holes, then they might have to actually do something to fix them.
Re:Good idea. Randall got burned. (Score:3, Interesting)
This is completely different from the story submitter who will have permission to test these networks but just wants a firm legal agreement in place before he performs any work.
Re:Good idea. Randall got burned. (Score:2)
If working on ones own initiative to help a company you are employed by is something really stupid, I'd hate to work with you.
Re:Good idea. Randall got burned. (Score:3, Interesting)
Now if Randall had asked permission to do what he did and received the approval to do so, then that would have been a different story and he wouldn't be in the situation that he found himself in. But Randall didn't ask permission. He assumed authority and responsibility for something to which he was not given and got burned when he was caught.
In other words, Randal did something really stupid up and paid the price.
Don't just talk to a lawyer (Score:3, Informative)
Something actually USEFUL to you (Score:5, Informative)
The guy is asking a question here!
You will find most of what you want to know at the SANS Reading Room [sans.org] site. This is an invaluable resource for your line of work.
SANS briefly used an obnoxious password scheme to access this archive, but this has been - thankfully - removed.
Specific to your needs is a "waiver" style document, to be signed by the technical and management authorities resposible for the network you are testing. It defines the behaviors to expect from a consultant and the expectation of impact by the client. A good example, by GIAC candidate Nancy Simpson, is provided here: PENETRATION TEST SAMPLE RULES OF BEHAVIOR [sans.org].
This is in the Reading Room, under the section Penetration Testing [sans.org].
You can adapt some of this to your needs - keeping a Lawyer on retainer is a bit steep for a single, independant contractor these days, with contracts like provebial hen's teeth. Insurance isn't probably a bad idea though.
Re:Something actually USEFUL to you (Score:1)
Thanks.
Where? (Score:1)
Are you plugging in at random somewhere? Whose wires are you planning on or presently tapping into?
Re:Where? (Score:1)
If you are contracting your services to them specifically to test their security then your contract that you draw up should include access to their network. Presumably you will be plugging in a box with AirSnort et al and they are supplying you with the data.
As somebody else mentioned above if you're unsure about drawing this up yourself then you should pay a lawyer some money as it isn't really that much hassle and will cover you from a lot more expense if it does go nasty.
If, on the other hand you're going to be running externally eg you're going to do intrusion testing from the internet to try and break their firewall or see if their servers are vulnerable, then the legal status is a lot more hazy. In this case I think that you'd definitely want to get a professional to write up a contract. Does anybody know the detail of that?
check the location bar. (Score:1)