Writing Permission Forms for Network Analysis?

Jacob asks: " I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This of course includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company in which I worked for. Since I am no longer working for that company I do not have that same protection and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"

--More Information---

[jredding]

I am NO LONGER a consultant so I do NOT have the legal protection that I used to have. My manager is aware of what I am doing but I worried about a higher up manager(s) that does not understand the workings of networks and labeling my work as "hacking" or "invasion of privacy".
I would also like to protect myself should my immediate manager be unavailable to stand up for me (ie. on vacation, changed jobs, etc. etc.).

Good idea. Randall got burned.

[netringer]

Your caution is well founded.

Perl guru Randall Schwartz was criminally prosecuted in the state of Oregon when as a consultant he warned his client's system administrators about poorly secured systems he found. He was convicted of a felony. It cost him over $170,000 in legal fees and $68,000 in restitution. He very nearly went to jail for 90 days.

I'd bet HE'D have some ideas whether the wording in a consulting contract would be good enoughto sabve you from his experience.

Re:Good idea. Randall got burned.

[kmellis]

Schwartz is a bad example. It's been a long time since I reviewed the details of this case, but IIRC, what he did was not in any sense what they were paying him to do. He did it from home, violating security procedures of which he was aware. He had as much business finding and using a security hole as any other person who isn't being paid to find such things--that being none. He broke the law.

Presumably, this guy is being hired to do work that is primarily, or includes, security related. He still should contact a lawyer and get all the wording right and loopholes closed; but even if he doesn't, anything he does do won't be comparable to what Schwartz did.

Don't just talk to a lawyer

[dbrutus]

Also talk to an insurance company. There might be some bonding or other insurance that covers the situation.

Something actually USEFUL to you

[Jeremiah+Cornelius]

Jeesh, guys!

The guy is asking a question here!

You will find most of what you want to know at the SANS Reading Room site. This is an invaluable resource for your line of work.

SANS briefly used an obnoxious password scheme to access this archive, but this has been - thankfully - removed.

Specific to your needs is a "waiver" style document, to be signed by the technical and management authorities resposible for the network you are testing. It defines the behaviors to expect from a consultant and the expectation of impact by the client. A good example, by GIAC candidate Nancy Simpson, is provided here: PENETRATION TEST SAMPLE RULES OF BEHAVIOR .

This is in the Reading Room, under the section Penetration Testing.

You can adapt some of this to your needs - keeping a Lawyer on retainer is a bit steep for a single, independant contractor these days, with contracts like provebial hen's teeth. Insurance isn't probably a bad idea though.