Slashdot Mirror


Writing Permission Forms for Network Analysis?

Jacob asks: "I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This of course includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company for which I worked. Since I am no longer working for that company I do not have that same protection and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"


  1. IANAL, but... by Jester998 · Score: 5, Insightful

    IMHO, talk to a real lawyer. That way you can be sure the contract is legally binding, as well as probably closing up some legal loopholes that you might overlook yourself.

    In situations where you might incur large amounts of liability, it's usually well worth the money to talk to a lawyer.

  2. I know by The+Bungi · Score: 4, Funny

    Buy a one-way plane ticket to Aruba and use it with alacrity.

  3. Good idea. Randall got burned. by netringer · Score: 4, Informative

    Your caution is well founded.

    Perl guru Randall Schwartz was criminally prosecuted in the state of Oregon when as a consultant he warned his client's system administrators about poorly secured systems he found. He was convicted of a felony. It cost him over $170,000 in legal fees and $68,000 in restitution. He very nearly went to jail for 90 days.

    I'd bet HE'D have some ideas whether the wording in a consulting contract would be good enough to save you from his experience.

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly

  4. Re:Good idea. Randall got burned. by kmellis · Score: 3, Informative

    Schwartz is a bad example. It's been a long time since I reviewed the details of this case, but IIRC, what he did was not in any sense what they were paying him to do. He did it from home, violating security procedures of which he was aware. He had as much business finding and using a security hole as any other person who isn't being paid to find such things--that being none. He broke the law.

    Presumably, this guy is being hired to do work that is primarily, or includes, security related. He still should contact a lawyer and get all the wording right and loopholes closed; but even if he doesn't, anything he does do won't be comparable to what Schwartz did.

  5. Don't just talk to a lawyer by dbrutus · Score: 3, Informative

    Also talk to an insurance company. There might be some bonding or other insurance that covers the situation.

  6. Re:Good idea. Randall got burned. by FattMattP · Score: 3, Interesting

    Randall Schwartz was criminally prosecuted because he accessed systems at Intel without authorization. What he did to get himself in trouble had nothing to do with what he was originally contracted to do. He cracked passwords to demonstrate to some other individuals that people were using weak passwords and should probably improve their security. No matter how noble his intentions were, he didn't have permission to access those systems nor was he employed to crack the passwords for any type of demonstration. Randal did something really stupid and paid the price. The best you can do is learn from his mistake.

    This is completely different from the story submitter who will have permission to test these networks but just wants a firm legal agreement in place before he performs any work.

    --
    Prevent email address forgery. Publish SPF records for y

  7. Something actually USEFUL to you by Jeremiah+Cornelius · Score: 5, Informative

    Jeesh, guys!

    The guy is asking a question here!

    You will find most of what you want to know at the SANS Reading Room site. This is an invaluable resource for your line of work.

    SANS briefly used an obnoxious password scheme to access this archive, but this has been - thankfully - removed.

    Specific to your needs is a "waiver" style document, to be signed by the technical and management authorities responsible for the network you are testing. It defines the behaviors to expect from a consultant and the expectation of impact by the client. A good example, by GIAC candidate Nancy Simpson, is provided here: PENETRATION TEST SAMPLE RULES OF BEHAVIOR.

    This is in the Reading Room, under the section Penetration Testing.

    You can adapt some of this to your needs - keeping a Lawyer on retainer is a bit steep for a single, independent contractor these days, with contracts like proverbial hen's teeth. Insurance probably isn't a bad idea though.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."

  8. Re:Good idea. Randall got burned. by FattMattP · Score: 3, Interesting

    Then I guess you'd hate to work with me. Keep in mind that Randall wasn't an Intel employee. He was a contractor that was brought on to do a specific function. You're probably a student who hasn't entered the workforce yet (or hasn't been there for long) and don't realize that part of getting along with other people in a job is playing politics. I hate it and many other people do too. But if you are going to expose that someone's security isn't up to snuff, and you don't have some political backing to do so, then when it makes the person in charge of said security look bad, you can be sure that they're going to get back at you somehow.

    Now if Randall had asked permission to do what he did and received the approval to do so, then that would have been a different story and he wouldn't be in the situation that he found himself in. But Randall didn't ask permission. He assumed authority and responsibility for something he was not given and got burned when he was caught.

    In other words, Randal did something really stupid and paid the price.

    --
    Prevent email address forgery. Publish SPF records for y