Slashdot Mirror

← Back to Stories (view on slashdot.org)

Writing Permission Forms for Network Analysis?

Posted by Cliff on from the covering-your-a dept.

Jacob asks: " I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This of course includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company in which I worked for. Since I am no longer working for that company I do not have that same protection and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"

4 of 21 comments (clear)

  1. IANAL, but... by Jester998 · · Score: 5, Insightful

    IMHO, talk to a real lawyer. That way you can be sure the contract is legally binding, as well as probably closing up some legal loopholes that you might overlook yourself.

    In situations where you might incur large amounts of liability, it's usually well worth the money to talk to a lawyer.

  2. I know by The+Bungi · · Score: 4, Funny

    Buy a one-way plane ticket to Aruba and use it with alacrity.

  3. Good idea. Randall got burned. by netringer · · Score: 4, Informative

    Your caution is well founded.

    Perl guru Randall Schwartz was criminally prosecuted in the state of Oregon when as a consultant he warned his client's system administrators about poorly secured systems he found. He was convicted of a felony. It cost him over $170,000 in legal fees and $68,000 in restitution. He very nearly went to jail for 90 days.

    I'd bet HE'D have some ideas whether the wording in a consulting contract would be good enoughto sabve you from his experience.

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
  4. Something actually USEFUL to you by Jeremiah+Cornelius · · Score: 5, Informative
    Jeesh, guys!

    The guy is asking a question here!

    You will find most of what you want to know at the SANS Reading Room site. This is an invaluable resource for your line of work.

    SANS briefly used an obnoxious password scheme to access this archive, but this has been - thankfully - removed.

    Specific to your needs is a "waiver" style document, to be signed by the technical and management authorities resposible for the network you are testing. It defines the behaviors to expect from a consultant and the expectation of impact by the client. A good example, by GIAC candidate Nancy Simpson, is provided here: PENETRATION TEST SAMPLE RULES OF BEHAVIOR .

    This is in the Reading Room, under the section Penetration Testing.

    You can adapt some of this to your needs - keeping a Lawyer on retainer is a bit steep for a single, independant contractor these days, with contracts like provebial hen's teeth. Insurance isn't probably a bad idea though.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."