LPTv4 Module 12 Customers and Legal Agreements

Uploaded by shanky-verma-soni, posted on 03-Feb-2016

Page 1: LPTv4 Module 12 Customers and Legal Agreements

ECSA/LPT

EC-Council, Module XII

Customers and Legal Agreements

Page 2

Module Objective

This module will deal with various legal agreements of penetration testing.

It also defines the need for penetration testing, the stages of penetration testing, and the customer requirements.

It also focuses on rules of behavior and risks associated with penetration testing.

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 3

Module Flow

• Why do Organizations Need Pen-Testing?
• Initial Stages in Penetration Testing
• Create a Checklist of Testing Requirements
• Confidentiality and NDA Agreements
• Penetration Testing by Third Parties
• Penetration Testing ‘Rules of Behavior’
• Penetration Testing Contract
• Liability Issues
• Drafting Contracts

Page 4

Why do Organizations Need Pen-Testing?

Organizations need an outside party to try and “break in” (do a penetration test) to prove how good they are.

Internal bureaucratic need to prove to others in the company how insecure their systems are.

Legal requirements, such as HIPAA, make it necessary to conduct a pen-test.

Page 5

Initial Stages in Penetration Testing

• Checklist of Pen-Test Services that will be Provided
• Identify Customer Requirements
• Draft Legal Agreement
• Both Parties Agree and Sign

Page 6

Understand Customer Requirements

Identify what needs to be tested:

• Servers
• Workstations
• Routers
• Firewalls
• Networking devices
• Cabling
• Databases
• Applications
• Physical security

Create a checklist of testing requirements.

Identify the time frame and testing hours.

Identify who will be involved in the reporting and document delivery.

Page 7

Create a Checklist of Testing Requirements

• Do you have any security-related policies and standards? If so, do you want us to review them?
• Do you want us to perform a review of the physical security of your servers and network infrastructure?
• How many Internet domains do you have?
• How many Internet hosts do you have?
• Do you want us to map your Internet presence? Otherwise, can you provide us with a detailed diagram of your Internet presence, including addresses, host OS types, and software in use on the hosts?
• What addresses are in use on both sides of the hosts if they connect to both the Internet and the internal network?
• Do you want us to review the security of your routers and hubs? If so, how many routers and hubs exist on your network?

Page 8

Create a Checklist of Testing Requirements (cont’d)

• Do you want us to perform a security review of the workstations on the network?
• What operating systems are the workstations running?
• How many workstations need to be tested?
• Our review will assess five or fewer servers of each type (NT, UNIX, and Novell); do you want us to review more than that? If so, how many of each?
• Do you want denial-of-service testing to be conducted? This testing can have adverse effects on the systems tested. We can arrange to do this test during non-production hours.
• Do you want us to perform a modem scan of your analog phone lines?
• What kind of RAS server are you using, and how many modems are used?
• Do you want us to travel to other sites to perform assessments on systems?

Page 9

Penetration Testing ‘Rules of Behavior’

Penetration ‘rules of behavior’ is a test agreement that outlines the framework for external and internal penetration testing.

Prior to testing, this agreement is signed by representatives from both the target organization and the penetration testing organization to ensure there is a common understanding of the limitations, constraints, liabilities, and indemnification considerations.

A Release and Authorization form may be required (in addition to the ‘rules of behavior’) that states that the penetration testing organization will be held harmless and not criminally liable for unintentional interruptions and loss or damage to equipment.

Page 10

Penetration Testing Risks

Penetration testing can have serious risks if not performed correctly.

Normally, companies continue to conduct business when these tests are performed.

This could impact the company if the system goes down.

Machines and systems tested could be expensive.

Page 11

Penetration Testing Risks (cont’d)

Configurations and ongoing costs are high for electronic assets like:

• Client databases.
• Proprietary codes.
• Documentation.
• Intellectual property.

Page 12

Penetration Testing by Third Parties

Reasons why organizations approach third parties for testing include:

• To find the vulnerabilities which were not found by the internal audits.
• To provide third-party assurances for the customers.
• Scarcity of skilled pen testers to perform critical tests.
• It is more cost effective than recruiting skilled penetration testers.

Page 13

Precautions While Outsourcing Penetration Testing

Check if the service provider is misusing sensitive information obtained during penetration testing.

Ensure that the service provider does not leave any vulnerabilities behind.

Check that the service provider does not pass any information to the targets.

Assure that the service provider is skilled to perform the test and reports the flaws to the management in a non-technical way.

Page 14

Legal Consequences

Proper permission in writing must be obtained before the test starts:

• A request from a company employee to perform a penetration test is not a valid request.
• If that person does not have the authorization and things go wrong, then be prepared to pay “huge” legal fees for damages.

The authorization must come from a senior director of the company and not any employee.

Legal agreements must be signed before conducting any penetration testing.

Hire a lawyer and go through the contract.

Page 15

Get Out of Jail Free Card

The “Get Out of Jail Free Card” entails a legal agreement signed by an authorized representative of the organization.

The agreement outlines the types of activities to be performed and indemnifies the tester against any loss or damage that may result from the testing.

Page 16

Permitted Items in Legal Agreement

Page 17

Confidentiality and NDA Agreements

You will also be signing an agreement that guarantees that the company’s information will be treated confidentially.

It will also provide cover for a number of other key areas, such as negligence and liability in the event of something untoward happening.

Many documents and other information regarding the pen-test contain critical information that could damage one or both parties if improperly disclosed.

Page 18

Non-Disclosure and Secrecy Agreements (NDA)

Both parties bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement.

Non-disclosure agreements should be narrowly drawn to protect sensitive information.

Specific areas to consider include:

• Ownership.
• Use of the evaluation reports.
• Results; use of the testing methodology in customer documentation.

Page 19

The Contract

The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.

The contract must clearly state the following:

• Objective of the penetration test.
• Sensitive information.
• Indemnification clause.
• Non-disclosure clause.
• Fees and project schedule.
• Confidential information.
• Reporting and responsibilities.

Page 20

Sample Penetration Testing Contract

The client understands that Internet security is a continually growing and changing field and that testing by XSECURITY does not mean that the client’s site is secure from every form of attack. There is no such thing as 100% security testing, and for example it is never possible to test for vulnerabilities in software or systems that are not known at the time of testing or the mathematically complete set of all possible inputs/outputs for each software component in use.

Page 21

Penetration Testing Contract (cont’d)

The provider shall be under no liability whatever to the buyer for any indirect loss and/or expense (including loss of profit) suffered by the buyer arising out of a breach by the provider of this contract. In the event of any breach of this contract by the provider, the remedies of the buyer shall be limited to a maximum of fees paid by the client.

Page 22

Penetration Testing Contract (cont’d)

The provider and the client have imparted and may from time to time impart to each other certain confidential information relating to each other’s business, including specific documentation. Each party agrees that it shall use such confidential information solely for the purposes of the service and that it shall not disclose directly or indirectly to any third party such information, either expressed or otherwise.

Page 23

Sample Rules of Engagement Document

Page 24

Liability Issues

A company’s legal liability can arise as a result of:

• (a) Standards and penalties imposed by federal, state, or local governments.
• (b) Breach of contractual agreements.
• (c) Other non-contractual civil wrongs (torts) ranging from fraud, invasion of privacy, and conversion to deceptive trade practices and negligence.

Federal and state statutes may impose criminal penalties as well as form the basis for private lawsuits.

Page 25

Negligence Claim

The negligence claim of liability is based in a charge that the company and its officers and directors acted “negligently”.

In law, “negligence” arises when a party owed a legal duty to another, that duty is breached, and the breach causes damages to the injured party:

• For example: A company is required to protect the customer database with reasonable measures.

Page 26

“Ignorance of the law is no excuse, and failure to keep pace with statutory requirements is a first source of liability”

Page 27

Plan for the Worst

If you sense that something will go wrong during the pen-test, then something WILL go wrong.

Nothing can completely prevent your pen-test team from liability.

Plan a crisis management and communications strategy.

Lost or compromised information can invite lawsuits and create liability despite a track record showing your pen-test team exercised a reasonable standard of care in trying to protect information.

Avoiding liability involves planning for problems.

Page 28

Drafting Contracts

The pen-test contract is the most important tool used to define and regulate the legal relationship between the penetration tester and the customer.

It protects both parties from misunderstandings and includes various agreements, such as:

• Scope of test.
• Performance Standards.
• Security and Confidentiality.
• Audit Information.
• Reporting and Cost.
• Ownership and License.
• Dispute Resolution and Indemnification.

Page 29

How Much to Charge?

Penetration testing pricing varies:

• Pricing will usually be based on the number of man-days required to fulfill the scope of the project.
• Number of client computers to be tested.
• Number of server computers to be tested.
• Different price for tests such as social engineering, competitive intelligence, stealing laptops, physical security.

Page 30

Summary

Penetration testing helps to trace the vulnerabilities and weaknesses existing in our network. It also enables the organization to identify strengths, weaknesses, threats, and defenses of its network against new exploits, which appear daily.

Penetration ‘rules of behavior’ is a test agreement that outlines the framework for external and internal penetration testing.

The “Get Out of Jail Free Card” agreement outlines the types of activities to be performed and indemnifies the tester against any loss or damage that may result from the testing.

Nondisclosure agreements (NDAs) protect an organization’s confidential information during business dealings with customers, suppliers, employees and the press.

Drafting contracts and addressing negligence claims aim to have the test performed under a mutually agreed environment, and they ensure the pen-test’s success.

Plan a crisis management and communications strategy. Lost or compromised information can invite lawsuits and create liability despite a track record showing your pen-test team exercised a reasonable standard of care in trying to protect information.
