
ECSA/LPT

EC-Council

Module XII: Customers and Legal Agreements

Module Objective
This module deals with the various legal agreements involved in penetration testing. It also defines the need for penetration testing, the stages of penetration testing, and the customer requirements. It also focuses on the rules of behavior and the risks associated with penetration testing.

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Module Flow
Why do Organizations Need Pen-Testing?
Initial Stages in Penetration Testing
Create a Checklist of Testing Requirements
Confidentiality and NDA Agreements
Penetration Testing by Third Parties
Penetration Testing Rules of Behavior
Penetration Testing Contract
Liability Issues
Drafting Contracts

Why do Organizations Need Pen-Testing?
Organizations need an outside party to try to break in (perform a penetration test) to prove how good their defenses actually are.
There is an internal, bureaucratic need to prove to others in the company how insecure its systems are.
Legal or regulatory requirements, such as those under HIPAA, make it necessary to conduct a pen-test.

Initial Stages in Penetration Testing
1. Identify customer requirements.
2. Create a checklist of the pen-test services that will be provided.
3. Draft the legal agreement.
4. Both parties agree and sign.

Understand Customer Requirements
Identify what needs to be tested:
Servers
Workstations
Routers
Firewalls
Networking devices
Cabling
Databases
Applications
Physical security

Create a checklist of testing requirements.
Identify the time frame and the testing hours.
Identify who will be involved in the reporting and document delivery.

Create a Checklist of Testing Requirements
Do you have any security-related policies and standards? If so, do you want us to review them?
Do you want us to perform a review of the physical security of your servers and network infrastructure?
How many Internet domains do you have?
How many Internet hosts do you have?
Do you want us to map your Internet presence? Otherwise, can you provide us with a detailed diagram of your Internet presence, including addresses, host OS types, and the software in use on the hosts?
What addresses are in use on both sides of hosts that connect to both the Internet and the internal network?
Do you want us to review the security of your routers and hubs? If so, how many routers and hubs exist on your network?

Create a Checklist of Testing Requirements (contd)
Do you want us to perform a security review of the workstations on the network?
What operating systems are the workstations running?
How many workstations need to be tested?
Our review will assess five or fewer servers of each type (NT, UNIX, and Novell); do you want us to review more than that? If so, how many of each?
Do you want denial-of-service testing to be conducted? This testing can have adverse effects on the systems tested. We can arrange to do this test during nonproduction hours.
Do you want us to perform a modem scan of your analog phone lines?
What kind of RAS server are you using, and how many modems are used?
Do you want us to travel to other sites to perform assessments on systems?

Penetration Testing Rules of Behavior
The penetration testing rules of behavior document is a test agreement that outlines the framework for external and internal penetration testing.
Prior to testing, this agreement is signed by representatives of both the target organization and the penetration testing organization, to ensure there is a common understanding of the limitations, constraints, liabilities, and indemnification considerations.
A Release and Authorization form may be required (in addition to the rules of behavior) stating that the penetration testing organization will be held harmless and not held criminally liable for unintentional interruptions and for loss of or damage to equipment. Note that the form's real protection is the documented, prior consent of the system owner; a contract cannot by itself waive criminal statutes, so the signatory must be someone with authority over the systems named in it.
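The scoping questions in the checklist (authorized address ranges, hosts to be tested, testing hours, whether denial-of-service testing is permitted and when) and the rules of behavior only protect either party if the testing team actually checks every target against them before a tool is run. The following pre-flight scope check is an added example written for this edit; it is not code from the EC-Council module. The Scope class, the address ranges, the carved-out host and the testing windows it uses are constructed sample values standing in for what a real signed rules-of-behavior document would list.

```python
"""Pre-flight scope check: refuse any target the signed agreement does not cover.

Added example (not from the EC-Council module). Ranges, hosts and windows are
constructed sample values standing in for a real rules-of-behavior document.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Scope:
    in_scope: List[str]                                  # CIDR ranges authorised in the agreement
    excluded: List[str] = field(default_factory=list)    # hosts carved out of those ranges
    window: Tuple[time, time] = (time(0, 0), time(23, 59))  # agreed testing hours
    dos_allowed: bool = False                            # DoS testing only when explicitly agreed
    dos_window: Optional[Tuple[time, time]] = None       # nonproduction hours for DoS tests


def in_window(now: time, window: Tuple[time, time]) -> bool:
    """True if `now` lies inside the window; a window such as 22:00-06:00 wraps midnight."""
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def check_target(scope: Scope, target: str, when: datetime, dos: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for one target and one action at time `when`.

    Exclusions are checked before inclusions so a carved-out host inside an
    authorised range is still refused. Hostnames are rejected on purpose: the
    agreement lists addresses, and a name may resolve to something outside them.
    """
    try:
        addr = ip_address(target)
    except ValueError:
        return False, f"{target}: not an IP address; resolve it and check the address"
    if any(addr in ip_network(net) for net in scope.excluded):
        return False, f"{target}: explicitly excluded by the agreement"
    if not any(addr in ip_network(net) for net in scope.in_scope):
        return False, f"{target}: outside the authorised ranges"
    if not in_window(when.time(), scope.window):
        return False, f"{target}: outside agreed testing hours ({when:%H:%M})"
    if dos:
        if not scope.dos_allowed:
            return False, f"{target}: denial-of-service testing not authorised"
        if scope.dos_window is None or not in_window(when.time(), scope.dos_window):
            return False, f"{target}: DoS tests only during agreed nonproduction hours"
    return True, f"{target}: permitted"


def check_plan(scope: Scope, plan: List[Tuple[str, bool]], when: datetime) -> Tuple[List[str], List[str]]:
    """Split a planned list of (target, is_dos_test) into permitted and refused reasons."""
    permitted, refused = [], []
    for target, dos in plan:
        ok, reason = check_target(scope, target, when, dos)
        (permitted if ok else refused).append(reason)
    return permitted, refused


# Constructed sample scope: two authorised ranges, one production host carved
# out, testing 22:00-06:00, DoS tests only between 01:00 and 04:00.
SAMPLE_SCOPE = Scope(
    in_scope=["203.0.113.0/24", "10.10.0.0/16"],
    excluded=["10.10.5.10/32"],
    window=(time(22, 0), time(6, 0)),
    dos_allowed=True,
    dos_window=(time(1, 0), time(4, 0)),
)

# Constructed sample test plan: (target, is_dos_test).
SAMPLE_PLAN = [
    ("203.0.113.7", False),       # in range, normal test
    ("10.10.5.10", False),        # carved-out production host
    ("198.51.100.1", False),      # never authorised
    ("203.0.113.7", True),        # DoS test: only permitted inside the DoS window
    ("www.example.com", False),   # hostname, refused until resolved to an address
]

if __name__ == "__main__":
    permitted, refused = check_plan(SAMPLE_SCOPE, SAMPLE_PLAN, datetime(2024, 1, 1, 23, 0))
    for line in permitted:
        print("GO   ", line)
    for line in refused:
        print("STOP ", line)
```

Run at 23:00 against the sample plan, only the first target is permitted; the DoS test against the same host is refused because 23:00 is outside the agreed 01:00-04:00 nonproduction window. The check is deliberately conservative: anything not an IP literal is refused rather than resolved, because the authorization covers addresses, and a name that resolves to a host outside the listed ranges is exactly the situation the rules of behavior exist to prevent.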

Penetration Testing Risks
Penetration testing can carry serious risks if it is not performed correctly.
Normally, companies continue to conduct business while these tests are performed, so an outage caused by the test directly affects the company.
The machines and systems being tested can be expensive.

Penetration Testing Risks (contd)
Configuration and ongoing costs are high for electronic assets such as:
Client databases.
Proprietary code.
Documentation.
Intellectual property.

Penetration Testing by Third Parties
Reasons why organizations approach third parties for testing include:
To find the vulnerabilities that were not found by internal audits.
To provide third-party assurance for their customers.
Scarcity of skilled pen testers to perform critical tests.
It is more cost-effective than recruiting skilled penetration testers.

Precautions While Outsourcing Penetration Testing
Check that the service provider is not misusing sensitive information obtained during the penetration test.
Ensure that the service provider does not leave any vulnerabilities behind (test accounts, backdoors, or tools installed on target systems).
Check that the service provider does not pass information about the target on to other parties.
Ensure that the service provider is skilled enough to perform the test and reports the flaws to management in non-technical terms.

Legal Consequences
Proper permission in writing must be obtained before the test starts:
A request from a company employee to perform a penetration test is not, by itself, a valid authorization.
If that person does not have the authority to grant it and things go wrong, be prepared to pay huge legal fees and damages.
The authorization must come from a senior director of the company, someone with authority over the systems being tested, and not from just any employee.
Legal agreements must be signed before any penetration testing is conducted.
Hire a lawyer and go through the contract.

Get Out of Jail Free Card
The "Get Out of Jail Free Card" is a legal agreement signed by an authorized representative of the organization.
The agreement outlines the types of activities to be performed and indemnifies the tester against any loss or damage that may result from the testing.
Testers should keep a copy, together with the name and phone number of a customer contact who can confirm the authorization, on hand throughout the engagement, especially for on-site or physical testing.

Permitted Items in Legal Agreement

Confidentiality and NDA Agreements
You will also be signing an agreement that guarantees that the company's information will be treated confidentially.
It will also provide cover for a number of other key areas, such as negligence and liability in the event of something untoward happening.
Many documents and other information regarding the pen-test contain critical information that could damage one or both parties if improperly disclosed.

Non-Disclosure and Secrecy Agreements (NDA)
Both parties bear responsibility to protect tools, techniques, vulnerabilities, and information from disclosure beyond the terms specified by a written agreement.
Non-disclosure agreements should be narrowly drawn to protect sensitive information.
Specific areas to consider include:
Ownership.
Use of the evaluation reports.
Results; use of the testing methodology in customer documentation.

The Contract
The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
The contract must clearly state the following:
Objective of the penetration test.
Sensitive information.
Indemnification clause.
Non-disclosure clause.
Fees and project schedule.
Confidential information.
Reporting and responsibilities.

Sample Penetration Testing Contract

The client understands that Internet security is a continually growing and changing field and that testing by XSECURITY does not mean that the client's site is secure from every form of attack. There is no such thing as 100% security testing, and for example it is never possible to test for vulnerabilities in software or systems that are not known at the time of testing or the mathematically complete set of all possible inputs/outputs for each software component in use.

Penetration Testing Contract (contd)

The provider shall be under no liability whatever to the buyer for any indirect loss and/or expense (including loss of profit) suffered by the buyer arising out of a breach by the provider of this contract. In the event of any breach of this contract by the provider the remedies of the buyer shall be limited to a maximum of fees paid by the client.

Penetration Testing Contract (contd)

The provider and the client have imparted and may from time to time impart to each other certain confidential information relating to each other's business including specific documentation. Each party agrees that it shall use such confidential information solely for the purposes of the service and that it shall not disclose directly or indirectly to any third party such information either expressed or otherwise.

Sample Rules of Engagement Document

Liability Issues
A company's legal liability can arise as a result of:
(a) Standards and penalties imposed by federal, state, or local governments.
(b) Breach of contractual agreements.
(c) Other non-contractual civil wrongs (torts), ranging from fraud, invasion of privacy, and conversion to deceptive trade practices and negligence.
Federal and state statutes may impose criminal penalties as well as form the basis for private lawsuits.

Negligence Claim
A negligence claim is based on a charge that the company and its officers and directors acted negligently.
In law, negligence arises when a party owed a legal duty to another, that duty was breached, and the breach caused damages to the injured party.
For example: a company is required to protect its customer database with reasonable measures.

Ignorance of the law is no excuse, and failure to keep pace with statutory requirements is a first source of liability.

Plan for the Worst
If you sense that something will go wrong during the pen-test, then something WILL go wrong.
Nothing can completely shield your pen-test team from liability.
Plan a crisis management and communications strategy.
Lost or compromised information can invite lawsuits and create liability despite a track record showing that your pen-test team exercised a reasonable standard of care in trying to protect information.
Avoiding liability involves planning for problems.

Drafting Contracts
The pen-test contract is the most important tool used to define and regulate the legal relationship between the penetration tester and the customer.
It protects both parties from misunderstandings and includes various agreements, such as:
Scope of test.
Performance standards.
Security and confidentiality.
Audit information.
Reporting and cost.
Ownership and license.
Dispute resolution and indemnification.

How Much to Charge?
Penetration testing pricing varies:
Pricing will usually be based on the number of man-days required to fulfill the scope of the project.
Number of client computers to be tested.
Number of server computers to be tested.
Different prices for tests such as social engineering, competitive intelligence, stealing laptops, and physical security.

Summary
Penetration testing helps to trace the vulnerabilities and weaknesses existing in a network. It also identifies the strengths, weaknesses, threats, and defenses of the organization's network against new exploits, which appear daily.
The penetration testing rules of behavior document is a test agreement that outlines the framework for external and internal penetration testing.
The Get Out of Jail Free Card agreement outlines the types of activities to be performed and indemnifies the tester against any loss or damage that may result from the testing.
Non-disclosure agreements (NDAs) protect an organization's confidential information during business dealings with customers, suppliers, employees, and the press.
Careful contract drafting and awareness of negligence claims ensure the test is performed in a mutually agreed environment and contribute to the pen-test's success.
Plan a crisis management and communications strategy. Lost or compromised information can invite lawsuits and create liability despite a track record showing that your pen-test team exercised a reasonable standard of care in trying to protect information.
