EC-Council
Module XII
Customers and Legal Agreements
Module Objective
This module will deal with the various legal agreements of penetration testing.
It also defines the need for penetration testing, the stages of penetration testing, and the customer requirements.
It also focuses on the rules of behavior and the risks associated with penetration testing.
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Why do Organizations Need Pen-Testing?
Initial Stages in Penetration Testing
Create a Checklist of Testing Requirements
Confidentiality and NDA Agreements
Penetration Testing by Third Parties
Penetration Testing Rules of Behavior
Penetration Testing Contract
Liability Issues
Drafting Contracts
Checklist of Pen-Test Services that will be Provided
Understand Customer Requirements
Identify what needs to be tested:
Servers
Workstations
Routers
Firewalls
Networking devices
Cabling
Databases
Applications
Physical security
Penetration Testing Rules of Behavior
Penetration testing rules of behavior are a test agreement that outlines the framework for external and internal penetration testing.
Client databases.
Proprietary codes.
Documentation.
Intellectual property.
Ensure that the service provider does not leave any vulnerabilities behind after the test.
Check that the service provider does not pass any information to the targets.
Assure that the service provider is skilled enough to perform the test and reports the flaws to management in a non-technical way.
Legal Consequences
Proper permission in writing must be obtained before the test starts:
A request from a company employee to perform a penetration test is not a valid request.
If that person does not have the authorization and things go wrong, then be prepared to pay huge legal fees for damages.
The Contract
The penetration testing contract must be drafted by a lawyer and signed by the penetration tester and the company.
The contract must clearly state the following:
Liability Issues
A company's legal liability can arise as a result of:
(a) Standards and penalties imposed by federal, state, or local governments.
(b) Breach of contractual agreements.
(c) Other non-contractual civil wrongs (torts), ranging from fraud, invasion of privacy, and conversion to deceptive trade practices and negligence.
Federal and state statutes may impose criminal penalties as well as form the basis for private lawsuits.
Negligence Claim
The negligence claim of liability is based on a charge that the company and its officers and directors acted negligently.
In law, negligence arises when a party owed a legal duty to another, that duty is breached, and the breach causes damages to the injured party.
For example, a company is required to protect the customer database with reasonable measures.
Drafting Contracts
The pen-test contract is the most important tool used to define and
regulate the legal relationship between the penetration tester and the
customer.
It protects both parties from
misunderstandings and includes various
agreements, such as:
Summary
Penetration testing helps to trace the vulnerabilities and weaknesses existing in our network. It also helps to identify the strengths, weaknesses, threats, and defenses of the organization's network against new exploits, which appear daily.
Penetration testing rules of behavior are a test agreement that outlines the framework for external and internal penetration testing.
The Get Out of Jail Free Card agreement outlines the types of activities to be performed and indemnifies the tester against any loss or damage that may result from the testing.
Nondisclosure agreements (NDAs) protect an organization's confidential information during business dealings with customers, suppliers, employees, and the press.
Drafting contracts and negligence claims are aimed at performing the test in a mutually agreed environment, and they ensure the pen-test's success.
Plan a crisis management and communications strategy. Lost or compromised information can invite lawsuits and create liability despite a track record showing that your pen-test team exercised a reasonable standard of care in trying to protect information.