From: Paul Robertson (compuwar@gmail.com)
Date: Sun Oct 16 2005 - 08:49:36 EDT
Disclaimer: I am not a lawyer and I don't play one on the 'Net.
On 10/15/05, rob havelt <rob@cobal.org> wrote:
> Hi All,
>
> Lately I've been seeing some stuff on the legal end of Penetration
> Testing, and have had some clients ask, and I thought that it would
> be an interesting question to pose to the list.
>
> Mainly I've been seeing articles like this one:
> <http://webmail.intelligentconnections.net/exchange/rhavelt/Inbox/FW:%20Contract%20Question.EML//exchweb/bin/redir.asp?URL=http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1131713,00.html?track=NL-358%26ad=530198USCA>http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1131713,00.html?track=NL-358&ad=530198USCA
>
>
Frankly, I'm surprised Shawna wrote that without any dissenting
opinion. I've spent some time doing some research on privilege (it
seems to me to be a good shield when doing computer forensics where
generally we're working on evidence for a case or in preparation for a
case.) It doesn't seem to me that pen-testing can be construed as
such except in a very narrow set of cirucmstances. I don't know who
else Shawna talked to for the story, of if her research says something
other than mine, so I'm going to try to drag her into this discussion
via BCC- hopefully if she responds the list moderators will let it
through if she's not subscribed to the list.
> That suggest that a penetration test should be commissioned by, and
> the results delivered to an organization's legal department in such a
> way where the results of the test will be covered by attorney client
> privilege...
Nice thought, however privilege isn't blanket and generally is
extended only to things where (a) they're directly related to legal
advice or litigation and (b) the attorney is acting as counsel *not*
as a corporate officer. In this case, I'd think you'd trip both of
those exceptions rather quickly by running the contract through the
legal department.
"Hey, we need some legal advice on the vulnerability of our network"
seems to be a pretty large stretch to me. Enron would have been
difficult to catch if they'd just gotten more legal advice on their
accounting practices, trading practices and oversight, eh?
For the SDNY's take on this, see:
http://www.torys.com/publications/pdf/CM1996-1N.pdf
If you look at the citations, you'll quickly come to the conclusion
that at least in the 2nd circuit the courts would take a dim view of
such attempts to cover business process with privilege.
> The main crux of the suggestion was to insulate an organization
> against the liability of not implementing all the suggestions and
> recommendations in the report - I.E. if they were sued later the
> results of the penetration test would be available to the plaintiff
> during the discovery process under normal circumstances - the test
> was commissioned by the IT or Risk Management department, but it
> would be privilege info if it were commissioned by legal...
If shielding common business practice by routing it through the legal
department were possible, then *everything* would go through the legal
department. The courts have become increasingly wary of granting
privilige over the years, and such abuse is likely to be summarily
dealt with by the bench.
I wonder if the folks cited in the article have really done any
homework on this, or if they're simply outside counsel looking for
billable hours? Next thing someone will suggest the lawyers actually
*do* the testing.
> Has anyone faced this in their client interactions? Or done this before?
> How does setting that up look exactly?
>
> And does anyone have any thought of the effectiveness of this?
IMO, zero. Privilege is extended to communiations made in confidence
between two parties for the purpose of obtaining or providing legal
assistance to the client- I don't think pen testing meets the bar of
legal assistance. You'd also be hard-pressed to make a 5th ammendment
argument, which is the other potential bar I found in my research.
Now, each state has its own statutes, so there may be a state or two
where the statute provides some wiggle room for shielding, but overall
I think it's disingeneous to think that just having a legal department
do the contracting is going to shield the results from legal discovery
during due process. Judges sign discovery orders, and they're not all
that likely to limit the power of due process without a compelling
reason.
> To me it seems like that would be a very easy way to get an
> unfavorable report buried very quickly so that it ostensibly has no
> visibility in the organization. I've also wondered how the results
> are communicated between say, legal and the IT group or the rest of
> the organization in this case?
>
> Anyway, just something I though was interesting is all...
Frankly, if I were asked about something like this, I'd advise going
after the pen-test company first- if they recommended it, handing out
legal advice might be an issue.
If the client wants to do things that way, I'd suggest revamping your
contracts to plant defense and discovery costs firmly in their court.
Though if you're contracting with legal, expect your pre-sales legal
work to skyrocket, and contract negotiations to be a lot more
difficult, and terms not as favorable. I don't expect lawyers to hold
to generic contracts when they're one of the contracting parties.
Paul
-- www.compuwar.net ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:04 EDT