
Thread: Legality of Remote Vulnerability Scans?

  1. #1
    OverdueSpy (Senior Member) - Join Date: Nov 2002 - Posts: 556

    Legality of Remote Vulnerability Scans?

    Over the weekend, my IDS equipment picked up approximately 8,000 vulnerability attacks generated by a network consulting company. No actual compromise occurred. Upon further investigation, I discovered that the attacks were conducted at the request of one of my clients. I do not mind the vulnerability assessments; however, per the client contract any vulnerability scan must be approved by myself prior to the scan being conducted. This notification is needed so that security personnel do not enact standard procedures of blocking the originating address block and sending logs to the applicable ISP to have the IP address in question blocked from the Internet.

    Now, I realize port scans are legal in the US. But what I am looking for is some legal precedent at the Federal level that addresses remotely initiated vulnerability/penetration scans without giving the scannee prior notification. So, does anyone have any links to pertinent Federal laws or case law? Ideally I would like to generate an article in our newsletter, referencing Federal law, and hopefully reducing the frequency of these types of incidents.
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  2. #2
    To be honest I am not sure that you will find much on this; the Federal Govt. is trying to stay as neutral on this as possible, pretty much to say that they don't want to say that this is legal and this isn't. Which is one of the reasons that the Supreme Court had to make the decision on Port Scanning, which is sweet. 'Cause I can now scan the FBI, and laugh when they call my ISP. mwuahhaha

    If you do find anything though let me know, I would be interested in seeing it.

    (As a side note, check state law for whichever state you're in; states tend to deal with security issues more. At least in my reading they have.)

  3. #3
    Senior Member - Join Date: Apr 2004 - Posts: 1,130
    I think that even in the USA you can go against them if the scan causes damage on your network, such as server instability or WAN overload...
    But for lazy scans.... I don't think you can do anything.

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #4
    thehorse13 (Master-Jedi-Pimps0r & Moderator) - Join Date: Dec 2002 - Location: Washington D.C. area - Posts: 2,885
    You will not find Federal case law unless a tangible loss is associated with the act. It then becomes a crime of a different nature...

    You will have to address the issue with your current security policy. Put teeth in there that give your organization the power to terminate contracts if a contractor violates the policy. Be sure that you have your legal dept. review the policy and be sure that it provides the appropriate verbiage and bindings to make it enforceable.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    OverdueSpy (Senior Member) - Join Date: Nov 2002 - Posts: 556
    Good ideas, fellas.

    I can't restrict to one state because I have clients throughout the U.S. And no damage was done to the systems, just a major annoyance. If any information was stolen I believe that can be construed as theft, and since the data would cross state lines the issue falls into the realm of interstate traffic/theft (bank stuff). I want to put some fear into their brains before it becomes a serious issue.

    Oh well, if I find anything I'll let you guys know.

  6. #6
    Senior Member - Join Date: Oct 2001 - Posts: 748
    If you have a contract with the person who initiated the scan that states that they have to let you know first, then they have breached that contract. Your contract should state what will happen if they violate any of the terms agreed to in the contract. Best advice is to contact a lawyer, or fire the customer.

  7. #7
    King Tutorial-ankhamun - Join Date: Jul 2004 - Posts: 897
    Here is a Security Focus article on a 2000 ruling:

    http://www.securityfocus.com/news/126

    You may still be able to get them on the breach of contract.

  8. #8
    Senior Member - Join Date: Jan 2002 - Posts: 1,207
    One of your terms & conditions should be that a client of yours notifies you if their equipment is likely to be involved in any penetration testing (either way), preferably in writing and with a certain amount of notice, so that you can take this into account in your IDS log monitoring (possibly including disabling IDS for certain addresses over the time period).

    They should also make sure that any pen testing going on is happening with the knowledge and consent of all systems admins, and that they all have contact numbers for the others (i.e. sysadmins, network admins and pen testers) so that should any unintentional DoS occur, it can be rectified as quickly as possible.

    Pen testers might run exploits but it is never their intention to cause DoS, accidental or deliberate.

    I realise this is not a legal thing and you can't, from a business perspective, enforce it rigidly, but it should be at least a strong recommendation to your clients. It makes sense, after all.

    Slarty
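The notice-and-window arrangement suggested in the last post can be wired into alert triage so that the standard block-and-notify-ISP procedure from the opening post is only taken for scans nobody told you about. The following is an added example, not code from anyone in this thread; the register format, the IDS alert line layout and all addresses, times and reference numbers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class ScanAuthorization:
    """One written notice from a client that a consultant will scan them."""
    client: str
    scanner_net: str   # source block the consultant said they scan from
    start: datetime    # window start (UTC)
    end: datetime      # window end (UTC), exclusive
    notice_ref: str    # reference to the client's written notice


def _utc(s):
    """Parse an ISO-8601 timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample register; all values are hypothetical.
AUTHORIZATIONS = [
    ScanAuthorization("ExampleBank", "203.0.113.0/28",
                      _utc("2004-08-14T00:00:00Z"), _utc("2004-08-15T00:00:00Z"),
                      "NOTICE-0001"),
]


def find_authorization(src_ip, ts, register=AUTHORIZATIONS):
    """Return the authorization covering src_ip at time ts, or None."""
    addr = ip_address(src_ip)
    for auth in register:
        if addr in ip_network(auth.scanner_net) and auth.start <= ts < auth.end:
            return auth
    return None


def triage_alert(line, register=AUTHORIZATIONS):
    """Classify one constructed IDS alert line of the form
    '<iso-time> <src-ip> -> <dst-ip> <signature>'.
    Returns ('suppress', notice_ref) for a pre-approved scan and
    ('escalate', reason) for anything else, i.e. the normal block/notify path."""
    ts_str, src, _, dst, sig = line.split(maxsplit=4)
    auth = find_authorization(src, _utc(ts_str), register)
    if auth is not None:
        return ("suppress", auth.notice_ref)
    return ("escalate", f"{src} '{sig}' against {dst}: no written authorization")


def summarize(lines, register=AUTHORIZATIONS):
    """Count alerts per action so an analyst sees how much was pre-approved."""
    counts = {"suppress": 0, "escalate": 0}
    for line in lines:
        counts[triage_alert(line, register)[0]] += 1
    return counts
```

Scans from an authorized block outside the agreed window still escalate, which is the check that catches a consultant who starts early or runs over.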
