Over the weekend, my IDS equipment picked up approximately 8,000 vulnerability attacks generated by a network consulting company. No actual compromise occurred. Upon further investigation, I discovered that the attacks were conducted at the request of one of my clients. I do not mind the vulnerability assessments; however, per the client contract, any vulnerability scan must be approved by me prior to the scan being conducted. This notification is needed so that security personnel do not enact standard procedures of blocking the originating address block and sending logs to the applicable ISP to have the IP address in question blocked from the Internet.
Now, I realize port scans are legal in the US. But what I am looking for is some legal precedent at the Federal level that addresses remotely initiated vulnerability/penetration scans conducted without giving the scannee prior notification. So, does anyone have any links to pertinent Federal laws or case law? Ideally I would like to generate an article for our newsletter, referencing Federal law, and hopefully reduce the frequency of these types of incidents.



