[Editor's Note: Here is a great article by John Strand about a topic that is sometimes difficult for pen testers: interacting with lawyers. But, John engages the topic in his signature fun, quirky, and highly informative way that provides practical insights into how to keep yourself safe and legal when dealing with some sticky issues in penetration testing. Nice work, John! -Ed.]
Ed absolutely loves sharing the various challenges of professional penetration testers. We have had a couple of instances here at BHIS where we have had to walk away from contracts because lawyers have gotten far too involved in some of our contracts. So, just a small bit of background before we delve into the insane antics of various wielders of legal might.
We have had a couple of contracts at BHIS where we had to move to a no bid position, effectively walking away. It is a tough place to find your company. But, as professional penetration testers, we need to be ready to move to this position if necessary.
Just remember, the single greatest negotiation tactic you can employ is being willing to walk away.
1. You can always be sued.
First and foremost, you need to understand one simple rule: you can always be sued. Please, say this to yourself before you go to bed or tattoo it on the forehead of your first born. Our legal overlords tend to like that sort of thing so do whatever it takes to engrain it into everything you do.
You can always be sued. There is nothing you can ever put into a contract to prevent this from happening.
We recently started re-reviewing our indemnification clause. This was necessary because over the last few years we have tweaked it based on requests from various attorneys of our customers. This sounds awesome, right? Having multiple lawyers review your documents is like free legal advice. Yea!
But here is the deal. Have you ever had multiple English majors review a paper? They all have different gripes. They all find different things. And they are all convinced they are absolutely correct. Lawyers are almost exactly like this. They will find little words to change here and there based on whatever instructor they had in law school. And, over time, it will reduce your indemnification clause to tatters.
I often hear students of SEC504 and SEC560 ask how they can keep from being sued. It is almost as if as a society, we somehow think we can put in a magic clause to stop all lawsuits and there is ample evidence that this may be the case. Read through any end-user license from any large company and there are tons of examples of insane clauses that reduce a consumer's rights. But, these companies have something you do not...a harem of attorneys.
However, you can reduce the risk of being sued successfully. This is paramount. Most lawyers will not push to litigate unless there is a good reason for them to believe they will win. Remember, in civil courts, the party with the preponderance of the evidence wins. Having a good indemnification clause and being very careful in your testing activities will help. What does it mean to be careful in your testing?
Glad you asked. First, it is staying in scope. Second, testing your exploits on a lab system before launching an attack. And third, recording the fact you tested your attack.
2. How Lawyers Think About Pen Tests
Let's set the mindset for many attorneys we may be dealing with. First, they tend to be highly critical and detail-oriented. This is generally a very good trait for attorneys. Unfortunately, it is a horrible trait if an attorney has no idea what it is you are doing. This is going to be the case for a high percentage of your contracts.
As we teach in the SANS Security 560 class, there are four documents that make up a solid basis for doing a penetration test. First is the Proposal itself. Second, is the Scope. The Scope details what is going to be tested, what is not to be tested, and, finally, which system/users/services need to be treated with extra special care and love. The Rules of Engagement establish how you are to test. This document will cover points of contact, times, and notification trees for critical findings. The last one, the Permission to Test document, we will cover in a moment.
Why do we break out the Proposal/Contract, Scope and Rules of Engagement? Can't we just put them all in one doc? First, it is possible to do so, but things might get muddy. If you put everything in the contract, it has the possibility of diluting the full impact of each of these documents. Here is the problem. Many attorneys will try to ask questions like the following in the proposal:
- What are you testing?
- What are you not testing?
- What are you doing to protect our systems?
- How will you notify us of critical findings?
See, the above questions are highly important, but not all that necessary in the Proposal. To address this issue up front, put a line in your Proposal that the issues above will be addressed in the Scope and Rules of Engagement and will be handled in separate documents.
We want to clearly point out that these issues are covered in separate documents for two reasons. First, they are addressed in separate documents to bring the focus and clarity to these important issues. Second, many of the items in the Scope and Rules of Engagement are sensitive and should only be shared in the event the contract and NDA is signed. It is far easier to get a contract, sign an NDA, then address the Scope and Rules of Engagement for specific projects. Plus, the overall contract and NDA might apply to multiple different projects, each with their own scope and rules of engagement.
We have found this works with 99% of the lawyers we work with.
3. There will be contract revisions
This is a reality of any contract negations you enter into. It is almost as if people demonstrate their value by marking up other people's documents. We have discovered this need is far stronger in lawyers.
They have to justify their existence in some fashion, just as every other human on the planet. If they simply say every contract is "OK", they will be fired quickly. Understanding this is key. Do not get angry. Do not threaten them. Simply smile, acknowledge their issues and address them. I have seen many consultants complain for hours about some small issues lawyers found in a contract. It is wise to point out to people who get into this type of pity party that if they spent the time complaining about some small requested changes as actually making the changes, the document would be done.
Providing affirmation to the lawyer and their contributions will also help you with not just your current contract negotiations, but also on future contract negotiations. Over the years, we have noticed that giving lawyers warm fuzzies for their changes helps bring them on your side. If you approach the contract negotiation as me vs. the attorney, it will be you vs. the attorney. You will fight. Life will be miserable. There is an old saying my grandpa said about situations like this:
"Sure, you can wrestle with a pig in the mud... but remember, the pig actually enjoys it."
Don't ask me why my grandfather was wrestling pigs in the mud.
Anyway, find a way to get the lawyer on your side. A great approach is calling the attorney, one on one, before any meetings to address their corrections. Do this before you get into a meeting. We have discovered if you give a lawyer a stage in front of others, they will use it. If you can enter the meeting with most issues addressed beforehand, they are on your side. If they attack you, they would be attacking the work they did with you prior to the meeting.
4. They will want to cut your indemnification clause
This is the big one. We recently had a contract where the lawyer wanted to strike our indemnification clause and replace it with one that stated we would be liable for all damages.
Yea-ouch!!! That should never happen. Ever.
In fact, this contract is the reason for this article. I called Ed about it to complain. And he asked if I could do a write up on it. See, this article is therapy. It is part of my path towards acceptance.
Why would an attorney want to strike an indemnification clause? Because they are doing their job. Their job is protecting their customer. And having a contract where a company is doing potentially damaging things is completely anathema to how things normally work. It is going to take some time and effort on your part to train them on what you do. This does not mean you should be condescending and talk down to them. It means you should do your absolute best to let the lawyer, and sometimes the customer know what a penetration test actually is.
Ed has a great quote on this: "If a penetration tester promises they will not crash a system, it means they are lying to you, or they are not planning on sending any packets to your network."
However, there are times where a lawyer will not budge on the indemnification clause in the Permission to Test which brings us to...
5. Know when to walk away
Look, lawyers are awesome. We love ours at BHIS. However, they do not run our company. We have found some companies are effectively run by their lawyers. After all, a lawyer can wield a tremendous amount of power because so few people know what they are doing.
If you find yourself at odds with an attorney, and there is no one else to talk to, you have run into a company that is run by their lawyers. Lawyers are there to advise. They should never be making final decisions. If they want you to strike the indemnification clause in the Permission to Test, it is time to walk away.
There may also be some very broad language you may run into which is unrelated to indemnification, but can be equally dangerous to your company. A contract I am working on tonight has the following gem in it.
"Company also reserves to rights to all intellectual property created by consultant related and unrelated to this contract in perpetuity."
Yea, like you are going to hand over any and all intellectual property to your customer till the end of time. We have found clauses like the one above lurking in more contracts than we care to remember.
We are becoming an industry that is growing more and more restricted by laws and regulation. There is not a whole lot we can do, other than become more versed and familiar with how to interact with lawyers.