John Strand

Five Things Every Pen Tester Should Know About Working with Lawyers

June 4, 2014

[Editor's Note: Here is a great article by John Strand about a topic that is sometimes difficult for pen testers: interacting with lawyers. But, John engages the topic in his signature fun, quirky, and highly informative way that provides practical insights into how to keep yourself safe and legal when dealing with some sticky issues in penetration testing. Nice work, John! -Ed.]

Ed absolutely loves sharing the various challenges of professional penetration testers. We have had a couple of instances here at BHIS where we have had to walk away from contracts because lawyers have gotten far too involved in some of our contracts. So, just a small bit of background before we delve into the insane antics of various wielders of legal might.

We have had a couple of contracts at BHIS where we had to move to a no bid position, effectively walking away. It is a tough place to find your company. But, as professional penetration testers, we need to be ready to move to this position if necessary.

Just remember, the single greatest negotiation tactic you can employ is being willing to walk away.

1. You can always be sued.

First and foremost, you need to understand one simple rule: you can always be sued. Please, say this to yourself before you go to bed, or tattoo it on the forehead of your first born. Our legal overlords tend to like that sort of thing, so do whatever it takes to ingrain it into everything you do.

You can always be sued. There is nothing you can ever put into a contract to prevent this from happening.

[Image caption: Who has thumbs and loves lawsuits? This guy!]

We recently started re-reviewing our indemnification clause. This was necessary because over the last few years we have tweaked it based on requests from various attorneys of our customers. This sounds awesome, right? Having multiple lawyers review your documents is like free legal advice. Yea!

But here is the deal. Have you ever had multiple English majors review a paper? They all have different gripes. They all find different things. And they are all convinced they are absolutely correct. Lawyers are almost exactly like this. They will find little words to change here and there based on whatever instructor they had in law school. And, over time, it will reduce your indemnification clause to tatters.

I often hear students of SEC504 and SEC560 ask how they can keep from being sued. It is almost as if, as a society, we somehow think we can put in a magic clause to stop all lawsuits, and there is ample evidence that this may be the case. Read through any end-user license from any large company and there are tons of examples of insane clauses that reduce a consumer's rights. But these companies have something you do not... a harem of attorneys.

[Image caption: Not a single comment I could come up with was family friendly... so here is a picture of a cat thinking. -John Strand]

However, you can reduce the risk of being sued successfully. This is paramount. Most lawyers will not push to litigate unless there is a good reason for them to believe they will win. Remember, in civil courts, the party with the preponderance of the evidence wins. Having a good indemnification clause and being very careful in your testing activities will help. What does it mean to be careful in your testing?

Glad you asked. First, stay in scope. Second, test your exploits on a lab system before launching an attack. And third, record the fact that you tested your attack.
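As an added example (not code from the original post, from BHIS, or from SANS), here is one way to turn those three practices into a gate a tester runs before every attack action: the Scope is reduced to in-scope networks, explicit exclusions and "handle with care" hosts, each exploit module must carry a recorded lab-test date, and every allow/refuse decision is appended to an evidence log. The `Scope`, `ScopeGate` and `Decision` names and all sample addresses are constructed for the example.

```python
"""Scope gate with an evidence log for a penetration test engagement.

Hypothetical helper (not from the original post). A target is attacked only if it
is inside the authorized Scope, not explicitly excluded, and the exploit module
has a recorded lab test. Every decision is logged so the tester can later show
what was attacked, what was refused, and that the exploit was tried in a lab.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Scope:
    in_scope: List[str]   # CIDRs the customer authorized in the Scope document
    excluded: List[str]   # CIDRs/hosts the Scope says are not to be tested
    fragile: List[str]    # hosts the Scope says need "extra special care"


@dataclass
class Decision:
    target: str
    module: str
    verdict: str                 # "allow", "allow-fragile" or "refuse"
    reason: str
    lab_tested_on: Optional[str]  # ISO date of the lab test, if one is recorded
    timestamp: str


@dataclass
class ScopeGate:
    scope: Scope
    lab_evidence: Dict[str, str]  # module name -> ISO date it was lab tested
    log: List[Decision] = field(default_factory=list)

    @staticmethod
    def _matches(addr: ipaddress._BaseAddress, entries: List[str]) -> bool:
        # strict=False lets a host entry such as "10.20.1.10" be treated as a /32
        return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

    def check(self, target: str, module: str) -> Decision:
        """Decide whether `module` may be run against `target`; always logs."""
        lab_date = self.lab_evidence.get(module)
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            verdict, reason = "refuse", "target is not an IP address; resolve and re-check"
        else:
            if lab_date is None:
                verdict, reason = "refuse", "no lab test recorded for this module"
            elif self._matches(addr, self.scope.excluded):
                verdict, reason = "refuse", "target explicitly excluded by Scope"
            elif not self._matches(addr, self.scope.in_scope):
                verdict, reason = "refuse", "target not in authorized Scope"
            elif self._matches(addr, self.scope.fragile):
                verdict, reason = "allow-fragile", "fragile host: coordinate per Rules of Engagement"
            else:
                verdict, reason = "allow", "in scope and module lab tested"
        decision = Decision(target, module, verdict, reason, lab_date,
                            datetime.now(timezone.utc).isoformat())
        self.log.append(decision)
        return decision

    def evidence(self) -> str:
        """Evidence log as JSON lines, ready to attach to the engagement record."""
        return "\n".join(json.dumps(asdict(d)) for d in self.log)


if __name__ == "__main__":
    # Constructed sample Scope and lab evidence, not from any real engagement.
    gate = ScopeGate(Scope(["10.20.0.0/16"], ["10.20.5.0/24"], ["10.20.1.10"]),
                     {"smb-check": "2014-06-01"})
    for tgt, mod in [("10.20.1.5", "smb-check"), ("10.20.5.7", "smb-check"),
                     ("10.20.1.10", "smb-check"), ("10.20.1.5", "new-exploit")]:
        d = gate.check(tgt, mod)
        print(f"{tgt:12} {mod:12} {d.verdict:14} {d.reason}")
    print(gate.evidence())
```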

2. How Lawyers Think About Pen Tests

Let's set the mindset for many attorneys we may be dealing with. First, they tend to be highly critical and detail-oriented. This is generally a very good trait for attorneys. Unfortunately, it is a horrible trait if an attorney has no idea what it is you are doing. This is going to be the case for a high percentage of your contracts.

As we teach in the SANS Security 560 class, there are four documents that make up a solid basis for doing a penetration test. First is the Proposal itself. Second is the Scope. The Scope details what is going to be tested, what is not to be tested, and, finally, which systems/users/services need to be treated with extra special care and love. The Rules of Engagement establish how you are to test. This document will cover points of contact, times, and notification trees for critical findings. The last one, the Permission to Test document, we will cover in a moment.

Why do we break out the Proposal/Contract, Scope and Rules of Engagement? Can't we just put them all in one doc? First, it is possible to do so, but things might get muddy. If you put everything in the contract, it has the possibility of diluting the full impact of each of these documents. Here is the problem. Many attorneys will try to ask questions like the following in the proposal:

  • What are you testing?
  • What are you not testing?
  • What are you doing to protect our systems?
  • How will you notify us of critical findings?

See, the above questions are highly important, but not all that necessary in the Proposal. To address this issue up front, put a line in your Proposal that the issues above will be addressed in the Scope and Rules of Engagement and will be handled in separate documents.

We want to clearly point out that these issues are covered in separate documents for two reasons. First, they are addressed in separate documents to bring focus and clarity to these important issues. Second, many of the items in the Scope and Rules of Engagement are sensitive and should only be shared in the event the contract and NDA are signed. It is far easier to get a contract, sign an NDA, and then address the Scope and Rules of Engagement for specific projects. Plus, the overall contract and NDA might apply to multiple different projects, each with their own scope and rules of engagement.

We have found this works with 99% of the lawyers we work with.

[Image caption: The other 1% got their degrees from Harvard]

3. There will be contract revisions

This is a reality of any contract negotiations you enter into. It is almost as if people demonstrate their value by marking up other people's documents. We have discovered this need is far stronger in lawyers.

They have to justify their existence in some fashion, just like every other human on the planet. If they simply say every contract is "OK", they will be fired quickly. Understanding this is key. Do not get angry. Do not threaten them. Simply smile, acknowledge their issues and address them. I have seen many consultants complain for hours about some small issues lawyers found in a contract. It is wise to point out to people who get into this type of pity party that if they spent the time they spend complaining about some small requested changes actually making the changes, the document would be done.

[Image caption: In short... treat them like Happy Fun Ball]

Providing affirmation to the lawyer and their contributions will also help you not just with your current contract negotiations, but also with future ones. Over the years, we have noticed that giving lawyers warm fuzzies for their changes helps bring them on your side. If you approach the contract negotiation as me vs. the attorney, it will be you vs. the attorney. You will fight. Life will be miserable. There is an old saying my grandpa said about situations like this:

"Sure, you can wrestle with a pig in the mud... but remember, the pig actually enjoys it."

Don't ask me why my grandfather was wrestling pigs in the mud.

[Image caption: What lawyers wrestling with pigs might look like]

Anyway, find a way to get the lawyer on your side. A great approach is calling the attorney, one on one, before any meetings to address their corrections. Do this before you get into a meeting. We have discovered if you give a lawyer a stage in front of others, they will use it. If you can enter the meeting with most issues addressed beforehand, they are on your side. If they attack you, they would be attacking the work they did with you prior to the meeting.

4. They will want to cut your indemnification clause

This is the big one. We recently had a contract where the lawyer wanted to strike our indemnification clause and replace it with one that stated we would be liable for all damages.

Yea-ouch!!! That should never happen. Ever.

In fact, this contract is the reason for this article. I called Ed about it to complain. And he asked if I could do a write up on it. See, this article is therapy. It is part of my path towards acceptance.

Why would an attorney want to strike an indemnification clause? Because they are doing their job. Their job is protecting their customer. And having a contract where a company is doing potentially damaging things is completely anathema to how things normally work. It is going to take some time and effort on your part to train them on what you do. This does not mean you should be condescending and talk down to them. It means you should do your absolute best to let the lawyer, and sometimes the customer, know what a penetration test actually is.

Ed has a great quote on this: "If a penetration tester promises they will not crash a system, it means they are lying to you, or they are not planning on sending any packets to your network."

However, there are times where a lawyer will not budge on the indemnification clause in the Permission to Test, which brings us to...

5. Know when to walk away

Look, lawyers are awesome. We love ours at BHIS. However, they do not run our company. We have found some companies are effectively run by their lawyers. After all, a lawyer can wield a tremendous amount of power because so few people know what they are doing.

If you find yourself at odds with an attorney, and there is no one else to talk to, you have run into a company that is run by their lawyers. Lawyers are there to advise. They should never be making final decisions. If they want you to strike the indemnification clause in the Permission to Test, it is time to walk away.

There may also be some very broad language you may run into which is unrelated to indemnification, but can be equally dangerous to your company. A contract I am working on tonight has the following gem in it.

"Company also reserves to rights to all intellectual property created by consultant related and unrelated to this contract in perpetuity."

Yea, like you are going to hand over any and all intellectual property to your customer till the end of time. We have found clauses like the one above lurking in more contracts than we care to remember.

We are becoming an industry that is growing more and more restricted by laws and regulations. There is not a whole lot we can do, other than become more versed and familiar with how to interact with lawyers.

-John Strand