Bad Raps for Non-Hacks
Mark Rasch, 2003-06-16

A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.

the girl next door 2003-06-16
Kees Huyser
Bad Raps for Non-Hacks 2003-06-16
blacklight
I have two years' worth of experience with penetration testing and vulnerability assessments for a company doing just that until it went out of business, and I fully concur with Mr. Rasch's advice: CYA!

There are several solid business reasons why:

(1) Doing unauthorized scans of systems makes as much business sense for a security professional as killing for free does for a hitman or offering sex for free does for a prostitute: services are provided for paying customers only! Why should you give away something that you want to be paid for?

(2) Getting the permission of EVERYBODY involved, from the customer to the customer's ISP to one's own ISP, is critical to the customer's understanding that the business is legitimate. The dividing line between crackers and legitimate security professionals is that the legitimate security professionals in question do make sure to get all appropriate permissions from all relevant parties - and proactively, please!

(3) I can't think of any reason why legitimate security professionals should trumpet their customers' systems' vulnerabilities. The security business is built on trust, and there can't be any trust if the customers cannot have an expectation of full confidentiality.

(4) The Federal, State and local laws in place create a very dangerous context for benevolent cracking as a volunteer activity. My unsentimental attitude is to let those who don't secure their systems fend for themselves; they are adults and they should not be denied the opportunity to pay for their own shortcomings. After all, we let speeding drunk drivers wrap their vehicles around poles every day.

Getting dragged into court by wild horses for whatever reason is at best a reaffirmation of the maxim that no good deed remains unpunished, and at worst creates a perception on the part of potential customers that you have some issues regarding business judgment and general maturity.

(5) Make all agreements with customers in writing. You don't want to get into a situation where you and the customer agreed to do something verbally, and he turns on you and denies everything, including his date of birth and country of citizenship, when things go wrong.

(6) Log everything you do, so that you can prove you did not have anything to do with this or that server crash when accusations start to fly.

In conclusion, CYA is a self-service job. If you implicitly trust anyone else to take care of you and do the CYA for you, then you should not be in this business: you would be a danger to your employer, your colleagues and yourself!

Pen-testing own (hosted) domain 2003-06-17
Andy (1 replies)
Pen-testing own (hosted) domain 2003-06-18
Anonymous
Bad Raps for Non-Hacks 2003-06-17
Anonymous (3 replies)
Inadvertent Straying While Pen Testing 2003-06-17
Mark Rasch (1 replies)
Bad Raps for Non-Hacks 2003-06-19
blacklight
Bad Raps for Non-Hacks 2003-06-19
Elc0chin0 (1 replies)
Bad Raps for Non-Hacks 2003-06-23
Ferg (1 replies)
Bad Raps for Non-Hacks 2003-06-24
blacklight
Bad Raps for Non-Hacks 2003-06-18
Elc0chin0
Bad Raps for Non-Hacks 2003-06-20
Hamster1
Copyright 2009, SecurityFocus