Full Version: Authorization To Hack
beardednose
For those of you who are security folks for companies, you better have explicit permission that gives you the authorization to hack your company (see example below). If you don't, you could easily end up in jail, even when you are doing your job solely on behalf of the company. {All it takes is for you to piss someone off and they'll go after you.} Several well-meaning folks have gone to jail for this very reason.

I would suggest that you approach the CIO and get him to sign something similar to the text below (best to mention it in person and tell them you'll send them a document). It's better to have your CEO's approval, but that depends on the company (ask your CIO for advice). I'd suggest getting both.

If you don't have a CIO, go to the highest IT manager in the company. But make sure that person has authority over ALL the stuff you're going to hack. My company has more than 1 division, so I got the corporate CIO to sign mine.

I would make several copies, store one in your daily planner that you carry around (very helpful when you're "caught" using PCs out on the floor), one in your files at work, one at home, and keep the original in a safety deposit box. I'd also send the document as email text (not an attachment) so that it's stored there (and backed up) and has a date on it, as well as the big cheese's name. Just print it out and sign (I would not accept an email approval, as they could argue later that they didn't send the email and that you engineered the whole thing). Best to get an email reply and then have them sign it.

The smaller the company, the higher up you should seek the approval.

As usual, I'd be interested in your comments and anything you think I left out, overdid, underdid, and katydid.

---------------------------------------------
Suggested text follows; my comments, which are not part of the document, are set off in brackets.

I would like your explicit approval to download, store, and use security evaluation and hacking tools and methods in the <company> wired and wireless enterprise networks and facilities to test and ensure the security, monitoring, and incident response of employees, users, facilities*, and the network, hosts, applications, and services.

[* "facilities" includes getting into rooms and playing with any device you can reach, including stealing keys and vehicles, and things like disabling cameras, etc. You may want to be more specific. Don't include this note in your agreement...]

These tools and methods include, but will not be limited to: firewalls, antivirus programs, port scanning, sniffers, password crackers, OS and application ID mappers, dumpster diving, impersonation, social engineering, root compromise, vulnerability scanning and compromise, and manual attacks such as password guessing and use of unsecured hosts, devices, applications, and services.

These tools and methods will always be used to test and improve the security of <company> and never for personal gain; all test, vulnerability, and hacking activities will be logged** for audit purposes and in case any questions arise as to whether an event could have been linked to these activities. All vulnerabilities found will be disclosed and only to the appropriate IT management and staff as needed to resolve the issue and track progress on improving the <company> security architecture.


[** In addition to preventing you from getting blamed for downtime that you don't cause (how can they argue, you have a log), this also allows you to prepare rollup reports on the state of your security (or insecurity, which you can use to request additional funding). But if you do cause downtime, admit it, apologize, and BE MORE CAREFUL, YOU KNUCKLEHEAD. Furthermore, logging helps me track how long it takes admins to find the accounts I created for myself: so far, the longest has been 5 months.]

I will carefully select and test all tools and methods on test machines (where possible) to avoid any disruption of service. In cases where my activities may cause a measurable risk to the targeted device, application, service, or its users, I will notify the IT unit responsible for the target in advance and work within their parameters when possible***. However, for the most part, these tools and methods will be used without advance warning since they usually do not impact the target other than consume a few CPU cycles and generate log entries.

[*** I've only done this once in the past 2 years. If you're REAL careful, you should seldom have to do it. But you can't test everything, so go after test/development boxes first. Sometimes there is no test/dev box... Even if you mess up, they will respect you if you admit it (don't wait for them to catch you, but be upfront and notify THEM). In over 5 years of hacking at work, I've only caused one issue: locked out an account. Besides, when you tell them what happened, that prevents them from getting yelled at by the business users and lets them know you're watching and attacking, so they had better do their jobs.]

In addition, please approve the securing and updating of my laptop and all my machines (collectively, "PCs") beyond standard <company> requirements and the removal of all administrative authority anyone else has to my PCs due to the sensitive nature of the data that I will capture and the tools that I will employ. At the same time, I will make my PCs available to any <company> support staff or IT management immediately upon request to facilitate the updating, license monitoring, or review of my PCs and activities.****

[**** This is only fair and gives the bigwigs and your IT admins/support folks (especially) some comfort. It also keeps YOU honest. This clause alone has helped calm many arguments and issues. And all the times that I've offered support folks the opportunity to review my PCs without me there (I'll log in as myself and walk away), they've never taken me up on it.]

I will encrypt all sensitive data on all PCs that travel outside the company perimeter.

Please let me know whether you have any other parameters that I need to adhere to or any off-limit targets, and whether I need to notify anyone else of my intentions.

This agreement will remain in effect until written notice is provided to me by the <company CIO or whomever approves this>.

<your name & title & date>

<signature(s) of bigwigs>


-------------------------------------
p.s. In the past 2 years, I have had to tell others that I have such authority about 10 times, but have never yet had to produce the document for review. Generally, I don't tell folks about it (then they sneer: why are you above the rules?) unless my activities become an issue. However, I do follow and honor all company standards when I can; this sometimes makes my work a little bit slower and harder, but it's worth all the comfort it gives the IT support staff (hey, this gal DOES try to follow the rules; she's one of us!)

One other tip: If you have key people (admins, workstation mgr, help desk mgr, etc.) in your organization that you depend on, make sure you reward them occasionally with gifts, free tickets, invites to cool events, and freebies that you get (some of this comes out of my own pocket, but it comes back to me many times over).
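The logging clause in the letter above ("how can they argue, you have a log") only holds up if the log itself cannot be quietly edited after the fact. As an added example that is not part of the original post, the following Python keeps a hash-chained activity log: each entry is bound to the one before it with SHA-256, so an edited, reordered or removed entry is detectable when the chain is verified. The host names, user name, timestamps and field names are constructed for illustration.

```python
"""Tamper-evident activity log for authorized security testing (added example).

Every entry records when, who, which target, what action and which tool, and is
chained to the previous entry's hash.  Names, hosts and times below are made up.
"""
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash of the (non-existent) entry before the first


def _entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON encoding of the body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(log: list, ts: int, actor: str, target: str,
                 action: str, tool: str, note: str = "") -> dict:
    """Append one activity record, chained to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": ts, "actor": actor, "target": target,
            "action": action, "tool": tool, "note": note, "prev": prev}
    entry = dict(body, hash=_entry_hash(prev, body))
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Walk the chain; return (True, None) or (False, index of first bad entry).

    Catches edited, reordered or removed entries anywhere except at the tail:
    the newest entries can be silently dropped unless the latest hash is also
    recorded somewhere the tester cannot change (for example in the periodic
    e-mail to the approving manager).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev") != prev or _entry_hash(prev, body) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, None


def activity_on(log: list, target: str, start_ts: int, end_ts: int) -> list:
    """Answer 'were you touching this host in this window?' from the log."""
    return [e for e in log
            if e["target"] == target and start_ts <= e["ts"] <= end_ts]


def build_demo_log() -> list:
    """Constructed sample entries (hosts, user and times are made up)."""
    log = []
    append_entry(log, 1_100_000_000, "jdoe", "10.0.5.12",
                 "port scan", "nmap -sS -p-", "dev box; team notified")
    append_entry(log, 1_100_000_900, "jdoe", "10.0.5.12",
                 "vuln scan", "nessus", "")
    append_entry(log, 1_100_003_600, "jdoe", "fileserver01",
                 "password guessing", "hydra smb",
                 "3 attempts per account, under lockout threshold")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain ok:", verify_chain(log))
    print("tip hash to put in the next e-mail to the CIO:", log[-1]["hash"])
    print("fileserver01 entries in window:",
          len(activity_on(log, "fileserver01", 1_100_003_000, 1_100_004_000)))
    tampered = [dict(e) for e in log]
    tampered[1]["note"] = "never ran this"
    print("after editing entry 1:", verify_chain(tampered))
    del tampered[1]
    print("after deleting entry 1:", verify_chain(tampered))
```

The chain is only half the story: because the last entry can always be dropped without breaking it, send the current tip hash along with each periodic status e-mail (the post already recommends e-mail as a dated, backed-up record), so a later copy of the log can be checked against a hash that was out of your hands at the time.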
packet
Fantastic! I think I'll modify this a bit and get my current boss to sign it.

One thing: "I'll log in as myself and walk away"

I don't think I ever could do that; any non-repudiation is out the window, along with the fact that it violates most security policies. I would give them admin (or root in my case) access for however long they like so they can analyze the system, but I would never allow them to be logged in as me.

--P>G>>
SilverSandStorm
To add, since many people here are black/semi-black hat.

Don't give in to temptation. Don't try something smart. Don't play power games. Don't keep secrets that you don't need to use as part of your job. You're a security auditor, do your job. The company is yours, the responsibility to protect it is yours.

Mess that one up and sooner or later the dirty secrets or unauthorized privileges you have somewhere will come back and bite you...real hard!


In other words, think like a blackhat while doing the active part of the audit (ensuring of course that you have adequate leeway, as seen in the above authorization request). When it's time to analyse the data collected and do the needful with it, go whitehat.

beardednose
QUOTE
One thing: "I'll log in as myself and walk away"

I don't think I ever could do that; any non-repudiation is out the window, along with the fact that it violates most security policies. I would give them admin (or root in my case) access for however long they like so they can analyze the system, but I would never allow them to be logged in as me.


Excellent point, packet. I'll do the same.
ladykidtwist
Nice one... Are there more examples like this? Like a standard one, or an RFP type if you're in the consultation scene? I guess there are a lot of consultants here...
exp0sed
I would change "hacking tools" to "security assessment tools" or wording to that effect. Using the word "hack" would probably scare many companies/people in positions of authority into not signing. Plus, when you call it "security assessment" it sounds like your goal is business, and not personal. Who wouldn't sign something that allows you to protect the company's network? And to be honest, I would avoid using any tense of the word "hack" unless you use it as a scare tactic to get them to sign... Such as "my goal is to prevent breaches of network security by hackers and crackers who could potentially cause millions of dollars in lost revenue" ...etc. I would also change "password crackers" to "password recovery"... again, making it sound like you are in a position to help the company.

I am sure there is more I would change but those are the only 2 I want to comment on right now.


-exp0sed
beardednose
Keep 'em coming, exp0sed. I like the last few posts you did. I'll have to go back and peek at your earlier stuff too....

QUOTE
I would change "hacking tools" to "security assesment tools" or wording to that effect.


Now that I buttered you up, here comes the axe.

Seriously, your points are well taken. The reason I used the terms "hacking" and "crackers" and such is because I do use "hack/crack" tools which some would not view as "security assessment" tools, such as trojans, keyloggers, and viruses, to name some of the more aggressive ones.

If you say "security assessment" and are "caught" using "hacking" tools, you might end up on the wrong side of the jail cell.

I insist on using whatever the attackers use; otherwise, I'm at a disadvantage, and so is my company. Having said that, there's some stuff I stay away from, simply because it can't be trusted, I don't fully understand what it does, and I don't want to crash systems. (Besides, it's much more fun to demonstrate a problem when no one has seen you come and go previously and had no idea you were poking.)

Let me know what else you think.....

And for the rest of you....challenging a viewpoint or sharing an alternate view only helps to enhance the original material and the inner thoughts the author had when the info was originated. If you do it respectfully, that is.

Cheers!
Invision Power Board © 2001-2005 Invision Power Services, Inc.