• No results found

Ethical Hacking Agreement for External Network Security Unannounced Penetration Test

N/A
N/A
Protected

Academic year: 2021

Share "Ethical Hacking Agreement for External Network Security Unannounced Penetration Test"

Copied!
6
0
0

Loading.... (view fulltext now)

Full text

(1)

Ethical Hacking Agreement for External Network Security – Unannounced Penetration Test

Agreement made on the __________________(date), between

_______________________(Name of Consultant) of _________________________ _______________________________________________ (street address, city, state, zip code), referred to herein as Consultant, and __________________________ (Name of Company), a Company organized and existing under the laws of the state of __________________, with its principal office located at ________________________ ________________________________________________ (street address, city, state, zip code), referred to herein as Company.

Whereas, Consultant is in the computer security business performing unannounced penetration tests to test the security systems of companies; and

Whereas, Company is in the business of ______________________ (type of business), and in the conduct of such business desires to contract for the services of Consultant; and

Whereas, Consultant agrees to perform these services for Company under the terms and conditions set forth in this Agreement.

1. Services to be Performed and Price. The Consultant agrees to perform services in accordance with the attached Appendix A for $ _____________, per hour, payable as follows: (terms of payment) ____________________________________. As a part of Consultant's services, Consultant shall suggest to employees of the

Company, selected by the Company, his findings concerning the security of Company’s computer system and make suggestions on how to improve said security.

2. Place of Performance of Agreement

It is understood that Consultant's services will be rendered principally at

______________________________________________________________________ (street address, city, state, zip code), but Consultant will, on request, come to the such other places as designated by the Company, to meet with representatives of the Company.

3. Hours of Work

In the performance of the services, the services and the hours Consultant is to work on any given day will be entirely within Consultant's control and

Company will rely upon Consultant to put in such number of hours as is reasonably necessary to fulfill the spirit and purpose of this Agreement. This arrangement will probably take about _________________ (length of time). 4. Status of Consultant

(2)

This Agreement calls for the performance of the services of Consultant as an independent contractor and Consultant will not be considered an employee of the Company for any purpose.

5. Subcontracts. Contractor will not subcontract parts or the whole of this contract without obtaining the Company’s consent. If a subcontractor is permitted to execute part or all of this Agreement, the Contractor will continue to he held responsible for all provisions of the Agreement.

6. No Waiver

The failure of either party to this Agreement to insist upon the performance of any of the terms and conditions of this Agreement, or the waiver of any breach of any of the terms and conditions of this Agreement, shall not be construed as subsequently waiving any such terms and conditions, but the same shall continue and remain in full force and effect as if no such forbearance or waiver had occurred.

7. Governing Law

This Agreement shall be governed by, construed, and enforced in accordance with the laws of the State of _______________.

8. Notices

Any notice provided for or concerning this Agreement shall be in writing and shall be deemed sufficiently given when sent by certified or registered mail if sent to the respective address of each party as set forth at the beginning of this Agreement. 9. Attorney’s Fees

In the event that any lawsuit is filed in relation to this Agreement, the

unsuccessful party in the action shall pay to the successful party, in addition to all the sums that either party may be called on to pay, a reasonable sum for the successful party's attorney fees.

10. Mandatory Arbitration

Any dispute under this Agreement shall be required to be resolved by binding arbitration of the parties hereto. If the parties cannot agree on an arbitrator, each party shall select one arbitrator and both arbitrators shall then select a third. The third

arbitrator so selected shall arbitrate said dispute. The arbitration shall be governed by the rules of the American Arbitration Association then in force and effect.

11. Entire Agreement

This Agreement shall constitute the entire agreement between the parties and any prior understanding or representation of any kind preceding the date of this Agreement shall not be binding upon either party except to the extent incorporated in this Agreement.

(3)

Any modification of this Agreement or additional obligation assumed by either party in connection with this Agreement shall be binding only if placed in writing and signed by each party or an authorized representative of each party.

13. Assignment of Rights

The rights of each party under this Agreement are personal to that party and may not be assigned or transferred to any other person, firm, corporation, or other entity without the prior, express, and written consent of the other party.

14. In this Agreement, any reference to a party includes that party's heirs, executors, administrators, successors and assigns, singular includes plural and masculine includes feminine.

WITNESS our signatures as of the day and date first above stated. ____________________________ (Name of Company)

________________________ By:________________________________ (Printed name) ____________________________

________________________ (Printed name & Office in Corporation) (Signature of Consultant) ____________________________

(Signature of Officer) APPENDIX A

Facilities: _____________________________________

Objective: To provide an assessment of the external security profile of the networked computer systems (the Systems) of the Company and intrusion detection capabilities. Scenario: Testing will consist of four phases, during which various tools and techniques will be used to gain information and identify vulnerabilities associated with the Systems and subsequent attempts to penetrate the network. These phases, discussed in detail below are: network mapping; vulnerability identification; exploitation; and reporting. Network Mapping: Consultant will obtain much of the required information regarding the Systems’ network profile, such as IP address ranges, telephone number ranges, and other general network topology through public information sources, such as Internet registration services, web pages, and telephone directories. More detailed information about the site’s network architecture will be obtained through the use of domain name server (DNS) queries, ping sweeps, port scans, and connection route tracing. Informal inquiries, not linked to Independent Oversight, may also be attempted to gather

(4)

resources. Once this general network information is compiled and analyzed, Consultant will begin identification of individual system vulnerabilities.

Vulnerability Identification

During this phase, Consultant will attempt to associate operating systems and applications with identified computers on the network. Depending upon System’s architecture, this may be accomplished using automated tools, such as nmap and queso, or using manual techniques, such as telnet, ftp, or sendmail login banners. Using this information, Consultant will create a list of probable vulnerabilities associated with each potential target system. Also, at this point, automated scripts will be

developed or compiled to attempt exploitation of vulnerabilities. Exploitation

During this phase, system and user information will be used to attack the

authentication processes of the target systems. Example attack scenarios in this phase include, but are not limited to: buffer overflows, application or system configuration problems, modems, routing issues, DNS attacks, address spoofing, share access and exploitation of inherent system trust relationships. Potential vulnerabilities will be systematically tested in the order of penetration and detection probability as determined by the members of the Consultant’s

penetration testing team. The strength of captured password files will be tested using password-cracking tools. Individual user account passwords may also be tested using dictionary-based, automated login scripts. In the event that an

account is compromised, Consultant will attempt to elevate privileges to that of super user, root, or administrator level.

Since the goal of Consultant’s testing is to determine the extent of vulnerabilities, and not simply penetrate a single site system, information discovered on one system may be used to gain access to additional systems that may be "trusted" by the compromised system. Additionally, host-level vulnerabilities may be exploited to elevate privileges within the compromised system to install "sniffers" or other utilities. Consultant will insert a small text file at the highest level directory of each compromised system. In those cases where Consultant is unable to gain sufficient privilege to write to the system, a file will be copied from the system. In either case, additional files may be copied during testing if further review is required to determine sensitivity of information contained on the System.

Consultant will maintain detailed records of all attempts to exploit vulnerabilities and activities conducted during the attack phase.

Reporting

Consultant will provide an on-site briefing of results. These results will also be documented in a management level report provided to Company that will cover the unannounced penetration testing. Specific details on vulnerabilities will also be provided to site technical personnel.

(5)

Special Considerations:

Consultant will coordinate testing activities with a "trusted agent" in each department listed on the performance test agreement as appropriate. Company should identify an individual to be designated as a trusted agent in each department. All personnel who are informed of the testing will maintain strict confidentiality to ensure the validity of test results.

Company will coordinate with trusted agents for each department to identify critical systems that should be excluded from testing activities (e.g., safety systems, major applications undergoing upgrades or other special evolutions). Specific network

addresses and reasons for exclusion should be provided as an attachment to the signed performance test. Company will also identify any systems or network nodes that are connected to the Company’s network, but are not under the direct control and responsibility of the Company. These systems will be excluded from testing unless Consultant obtains permission from the system owner.

Consultant will provide the DOE Computer Incident Advisory Capability (CIAC) with information regarding the systems used for scanning and testing activities to ensure that testing activities are not confused with real attacks.

While Consultant will not attempt to exploit "denial of service" vulnerabilities (unless specifically requested by the Company) and every attempt will be made to prevent damage to any information system and the data it holds, some penetration attempt scenarios have the possibility of causing service interruption. In the unlikely event that such an event occurs, Consultant will work with the trusted agents at the site to

determine the nature of the problem and restore the system to its desired state of operation.

All information obtained by Consultant will be protected (to the extent possible) from unauthorized access.

In the event that any site personnel (excluding trusted agents) identify Consultant testing activities, site computer security personnel should document the detection of activity and take initial actions that would be taken in the case of a real intrusion,

including informing the CIAC. If notified by the site of incidents that correspond with the penetration testing, CIAC and the site’s trusted agents will inform the appropriate site computer security personnel that the activity identified is part of an authorized DOE test. In these cases, logs or other evidence of intrusion detection activities should be provided to Independent Oversight for analysis. Consultant’s testing will then be allowed to continue as an announced external network security assessment without

blocking, filtering, or restricting access.

It is the Company’s responsibility to restore network computer systems to a

secure configuration after Consultant’s testing. Independent Oversight will coordinate with and provide assistance (as requested) to system administrators during this period of "cleaning up" network computer systems. Clean-up may consist of removing added

(6)

programs and files, identifying systems whose password files were compromised, and restoring systems to a secure configuration so that no systems are left in a

compromised condition. As evidenced by their signature on this performance test agreement, Operations Office and site contractor representatives certify that the Department’s Banner and Warning Policy has been implemented at the site and network computer users have, as a result, granted constructive consent to this type of activity.

APPROVALS:

____________________________________________ Director, Office of Cyber Security and Special Reviews _________________________________________ Office of Chief Information Officer Representative _________________________________________ Lead Program Secretarial Office Representative __________________________________________ Operations Office Representative

__________________________________________ Site Contractor Representative

References

Related documents

the response contains at least one record in its answer section, then the record is cached if it matches the entry in the query section, while NS records in the Authority section

Trigeorgis.. If it turns out that the ROE on this business exceeds the current expected value of 8.95% in perpetuity and the firm can still invest only $500 million in book value

The findings in the present study support the impor- tance of assessing antenatal depressive symptomatology and monitoring Chinese women with significant antena- tal depressive

Services Leisure & Hospitality Healthcare Retail Construction Manufacturing Transportation Wholesale Local Government Financial Services Mining Other Services State

On the one hand ,The design and Implementation of the E-card managing system can make school administrative staff increase their working efficiency, get rid of the old fussy

Cannot be used with other discount or coupon or prior purchases after 30 days from original purchase with original receipt.. Offer good while

on the study of the acceleration of the body is considered to be valid and reliable for predicting the risk of falling or for discriminating between population groups with

training” [59]. The title encompasses the content of the session. Clearly, public health deficiencies in veterinary education are recognized by the AAVMC and ASPH. Should the