Matthews Bark – Don’t let a penetration test land you in legal hot water

Source     : Tech Republic
By            : Taylor Gillan
Category : Attorney Matthews Bark

Don’t let a penetration test land you in legal hot water

Penetration (pen) testing is a valuable way to determine how resistant an organization’s digital infrastructure is to outside attack. What better way to check a network’s security than to give scary-smart individuals permission to hack it? The authors of this SANS Institute paper on pen testing (Stephen Northcutt, Jerry Shenk, Dave Shackleford, Tim Rosenberg, Raul Siles, and Steve Mancini) make an interesting point: “The main thing that separates a penetration tester from an attacker is permission. The penetration tester will have permission from the owner of the computing resources that are being tested.”

What exactly does permission mean?
Employing an outside party to attack an organization’s network while the organization continues normal operation is the only realistic way to test. However, it introduces certain challenges, enough that Michael R. Overly, a partner and intellectual property lawyer with Foley & Lardner LLP, urges caution when negotiating the contract for a security audit that involves pen testing. If you are wondering what a lawyer knows about pen testing, Overly is not your typical attorney: he holds a slew of security certifications, including CISA, CIPP, CISSP, ISSMP, and CRISC, has written about information security, and is recognized by his peers for his information-security mettle.

Considerations for organizations requesting a pen test

Here are the precautions and considerations Overly suggests in this National Law Review post for companies seeking a security audit.

– Consider having the auditor retained by the organization’s legal counsel: doing so gives the organization an opportunity to protect the audit and its results under attorney-client privilege and the attorney work-product doctrine. Overly also suggests, “Ask to review the report in draft form to make any changes before it is placed in the final form.”
– Treat the audit agreement as a professional services engagement: ensure the work is clearly detailed in a well-drafted statement of work and that all costs are identified. Overly warns, “Beware of ‘scope creep’: new services that are added as the project progresses. Allowing creep may add significant costs and may not be protected by stipulations in the contract.”
– Think carefully before permitting unannounced penetration tests: at a minimum, coordinate enough to ensure the operation of critical systems is not disrupted during key operating hours or month-end processing.
– Do not permit the audit agreement to create more risk than it is intended to resolve: this means ensuring the auditor assumes an appropriate level of responsibility. Overly offers the following reasons why this is important:

– Audit agreements normally do not include sufficient language regarding obligations of the pen tester concerning information security and confidentiality.
– The auditor will have access to sensitive data and details of how the organization secures its systems. That means strong security and confidentiality obligations, plus a level of liability that ensures the pen tester will comply with those obligations.

Overly further cautions, “Beware of auditors who are unwilling to provide reasonable protection for sensitive information.”

Review any language in the agreement that permits the auditor to remove data for off-site review. If such activity is permitted, the agreement should make clear the following:

– The data cannot be made available outside the country (unless specific controls are employed).
– The auditor cannot remove personally identifiable data that may be subject to specific laws or regulations without first committing to be bound by those laws and regulations.
– The auditor cannot take possession of credit-card information unless there is an express need for possession, and the auditing company and/or pen tester are fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Overly advises, “It is far better, however, to prohibit the pen tester from removing such data in the first place, given its sensitivity.”

Considerations for security auditors

Mark Rasch, in his SecurityCurrent column Legal Issues in Penetration Testing, looks at the implications a security auditor faces when performing a penetration test. First up is recognizing that computer crime laws such as 18 USC 1030 (the Computer Fraud and Abuse Act) come into play. Rasch writes, “18 USC 1030 makes it a crime to access or attempt to access a computer or computer network without authorization or in excess of authorization. What constitutes ‘authorization’ and who can authorize such access can quickly get muddy.”

“So the lesson learned here is that penetration testing, even when authorized, can result in a host of legal trouble,” continues Rasch. “The pen tester should obtain a ‘get out of jail free’ card from the customer, specifically indicating not only that the pen testing is authorized, but also indicating that the customer has the legal authority to authorize the pen test.” Rasch offers the following suggestions for what else should be in the contract:

– Indicate what the auditor will do (and will not do) and the range of IP addresses, subnets, computers, networks, or devices that will be the subject of the pen test.
– If a software review is being asked for, ensure the software’s license or copyright terms permit reverse engineering or code review.
– If a pen tester is to test a network hosted in the cloud, permission must be obtained from the cloud provider, or, at a minimum, the test must stay within the provider’s published penetration-testing policy, since the customer does not own the underlying infrastructure.

Sensitive data
Rasch devotes considerable attention to the likelihood of auditors encountering sensitive data. “A successful pen test can result in the pen tester getting into a computer or computer network that they should not have had the ability to access,” he writes. “Also, it may include accessing data or databases that contain sensitive personal information, credit-card information, personally identifiable information (PII) or Private Health Information (PHI).”
Rasch then raises the following must-ask questions when sensitive data is involved:

– Is the access to the information by the pen tester a “breach” of the database which must be reported?
– Must the pen tester sign a “Business Associate Agreement” agreeing to protect the data they just accessed?

During an email conversation, Overly raised a consequence of handling sensitive data that is not often considered. “The party conducting the test will gain highly sensitive information regarding the other party’s security measures,” he writes. “If that information were to be revealed to third parties, it could permit a hacker to compromise the tested systems.” As with most things, the actual work almost seems easier than all the paperwork and planning that must happen before a penetration test even begins. However, a well-worn cliché applies here: “Better to be safe than sorry.”


Matthews Bark Criminal Defense – Can I use that? A Legal Primer For Journalists

Source     : CJR (cjr.org)
By            : Jonathan Peters
Category : Attorney Matthews Bark of Orlando, Matthews Bark Criminal Defense

Can I use that? A Legal Primer For Journalists

As a media law scholar and practicing media lawyer, I field all manner of questions every week—from students, journalists, editors, and others. Whether I’m speaking generally to a non-client or giving specific legal advice to a client, I’ve noticed that the questions fall into three broad categories:

Can I use that?
Can I say that?
Can I do that?

Within each category, some issues come up more than others. They’re the greatest hits, so to speak, and I’m going to begin sampling that album with you here—starting with the category Can I use that? Future stories will explore the other two categories. Keep in mind that I’m a lawyer, not your lawyer (unless I actually am your lawyer), and these comments shouldn’t be construed as legal advice.

How to obtain a copyright

Can I use that? questions are typically copyright questions. First, freelancers want to know how to obtain a copyright in something they created. This is sort of the inverse of Can I use that? The person wants to know how to control the way others use her work. So, assuming a work is copyrightable in the first place (some things, like facts and short phrases, are not), it’s copyrighted upon creation. Generally, the copyright is owned by whoever created the work. But if it’s created in the course of employment, it’s usually considered a “work for hire” and owned by the employer. The New York Times, for example, owns the copyright in articles written by its employees. Among freelancers, copyright ownership depends on the rights articulated in their contracts. It’s not uncommon for freelancers and their publications to share copyrights in some way.

Now, even though a work is copyrighted upon creation, it’s prudent for the owner to register the work with the US Copyright Office. Registration puts the world on notice of the copyright, and allows the owner to enforce the right in court. Plus, the federal copyright statute entitles the owner to statutory damages if she registers the work before infringement or within three months of the work’s publication. That’s helpful because it means the owner doesn’t have to prove actual losses in an enforcement suit. And, although this isn’t required to obtain a copyright, I usually advise my clients, especially the photojournalists, to place a copyright notice on each of their works. To be most effective, it should include the owner’s name, the year the work was created, and the copyright symbol. Why do I give that advice? If the client needs to enforce her copyright in court, notice takes away the defendant’s ability to claim that he innocently infringed, a defense that can mitigate the owner’s damages.

Fair use

Lots of people ask me about fair use, the doctrine that allows you to use a copyrighted work without permission. First, understand that the goal of copyright law is not only to protect the rights of people who create content but also “to promote the progress of science and useful arts,” according to the Constitution. Allowing creators to enforce their copyrights in all cases would frustrate the latter, so the courts and Congress adopted the fair use doctrine to allow uses of copyrighted works that would benefit society. I spend my time in this area disabusing people of misconceptions: that you can sample up to 10 seconds of an audio recording, or copy up to three paragraphs of a book, or use whatever you want as long as it’s newsworthy or included in a news report. In reality, there are no such bright-line rules.

To determine whether a use is fair, a court considers four factors. The first is the purpose and character of the use (chiefly whether it’s for criticism, comment, news reporting, teaching, or research, all of which favor fair use). The second is the nature of the copyrighted work itself (whether, say, it was unpublished, which is entitled to greater protection). The third is the amount and substantiality of the portion used in relation to the work as a whole (the more of the original work used, the more likely it’s an infringement). And the fourth is the effect of the use on the market for, or value of, the copyrighted work (uses that supplant the original work in the marketplace are unlikely to be fair).

No single factor is determinative, and notably the fact that something is newsworthy, or used in a news report, does not automatically make its use fair. That’s probably where I spend the most time educating people. Using a copyrighted work for a news report will be considered as part of factor one, but that does not end the analysis: the court will go on to consider the other factors, and if they don’t favor fair use, then your use won’t be protected.

Linking and embedding

The last major Can I use that? issue is linking. As we surf the Web, we rely greatly on links to navigate from page to page, to look up related content. And news organizations increasingly are using links to provide access to their source material. But what if you post something that links to copyrighted or infringing content? Are you liable under prevailing copyright rules? Different types of linking present different copyright issues, and the law is not entirely settled here, so I’ll hit the two most important points that (for the most part) are settled.

First, “deep linking” is what most of us think of when we think of linking. It means placing a link on your site that leads to a page on another site. Doing that, generally, does not constitute copyright infringement, even if the other site is hosting copyrighted or infringing content.

Second, “inline linking” is what most of us call embedding. It means placing a line of HTML code in your site so it displays content directly from another site (e.g., embedding a tweet in a news story). That does not, generally, infringe any copyright because no copy of the embedded content has been made; the inline link is simply a piece of code that represents the content as it exists on the originating site. Moreover, most third-party platforms, like Twitter, include in their terms of service a provision that says the user permits others to embed his or her content.

Which raises a related issue: embedding copyrighted content may be okay, but screenshotting it and posting the screenshot is not. That’s basically the electronic equivalent of making a copy of the work, putting it squarely in the crosshairs of copyright law. So, if you find content on social media and want to use it (e.g., in an online news story), embedding is the safest way to do it, not screenshotting.
