Cybersecurity: Please Try to Not Get Sued (Or Arrested)

 

If you are just coming into cybersecurity, pump the brakes and let's chat about how to not get sued.. or worse.

The Background - this message on LinkedIn from last night:

Let's break this down:

• NMAP could be considered OSINT. 
• OSINT - is the collection and analysis of data gathered from open sources (covert and publicly available sources) to produce actionable intelligence. See Wikipedia page for categories.
• Doing NMAP scans on "potential clients" without permission is against NMAP terms and conditions. Unauthorized port scanning, for any reason, is strictly prohibited.
• You could face legal action if you perform unauthorized scanning & assessments, and jail time absolutely if you knowingly access without permission.  

In the comments, a student from WGU was advocating for OP:

The breakdown on this one: 

• His is misinformed.

At first, I was frustrated that these two individuals, people who appear smart and passionate to network, seemed to be missing a major components of the basics. 

Then, the post was deleted and reposted today (troll-ey, if you ask me). 

Regardless of if this is real or simply troll activity, it felt a good time to toss out some resources around staying behind that legal and ethical line. 

Terms & Conditions (T&C), Contracts, Cyber Law Basics, Oh My!

Some of the easy and impressive education is in the realm of terms, conditions, contracts, and laws. Not many people interviewing for their first cyber role can speak the basics of cyber law at the same time they can describe an injection attack. Here are some resources and thoughts, broken down by type of content. 

Terms & Conditions

• If you are spending the time to find a tool, to modify it, and use it then you have time to scan the T&Cs and understand any acceptable use policies. 

Contracts

• If you don't have a signed contract from a client that has a scope of work, rules of engagement, time frames & milestones, payment terms, confidentiality, and termination - don't scan or access. 
• Here are some examples of these documents:
• What is a Penetration Testing Agreement?
• Penetration Testing Agreement
• Penetration Testing Sample Clauses
• Contract For Penetration Testing
• If you are looking for practice, there are many websites that offer real world training. They include:
• https://tryhackme.com/
• https://www.hackthebox.com/
• https://owasp.org/www-project-juice-shop/
• https://pentesterlab.com/
• https://portswigger.net/web-security
• https://www.hackthissite.org/
• & many, many, many others

Cyber Law Basics

Several ideas:

• I am not a lawyer, I won't give you specific advice on cyber law.   
• If you have specific questions about cyber law or about something you are going to do & if it is legal, get a lawyer. 
• Resources: 
• Self Education Material
• https://www.upcounsel.com/cyber-law
• Courses 
• https://www.udemy.com/course/cyber-law-analyst/ - wait for this to be free or low cost. 
• Videos, Podcasts, other
• Clubhouse rooms like https://www.clubhouse.com/club/law-tech-infosec  (great to ask questions in)
• I echo this list of podcasts: https://blog.feedspot.com/cyber_law_podcasts/

Conclusion

F**k around and find out is often celebrated in the cyber world. Here, not so much. 

One last thing - we're on the internet so don't believe everything you read, even on LinkedIn. If you have questions about best practices, a great place to join is the TCM Security or Red Siege Discord channels (there are many others too), and find people who are experts in the field. People are as much resources as any website will be. 

Thanks for reading & please let me know if I should expand on any other topic in this space.