Port scanning is essential to network security. IT companies scan systems every day; those scans help confirm network configurations and compliance with security policies.
But hackers also scan systems. They use scanners to gather information on potential targets and their vulnerabilities. As a result, port scans can be seen as precursors to attacks.
Millions – if not billions – of unauthorized scans occur every day. In one study spanning 12 years, a single site received 23.4 billion scans.
Given their role in cyberattacks, and their ubiquitous use by IT firms and security consultants, the question arises: are port scans legal?
In the U.S., no federal law exists to ban port scanning.
At the state and local level, no clear guidelines exist.
However – while not explicitly illegal – port and vulnerability scanning without permission can get you into trouble:
The amount of risk associated with a port scan is largely based on whether it’s authorized. If you did not receive permission, then you’re at greater risk of backlash. If you did receive permission – then get it in writing and signed.
This creates a problem for IT companies and managed security providers. They regularly scan their clients’ systems for legitimate reasons.
If a client relationship turns sour, and the client uses your scan as an excuse to drag you into court, how can you protect yourself?
These suggestions come from the SANS report, Minimizing Legal Risk When Using Cybersecurity Scanning Tools.
Obtain Written Consent
First, always get permission before scanning a system you do not own. The permission must be in writing and signed by both parties – the scanner and the system owner.
This document provides legal protection if the system’s owner takes you to court.
Verbal permission is not always enough – as shown in the case of Stefan Puffer, a Houston-based security consultant.
Puffer performed a “war driving” exercise in 2002 alongside the head of Harris County’s Central Technology Dept. and a newspaper reporter. The exercise demonstrated vulnerabilities in systems maintained by the county clerk’s office.
County officials later sued Puffer for hacking, even though the exercise was performed in the presence, and with the verbal permission, of the county’s head of IT. Although acquitted by a jury, the case cost him tens of thousands of dollars in legal fees, according to a SANS report.
Include a Statement of Work
The written consent should be part of a scanning plan or a statement of work. This document can include the following:
This information, combined with a statement of consent, can be used as evidence if the motivations or methods of the scan are ever questioned.
Confirm the Scanner’s Accuracy
Security scanners can be fickle. False negatives, where a scanner reports a vulnerable system as safe, are common.
If you want the results of your port scans to serve as evidence in court, then you should take action to demonstrate their accuracy.
Tips to confirm the accuracy of your scanners:
Without proof that you have worked to ensure the accuracy of your scanning tools, attorneys can attack the validity of your scan results in court. By taking the actions above, you can help ensure the results hold up.
Another way to protect yourself is to minimize the impact of your scans on the client’s environment.
Target the scan as tightly as possible:
These actions – documented in a statement of work – will help prove your port scanning was responsible and limited, and will also help prevent complaints from other stakeholders in the client’s office.
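One way to make the "tightly targeted, documented" scan enforceable in practice is to gate every target against the scope written into the statement of work and keep the decision log with the signed consent. The following is an added example, not code from the article or the SANS report; the scope values (networks, ports, window, names) are constructed placeholders.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample scope standing in for the signed statement of work.
# All values here are hypothetical placeholders, not from a real engagement.
SCOPE = {
    "client": "Example Client (hypothetical)",
    "authorized_by": "J. Doe, CIO (hypothetical)",
    "networks": ["192.0.2.0/24", "198.51.100.10/32"],   # authorized address ranges
    "ports": [22, 80, 443, 3389],                        # authorized ports only
    "window": ["2024-03-01T22:00:00+00:00", "2024-03-02T04:00:00+00:00"],
    "excluded": ["192.0.2.250"],                         # host the client fenced off
}

def in_scope(scope, ip, port, when):
    """Return (allowed, reason) for one target; every refusal gives an explicit reason."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    addr = ipaddress.ip_address(ip)
    if any(addr == ipaddress.ip_address(x) for x in scope["excluded"]):
        return False, "host explicitly excluded by client"
    if not any(addr in ipaddress.ip_network(n) for n in scope["networks"]):
        return False, "host outside authorized networks"
    if port not in scope["ports"]:
        return False, "port not in authorized port list"
    start, end = (datetime.fromisoformat(t) for t in scope["window"])
    if not (start <= when <= end):
        return False, "outside authorized time window"
    return True, "authorized"

def gate_targets(scope, targets, when):
    """Split requested (ip, port) pairs into allowed ones and build an audit trail."""
    allowed, audit = [], []
    for ip, port in targets:
        ok, reason = in_scope(scope, ip, port, when)
        audit.append({"time": when if isinstance(when, str) else when.isoformat(),
                      "target": f"{ip}:{port}", "allowed": ok, "reason": reason,
                      "authorized_by": scope["authorized_by"]})
        if ok:
            allowed.append((ip, port))
    return allowed, audit

if __name__ == "__main__":
    requested = [("192.0.2.15", 443), ("192.0.2.250", 22), ("203.0.113.5", 80), ("192.0.2.15", 8080)]
    allowed, audit = gate_targets(SCOPE, requested, "2024-03-01T23:30:00+00:00")
    print(json.dumps(audit, indent=2))   # file this record alongside the signed consent
```

Only the `allowed` list is ever handed to the scanner; the audit records, including the refusals, document that out-of-scope hosts, ports and times were never touched.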
The circumstances of a port scan, including your actions before and after, will also signal your intentions. These can work for you or against you in court.
So always have good intentions. Always have a legitimate reason to perform your scan and always document your work.
Armed with a legitimate reason and the owner’s written consent, you can help ensure your company avoids becoming a “rare case” in a courtroom.