Port scanning is essential to network security. IT companies scan systems every day. Those scans help confirm network configurations and compliance with security policies.
But hackers also scan systems. They use scanners to gather information on potential targets and their vulnerabilities. As a result, port scans can be seen as precursors to attacks.
Millions – if not billions – of unauthorized scans occur every day. In one study spanning 12 years, a single site received 23.4 billion scans.
With their role in cyberattacks, and their ubiquitous use by IT firms and security consultants, a question is raised: are port scans legal?
Is Port Scanning Legal?
In the U.S., no federal law exists to ban port scanning.
At the state and local level, no clear guidelines exist.
However – while not explicitly illegal – port and vulnerability scanning without permission can get you into trouble:
- Civil lawsuits – The owner of a scanned system can sue the person who performed the scan. Even if unsuccessful, the case can waste time and resources on legal costs. Though extremely rare, one IT consultant was arrested and sued after a port scan.
- Complaints to ISP – The owner of a scanned system can report the scanner’s IP to the associated ISP. Many ISPs prohibit unauthorized port scanning. Some will take action – such as issuing reprimands or canceling service.
The amount of risk associated with a port scan depends largely on whether it is authorized. If you did not receive permission, you are at greater risk of backlash. If you did receive permission, get it in writing and signed.
IT Companies: What Should You Do?
This creates a problem for IT companies and managed security providers. They regularly scan their clients’ systems for legitimate reasons.
If a client relationship turns sour, and the client uses your scan as an excuse to drag you into court, how can you protect yourself?
These suggestions come from the SANS report, Minimizing Legal Risk When Using Cybersecurity Scanning Tools.
Obtain Written Consent
First, always get permission before scanning a system you do not own. The permission must be in writing and signed by both parties – the scanner and the system owner.
This document provides legal protection if the system’s owner takes you to court.
Verbal permission is not always enough – as shown in the case of Stefan Puffer, a Houston-based security consultant.
Puffer performed a “war driving” exercise in 2002 alongside the head of Harris County’s Central Technology Dept. and a newspaper reporter. The exercise demonstrated vulnerabilities in systems maintained by the county clerk’s office.
County officials later sued Puffer for hacking, even though he had acted in the presence of, and with the verbal permission of, the county’s head of IT. Although acquitted by a jury, the case cost him tens of thousands of dollars in legal fees, according to a SANS report.
Include a Statement of Work
The written consent should be part of a scanning plan or a statement of work. This document can include the following:
- Dates and times for scanning
- IP ranges to be scanned
- Names of systems and networks to be scanned
- Scanning tools to be used
- People conducting the scans
- If a remote scan is planned, include the IP address of the scanning tool
This information, combined with a statement of consent, can be used as evidence if the motivations or methods of the scan are ever questioned.
Confirm the Scanner’s Accuracy
Security scanners can be fickle. False negatives – such as a scanner reporting a vulnerable system as safe – are common.
If you want the results of your port scans to serve as evidence in court, then you should take action to demonstrate their accuracy.
Tips to confirm the accuracy of your scanners:
- Routinely perform scans with different tools and compare results
- Periodically test scans against known environments and confirm results
- Periodically scan systems and separately perform penetration tests to confirm the results
- Document all tests used to confirm scanner accuracy
Without proof that you have worked to ensure the accuracy of your scanning tools, attorneys can attack the validity of your scan results in court. By taking the actions above, you can help ensure the results hold up.
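The first two tips above (compare results from different tools, and test scans against a known environment) come down to diffing one set of results against another. The following is an added example, not code from the article or the SANS report: the tool names, the per-host port sets and the lab baseline are all constructed, and `compare_tools()`, `score_against_baseline()` and `accuracy_record()` are illustrative names. It assumes each tool's output has already been parsed into a mapping of host to open ports.

```python
"""Cross-check scan results from two tools, and score each against a known lab baseline.

Added example, not the article's own code. All hosts, ports and tool names are constructed
(documentation-only addresses from RFC 5737) purely for illustration.
"""
from datetime import datetime, timezone

# Constructed results as they might look after parsing two different scanners' output:
# host -> set of ports reported open.
TOOL_A = {"192.0.2.10": {22, 80, 443}, "192.0.2.11": {80}, "192.0.2.12": set()}
TOOL_B = {"192.0.2.10": {22, 80, 25}, "192.0.2.11": {80, 8080}, "192.0.2.13": {3389}}

# Constructed ground truth for a lab network whose real configuration is known in advance.
KNOWN_LAB = {"192.0.2.10": {22, 80, 443}, "192.0.2.11": {80, 8080}, "192.0.2.12": {21}}


def compare_tools(a, b):
    """Return {host: (only_in_a, only_in_b)} for every host on which the two tools disagree.

    A host absent from one tool's output is treated as "no open ports" for that tool.
    """
    diffs = {}
    for host in sorted(set(a) | set(b)):
        ports_a, ports_b = a.get(host, set()), b.get(host, set())
        if ports_a != ports_b:
            diffs[host] = (ports_a - ports_b, ports_b - ports_a)
    return diffs


def score_against_baseline(result, baseline):
    """Count false negatives (open in the baseline, missed by the scanner) and false positives.

    Hosts not in the baseline are ignored; only the known environment is scored.
    """
    false_neg = false_pos = 0
    missed = {}
    for host, expected in baseline.items():
        seen = result.get(host, set())
        fn_ports, fp_ports = expected - seen, seen - expected
        false_neg += len(fn_ports)
        false_pos += len(fp_ports)
        if fn_ports:
            missed[host] = fn_ports
    return {"false_negatives": false_neg, "false_positives": false_pos, "missed": missed}


def accuracy_record(tool_name, result, baseline, when=None):
    """Format one line for the accuracy log that the article recommends keeping."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    score = score_against_baseline(result, baseline)
    return (f"{when} {tool_name}: FN={score['false_negatives']} "
            f"FP={score['false_positives']} missed={score['missed']}")


if __name__ == "__main__":
    for host, (only_a, only_b) in compare_tools(TOOL_A, TOOL_B).items():
        print(f"{host}: only tool A saw {sorted(only_a)}, only tool B saw {sorted(only_b)}")
    print(accuracy_record("tool-A", TOOL_A, KNOWN_LAB))
    print(accuracy_record("tool-B", TOOL_B, KNOWN_LAB))
```

Keeping the output of `accuracy_record()` with each engagement's records is the documentation the fourth tip asks for: it shows when each tool was checked, against what, and what it missed.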
Another way to protect yourself is to minimize the impact of your scans on the client’s environment.
Target the scan as tightly as possible:
- Do not scan IP ranges beyond those for which you need information
- Do not perform vulnerability scans when a simple ping scan will do
- If you are targeting specific services (such as web servers on port 80), then scan only the associated ports, not all ports.
These actions – documented in a statement of work – will help prove your port scanning was responsible and limited, and will also help prevent complaints from other stakeholders in the client’s office.
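Both the statement-of-work items listed earlier (dates and times, IP ranges, ports, the people scanning, the scanning source address) and the targeting rules just above can be enforced mechanically before a scan is launched. The following is an added example, not code from the article or the SANS report: the `SOW` field names, the `check_scope()` function and every address, port and date in it are constructed for illustration, and it assumes the signed statement of work has been transcribed into that dictionary.

```python
"""Pre-flight check that a planned scan stays inside the signed statement of work.

Added example, not the article's own code. The SOW field names, check_scope() and all
values below are constructed; addresses are documentation-only (RFC 5737 / RFC 3849).
"""
import ipaddress
from datetime import datetime

# Constructed transcription of a signed statement of work.
SOW = {
    "ip_ranges": ["192.0.2.0/24", "198.51.100.10/32"],   # networks the client authorized
    "ports": {80, 443, 8080},                             # only the services of interest
    "scanner_ip": "203.0.113.5",                          # source address named in the SOW
    "operators": {"a.analyst", "b.analyst"},              # people conducting the scans
    # Agreed scan windows as ISO 8601 start/end pairs with explicit UTC offsets.
    "windows": [("2024-06-01T22:00:00+00:00", "2024-06-02T04:00:00+00:00")],
}


def check_scope(sow, targets, ports, scanner_ip, operator, when_iso):
    """Return a list of violations; an empty list means the plan is within scope."""
    problems = []
    allowed = [ipaddress.ip_network(r) for r in sow["ip_ranges"]]

    # Every target (single host or CIDR block) must sit wholly inside an authorized range;
    # a block that merely overlaps one (e.g. a /23 around an authorized /24) is rejected.
    for t in targets:
        net = ipaddress.ip_network(t, strict=False)
        inside = any(a.version == net.version and net.subnet_of(a) for a in allowed)
        if not inside:
            problems.append(f"target {t} is outside the authorized IP ranges")

    # Only the agreed ports may be probed, not all ports.
    for p in sorted(set(ports)):
        if p not in sow["ports"]:
            problems.append(f"port {p} is not listed in the statement of work")

    if scanner_ip != sow["scanner_ip"]:
        problems.append(f"scanning from {scanner_ip}, but the SOW names {sow['scanner_ip']}")

    if operator not in sow["operators"]:
        problems.append(f"operator {operator!r} is not named in the statement of work")

    # The start time must fall inside one of the agreed windows (offset-aware comparison).
    when = datetime.fromisoformat(when_iso)
    in_window = any(
        datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)
        for start, end in sow["windows"]
    )
    if not in_window:
        problems.append(f"{when_iso} falls outside every agreed scanning window")
    return problems


if __name__ == "__main__":
    plan = dict(targets=["192.0.2.0/26"], ports=[80, 443], scanner_ip="203.0.113.5",
                operator="a.analyst", when_iso="2024-06-01T23:30:00+00:00")
    for line in check_scope(SOW, **plan) or ["plan is within the signed scope"]:
        print(line)
```

Running this check and keeping its output alongside the scan logs gives a dated record that the scan was confined to the agreed addresses, ports, source and window, which is exactly the evidence the statement of work is meant to support.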
The Value of Good Intentions
The circumstances of a port scan, including your actions before and after, will also signal your intentions. These can work for you or against you in court.
So always have good intentions. Always have a legitimate reason to perform your scan and always document your work.
Armed with a legitimate reason and the owner’s written consent, you can help ensure your company avoids becoming a “rare case” in a courtroom.