Penetration Testing mailing list archives

RE: What is your policy on customers participating in a pen test?


From: "Spencer, Ed M. -ND" <Ed.M.Spencer.-ND () disney com>
Date: Tue, 19 Jun 2001 19:49:04 -0400

This is often the case when the customer has data that is highly
confidential, much to lose through damage to reputation, concerns about how
the data is collected, and maybe even issues regarding the ethics of the
company/people doing the job.  Either that or they want to watch you do it
so they can collect information so they can do it themselves next time, want
to make sure your company does it (not subbed out) and they want to make
sure it's more than just a couple products you picked up off the shelf and
ran against them. (or maybe they're just paranoid, like me)

One thing I've seen done is when pen testing is being done actively (someone
is actively breaking the security - not a script/canned product) the
customer watches over a remote control product (like VNC).  This allows them
to view what's going on, ensure accurate results, and gives them peace of
mind for their network.  You can easily set up VNC to only allow them to
watch (no keyboard/mouse to them) and it's not platform specific.

Other things are to watch the wording in the contract and the intent.  Are
you providing ongoing pen testing/review (like the TruSecure process -
http://www.trusecure.com) or are you doing a one time audit/review (think
ISACA - http://www.isaca.org).  Is educating the customer part of the
contract requirements? (some education is usually expected.)  Do they want
this done again?  Will they try to do it themselves next time?

In the end I just recommend being cautious, discussing the requirements and
expectations up front.  </sarcasm-on>I don't recommend turning over your
tools to them, showing them step by step how to use them, and letting them
ghost your laptop. (We are in business to make money).</sarcasm-off>

I guess it's just a case of the customers wanting from us what we've
requested from software companies all along - full disclosure.

Ed Spencer
MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World



-----Original Message-----
From: Joe Klein [mailto:jsklein () mindspring com]
Sent: Tuesday, June 19, 2001 2:00 AM
To: pen-test () securityfocus com
Subject: What is your policy on customers participating in a pen test?


All:

I am hearing customers request (and sometimes demand) that they be part of a
pen test.

Currently, we offer the customer 4 - 8 hours of time to review findings and
show them what we did, to access their systems. But we do this after the pen
test is complete.

I was wondering how other companies deal with this issue?

J
