Penetration Testing mailing list archives
RE: What is your policy on customers participating in a pen test?
From: "Dom De Vitto" <dom () devitto com>
Date: Wed, 20 Jun 2001 21:55:50 +0100
No UK bank will allow even DERA employees (the UK govmt's pen testing service) to just plod around a computer room. I personally would just put the phone down on any company that wanted to hide or conceal it's practice in any way. I've heard of some pen test services tcpdumping all the pen test traffic, so they can audit the pen testers, and rebuke "you crashed the wrong machine, so we're going to sue you.". Dom -----Original Message----- From: Vanja Hrustic [mailto:vanja () relaygroup com] Sent: 20 June 2001 11:01 To: Joe Klein Cc: pen-test () securityfocus com Subject: Re: What is your policy on customers particapating in a pen test? On Tue, Jun 19, 2001 at 01:59:45AM -0400, Joe Klein wrote:
All: I am hearing customers request ( and some times demand ) that they be part of a pen test. Currently, we offer the customer 4 - 8 hours of time to review findings and show them what we did, to access there systems. But we do this after the pen test is complete. I was wondering how other companies deal with this issue?
There is no reason you shouldn't let them see what you are doing. In some cases, you don't even have a choice. In some countries (at least in Asia-Pacific region) banks (or insurance companies) must have a 3rd party 'audit' (as they call pen-test) performed from their premises, or at least from the 'soil' where the company is located. Sounds silly, but it's true. Usually, you'd have to do it in their offices, with few people watching what you're doing. Granted, 1st day they might be staring at your screen, but next day they might be just reading newspapers while you're doing your stuff. In case you're doing some work for govts, you will have to do the job from their office, using their equipment, with their people never leaving you alone in a room. Some companies argue that they can't let anyone see what they're doing, because of their 'proprietary techniques'. Right - pentesting is really a rocket science, isn't it? ;) That's pretty crappy argument, and from what I've "heard", few companies basically use that argument in order to make sure the clients don't see that pentest consists of running ISS or CyberCop or Nessus. Bottom line: get used to requests like this, since it's becoming a requirement (as a part of a law) in some countries. Vanja
Current thread:
- What is your policy on customers particapating in a pen test?, (continued)
- What is your policy on customers particapating in a pen test? Joe Klein (Jun 19)
- Re: What is your policy on customers particapating in a pen test? Meritt James (Jun 19)
- RE: What is your policy on customers particapating in a pen test? Ken Pfeil (Jun 21)
- Re: What is your policy on customers particapating in a pen test? GBH (Jun 19)
- Re: What is your policy on customers particapating in a pen test? Jonathan Rickman (Jun 19)
- RE: What is your policy on customers participating in a pen test? Ken Halbeck (Jun 19)
- Re: What is your policy on customers particapating in a pen test? Vanja Hrustic (Jun 20)
- Re: What is your policy on customers particapating in a pen test? Jonathan Rickman (Jun 21)
- Re: What is your policy on customers particapating in a pen test? Vanja Hrustic (Jun 22)
- RE: What is your policy on customers particapating in a pen test? Bojan Zdrnja (Jun 25)
- What is your policy on customers particapating in a pen test? Joe Klein (Jun 19)
- RE: What is your policy on customers participating in a pen test? Dom De Vitto (Jun 21)
- Re: What is your policy on customers particapating in a pen test? Gary Warner (Jun 21)
- Re: What is your policy on customers particapating in a pen test? Meritt James (Jun 21)