Penetration Testing mailing list archives
RE: How much do you disclose to customers?
From: "Kinnane, Scott" <Scott.Kinnane () ISATechnologies com>
Date: Fri, 19 Dec 2003 11:39:20 +0800
I'd explain to the customer that in a real security attack, you don't know the source of the attack when it starts, so you need to simulate as real a situation as possible. The logs would come in handy as you could offer that as proof of what was coming from you.

At least if they (including technical staff) know a time when you are doing the test, they can be prepared for consequences and, as you say, ignore your attempts. I know this contradicts my previous point, but hey...

Put it this way: if I were the customer, I'd rather know that my security measures are so thoroughly tested by your tests that they are as bulletproof as possible.

scott
-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com]
Sent: Friday, 19 December 2003 4:14 AM
To: pen-test () securityfocus com
Subject: How much do you disclose to customers?

I am posting this for a user who is having difficulty posting directly to the list. Please reply to the list.

-al

To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

> Hi everyone,
>
> I have a question on customer disclosure. Is it wise to tell the customer which IP addresses you'll be using before starting pen tests?
>
> Cons for Telling: I was thinking that if you did tell them you may get an overzealous, insecure admin that just sets up a filter to block you out to make him/herself look good.
>
> Pros for Telling:
> 1) If you don't tell them your IP address they may think you're doing testing when in actuality it's someone else (i.e. a true cracker trying to break in).
> 2) Audit trail reasons - if you trip up an IDS while doing testing they can ignore those alarms.
>
> Also, how do testers handle multiple IP addresses? Is there any benefit to doing it from multiple IP addresses?
>
> How do testers distribute a test amongst multiple people?
>
> Lastly, do you keep logs of tests performed just to cover yourself? (i.e. "Our server crashed on Saturday, it must have been something you did!!")
>
> thanks ahead of time,
> Joe

Alfred Huger
Symantec Corp.
Current thread:
- How much do you disclose to customers? Alfred Huger (Dec 18)
- Re: How much do you disclose to customers? wirepair (Dec 19)
- Re: How much do you disclose to customers? Martin Mačok (Dec 19)
- Re: How much do you disclose to customers? Stephen de Vries (Dec 19)
- RE: How much do you disclose to customers? Jerry Shenk (Dec 19)
- Re: How much do you disclose to customers? Meritt James (Dec 19)
- Re: How much do you disclose to customers? Harry Hoffman (Dec 20)
- Re: How much do you disclose to customers? fergus (Dec 19)
- Re: How much do you disclose to customers? goat (Dec 20)
- <Possible follow-ups>
- RE: How much do you disclose to customers? Teicher, Mark (Mark) (Dec 19)
- RE: How much do you disclose to customers? Kinnane, Scott (Dec 19)
- RE: How much do you disclose to customers? Michal Zalewski (Dec 20)
- RE: How much do you disclose to customers? Gary Everekyan (Dec 19)
- Re: How much do you disclose to customers? H Carvey (Dec 19)
- Re: How much do you disclose to customers? Clint Bodungen (Dec 20)
- Re: How much do you disclose to customers? Frank Knobbe (Dec 20)
- RE: How much do you disclose to customers? Brewis, Mark (Dec 19)
- RE: How much do you disclose to customers? Whiteside, Larry [contractor] (Dec 20)