Penetration Testing mailing list archives

Re: How much do you disclose to customers?


From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 19 Dec 2003 11:09:51 +0100

On Thu, Dec 18, 2003 at 01:13:43PM -0700, Alfred Huger wrote:

> I have a question on customer disclosure.  Is it wise to tell the
> customer  which IP addresses you'll be using before starting pen
> tests?

It depends. Sometimes management wants to test their security
including their network administrators (if they are capable of
detecting, preventing or properly acting on the attack). In this case,
network administrators do not know about the test, so you don't tell
the IPs to them. Management usually doesn't care about such technical
details like IP addresses... we just ask if the addresses we will use
should be easily trackable to us (whois, reverse DNS etc.) or not.

You should resolve those issues before the test. Just tell them the
options and ask them what they want. Sometimes they want you to tell
them the IP and use *only* this IP for the test.

> Cons for Telling: I was thinking that if you did tell them you may
> get an over zealous, insecure admin that just sets up a filter to
> block you out to make him/herself look good.

It would be strange if you couldn't reach their mailserver, webserver
etc. But yes, a malicious admin could hide some problematic
services/nodes from you. But that's their problem, not yours.

> Pros for Telling:
> 1) if you don't tell them your IP address they may think you're
> doing testing when in actuality it's someone else (ie: a true
> cracker trying to break in).

That's their problem, not yours :-)

> 2) Audit trail reasons - if you trip up an IDS while doing testing they
> can ignore those alarms.

That depends. If they usually act on an IDS alarm in some way, they
should act the same way even in this case. But if they want to test their
vulnerabilities as if there were no IDS ...

> Also, how do testers handle multiple IP addresses?  Is there any
> benefit to doing it from multiple IP addresses??

Yes. The attack could be made more hidden and they should have more
problems tracking your activities. Also, you sometimes lose
connection to the target and you should test if it is reachable from
a different IP (so you are blocked) or if it is unreachable from all IPs
(so you probably crashed the device, and we usually call the appropriate
person in this case).

> Lastly,  do you keep logs of tests performed just to cover yourself?

Of course! The harmonogram (including source IPs) is a part of the
final report.

-- 
         Martin Mačok                 http://underground.cz/
   martin.macok () underground cz        http://Xtrmntr.org/ORBman/
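
The "blocked from one IP or crashed for everyone" triage and the source-IP log for the final report, as an added example that is not part of Martin's post or of any tool he mentions. It assumes the tester's source addresses are configured on the probing host (the `SOURCES` list below is constructed; `tcp_probe`, `classify` and `report_lines` are hypothetical names), and it uses a plain TCP connect as the reachability check.

```python
"""Reachability triage across several source addresses (added example).

When a probe from one source IP stops getting through, re-probe the same
target from every address in use and log each outcome, so the engagement
record shows whether one address was filtered (partial) or the target
stopped answering everyone (possible crash: call the customer's contact).
"""
from __future__ import annotations

import socket
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ProbeResult:
    when: str          # ISO-8601 UTC timestamp, goes into the report
    source_ip: str     # tester's address the probe was bound to
    target: str
    port: int
    reachable: bool
    detail: str        # "connected" or the OS error text


def tcp_probe(target: str, port: int, source_ip: str,
              timeout: float = 3.0) -> ProbeResult:
    """TCP-connect to target:port with the socket bound to source_ip."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.bind((source_ip, 0))
    except OSError as exc:
        # A bind failure is a tester-side configuration error, not a
        # statement about the target, so it must not count as "unreachable".
        s.close()
        raise ValueError(f"{source_ip} is not configured on this host: {exc}") from exc
    try:
        s.connect((target, port))
        return ProbeResult(stamp, source_ip, target, port, True, "connected")
    except OSError as exc:
        return ProbeResult(stamp, source_ip, target, port, False, str(exc))
    finally:
        s.close()


def classify(results: list[ProbeResult]) -> str:
    """Turn the per-source outcomes into the verdict the post describes."""
    if not results:
        return "no-data"
    ok = sum(1 for r in results if r.reachable)
    if ok == len(results):
        return "reachable"
    if ok:
        return "blocked-for-some-sources"      # a filter on the tester's IP
    return "unreachable-from-all-sources"       # escalate: target may be down


def report_lines(results: list[ProbeResult]) -> list[str]:
    """One line per probe plus the verdict, ready for the final report."""
    lines = [f"{r.when} src={r.source_ip} dst={r.target}:{r.port} "
             f"{'OK' if r.reachable else 'FAIL'} ({r.detail})" for r in results]
    lines.append(f"verdict: {classify(results)}")
    return lines


if __name__ == "__main__":
    SOURCES = ["127.0.0.1"]                       # constructed: tester's addresses
    probes = [tcp_probe("127.0.0.1", 22, ip) for ip in SOURCES]
    print("\n".join(report_lines(probes)))
```

The verdict only separates the two cases the post distinguishes; it says nothing about why a target went silent, so an "unreachable-from-all-sources" result is the cue to pick up the phone, and the timestamped lines are what goes next to the source IPs in the report.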
