Penetration Testing mailing list archives
Re: How much do you disclose to customers?
From: Martin Mačok <martin.macok () underground cz>
Date: Fri, 19 Dec 2003 11:09:51 +0100
On Thu, Dec 18, 2003 at 01:13:43PM -0700, Alfred Huger wrote:
> I have a question on customer disclosure. Is it wise to tell the customer which IP addresses you'll be using before starting pen tests?

It depends. Sometimes management wants to test their security including their network administrators (whether they are capable of detecting, preventing or properly acting on the attack). In this case, the network administrators do not know about the test, so you don't tell them the IPs. Management usually doesn't care about such technical details as IP addresses... we just ask whether the addresses we will use should be easily traceable to us (whois, reverse DNS etc.) or not. You should resolve those issues before the test. Just tell them the options and ask them what they want. Sometimes they want you to tell them the IP and use *only* this IP for the test.
> Cons for Telling: I was thinking that if you did tell them you may get an over-zealous, insecure admin that just sets up a filter to block you out to make him/herself look good.

It would be strange if you couldn't reach their mail server, web server etc. But yes, a malicious admin could hide some problematic services/nodes from you. But that's their problem, not yours.
> Pros for Telling: 1) if you don't tell them your IP address they may think you're doing testing when in actuality it's someone else (i.e. a true cracker trying to break in).

That's their problem, not yours :-)

> 2) Audit trail reasons - if you trip up an IDS while doing testing they can ignore those alarms.

That depends. If they usually act on an IDS alarm in some way, they should act the same way even in this case. But if they want to test their vulnerabilities as if there were no IDS ...
> Also, how do testers handle multiple IP addresses? Is there any benefit to doing it from multiple IP addresses??

Yes. The attack can be made more hidden and they should have more problems tracking your activities. Also, you sometimes lose the connection to the target, and you should test whether it is reachable from a different IP (so you are blocked) or whether it is unreachable from all IPs (so you probably crashed the device, and we usually call the appropriate person in this case).
> Lastly, do you keep logs of tests performed just to cover yourself?

Of course! The schedule (including source IPs) is a part of the final report.

-- 
Martin Mačok
http://underground.cz/
martin.macok () underground cz
http://Xtrmntr.org/ORBman/
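The "am I blocked, or did I crash it?" check described above, written out as an added example; this is not code from the thread or from any tool the posters used. It probes the target from each of the tester's source addresses, adds a control host that the customer must be able to serve (the mail or web server mentioned earlier) so that "unreachable from everywhere" can be separated from "my own uplink is down", and emits timestamped log lines of the kind that end up in the report. The source and target addresses are constructed from RFC 5737 documentation ranges; the `control` host and the `tester_network` verdict are this example's additions, not something the thread states.

```python
"""Reachability triage from several source addresses, plus an activity log.

Added example, not part of the original thread. It assumes the tester's host
has the listed source addresses configured locally (so bind() succeeds) and
that the target and the control host accept TCP on the chosen port.
"""
import socket
from datetime import datetime, timezone


def probe_tcp(target, port, source_ip, timeout=3.0):
    """True if a TCP connect from source_ip to target:port succeeds within timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.bind((source_ip, 0))        # pick the source address, ephemeral port
        sock.connect((target, port))
        return True
    except OSError:                      # refused, timed out, no route, bind failure
        return False
    finally:
        sock.close()


def classify(target_results, control_results=None):
    """Classify an outage from per-source results (dicts of source_ip -> bool).

    up             reachable from every source
    blocked        reachable from some sources only: a filter is keying on source IP
    tester_network unreachable from everywhere, and so is the control host: our side
    down           unreachable from everywhere while the control host answers:
                   the target itself is probably gone, escalate to the customer contact
    """
    reached = sum(1 for ok in target_results.values() if ok)
    if reached == len(target_results):
        return "up"
    if reached > 0:
        return "blocked"
    if control_results is not None and not any(control_results.values()):
        return "tester_network"
    return "down"


def log_entry(source_ip, target, port, ok, ts=None):
    """One line for the engagement log: UTC timestamp, source, destination, result."""
    ts = ts or datetime.now(timezone.utc)
    state = "reachable" if ok else "unreachable"
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {source_ip} -> {target}:{port} {state}"


def triage(target, port, sources, control=None, probe=probe_tcp):
    """Probe target (and optionally a control host) from every source address.

    Returns (verdict, log_lines). `probe` is injectable so the decision logic
    can be exercised without network access.
    """
    lines = []
    target_results = {}
    for src in sources:
        ok = probe(target, port, src)
        target_results[src] = ok
        lines.append(log_entry(src, target, port, ok))
    control_results = None
    if control is not None:
        control_results = {}
        for src in sources:
            ok = probe(control, port, src)
            control_results[src] = ok
            lines.append(log_entry(src, control, port, ok))
    return classify(target_results, control_results), lines


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges); substitute real ones.
    SOURCES = ["192.0.2.10", "192.0.2.11", "198.51.100.5"]
    verdict, log_lines = triage("203.0.113.20", 80, SOURCES, control="203.0.113.25")
    print("\n".join(log_lines))
    print("verdict:", verdict)
```

Run it from the host that owns the source addresses; a "blocked" verdict means the customer's side filtered the IP you were working from, while "down" with the control host still answering is the case where the thread suggests picking up the phone. Keep the emitted lines with the rest of the engagement log so the report's schedule of source IPs matches what was actually sent.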
Current thread:
- How much do you disclose to customers? Alfred Huger (Dec 18)
- Re: How much do you disclose to customers? wirepair (Dec 19)
- Re: How much do you disclose to customers? Martin Mačok (Dec 19)
- Re: How much do you disclose to customers? Stephen de Vries (Dec 19)
- RE: How much do you disclose to customers? Jerry Shenk (Dec 19)
- Re: How much do you disclose to customers? Meritt James (Dec 19)
- Re: How much do you disclose to customers? Harry Hoffman (Dec 20)
- Re: How much do you disclose to customers? fergus (Dec 19)
- Re: How much do you disclose to customers? goat (Dec 20)
- <Possible follow-ups>
- RE: How much do you disclose to customers? Teicher, Mark (Mark) (Dec 19)
- RE: How much do you disclose to customers? Kinnane, Scott (Dec 19)
- RE: How much do you disclose to customers? Michal Zalewski (Dec 20)
- RE: How much do you disclose to customers? Gary Everekyan (Dec 19)
(Thread continues...)