Penetration Testing mailing list archives

RE: How much do you disclose to customers?


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 19 Dec 2003 19:35:01 +0100 (CET)

On Fri, 19 Dec 2003, Kinnane, Scott wrote:

> I'd explain to the customer that in a real security attack, you don't
> know the source of the attack when it starts, so you need to simulate as
> real a situation as possible. The logs would come in handy as you could
> offer that as proof of what was coming from you.

It only makes sense if you already know an attack vector, and want to test
response procedures and incident awareness.

In all other cases (meaning, a typical pen-test), it is wise to tell the
customer, simply because you do NOT want them to initiate a response,
immediately bring systems down if there is a suspicion one of the attacks
might have succeeded, etc. (let alone contacting your ISP). But more
importantly, you want them to be prepared for eventual consequences, for
example a downtime resulting from an intentional (or accidental) DoS-type
test.

I do not think, however, that it is wise to mix both response analysis and
vulnerability assessment, or that it is feasible to do so without
compromising the completeness of the pen-test itself.

My $.02, I suppose there would be just as many views as posters in the
thread.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-19 19:30 --

   http://lcamtuf.coredump.cx/photo/current/
