Penetration Testing mailing list archives
RE: How much do you disclose to customers?
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 19 Dec 2003 19:35:01 +0100 (CET)
On Fri, 19 Dec 2003, Kinnane, Scott wrote:
> I'd explain to the customer that in a real security attack, you don't know the source of the attack when it starts, so you need to simulate as real a situation as possible. The logs would come in handy as you could offer that as proof of what was coming from you.

It only makes sense if you already know an attack vector, and want to test response procedures and incident awareness.

In all other cases (meaning, a typical pen-test), it is wise to tell the customer, simply because you do NOT want them to initiate a response, immediately bring systems down if there is a suspicion one of the attacks might have succeeded, etc. (let alone contacting your ISP). But more importantly, you want them to be prepared for eventual consequences, for example downtime resulting from an intentional (or accidental) DoS-type test.

I do not think, however, that it is wise to mix both response analysis and vulnerability assessment, or that it is feasible to do so without compromising the completeness of the pen-test itself.

My $.02, I suppose there would be just as many views as posters in the thread.

--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-12-19 19:30 --
http://lcamtuf.coredump.cx/photo/current/