nanog mailing list archives

Re: Internet access for security consultants - pen tests, attack traffic, bulk e-mail, etc.


From: Andrew Kerr <andrew () thekerrs ca>
Date: Tue, 12 Sep 2017 00:11:38 +0000

I work for a MSSP (Managed Security Services Provider) that provides some
of these services including vulnerability scanning and such.  If it's a
legitimate provider doing work for customers, you should never get a
complaint about their activities.  Before we do any kind of scan, we have a
contract in place with the customer and include the IP(s) we'll be scanning
from and the range of IPs we'll be scanning (assuming this is an external
scan).  If they're not getting permission from customers first, they are
almost certainly breaking laws by scanning systems they don't have
permission to, and I wouldn't host them.

Assuming you have a legal department, just make sure that you put
something that says this type of activity will only be permitted when the
target has agreed to the scan in advance.  If you get some complaints,
investigate, and if they're breaking the contract, turf them.


On Mon, 11 Sep 2017 at 16:01 james machado <hvgeekwtrvl () gmail com> wrote:

On Mon, Sep 11, 2017 at 3:40 PM, Sean Pedersen <spedersen.lists () gmail com>
wrote:

We were recently approached by a company that does security consulting. Some
of the functions they perform include discovery scans, penetration testing,
bulk e-mail generation (phishing, malware, etc.), hosting fake botnets -
basically, they'd be generating a lot of bad network traffic. Targeted at
specific clients/customers, but still bad. As an ISP, this is new territory
for us and there are some concerns about potential impact, abuse reports,
reputation, authorization to perform such tests, etc.

Does anyone have experience in this area that would be willing to offer
advice?

From a customer point of view:

We have written agreements with our vendors on who they can and can not
send this traffic from, where exactly it is coming from and what type of
traffic it will be.  One reason our vendor does this is to not get on black
hole/spam lists or to cause their ISP issues, as well as having proof that
they are allowed to send specific traffic to specific addresses for a
specific time period.  The test managers then know what to expect and to
head off abuse notifications after detection of the specific traffic.  We,
also, use this traffic to test other vendors we might have and only after
detection we will have white lists or black lists put in place as
warranted.

I would expect the company in question to be able to provide documentation
that could track any specific traffic back to an engagement that has the
approval of their customer.  If they have been around for a bit they should
have a track record and may have current IP space that could be vetted to
see what condition it is in.  Are they leaving it or adding to it?  If
they are leaving their current space then find out why.

James

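One way to act on James's point from the customer side, as an added example that is not code from any poster: the engagement register and alert lines below are constructed, and an alert counts as an authorised test only when its source IP, destination, traffic type and timestamp all fall within a registered engagement; everything else is handled as an ordinary abuse report.

```python
"""Match IDS alerts against a register of pre-authorised vendor engagements."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    vendor: str
    sources: tuple       # IPs the vendor committed to send traffic from
    targets: tuple       # networks the vendor is permitted to touch
    kinds: frozenset     # traffic types agreed in the written contract
    start: datetime      # agreed window, inclusive, timezone-aware
    end: datetime

    def covers(self, src, dst, kind, when):
        """True only if every contractual dimension matches the alert."""
        return (ip_address(src) in {ip_address(s) for s in self.sources}
                and any(ip_address(dst) in ip_network(t) for t in self.targets)
                and kind in self.kinds
                and self.start <= when <= self.end)


# Constructed register (hypothetical vendor, documentation-only IP ranges).
REGISTER = [
    Engagement("vendor-a", ("203.0.113.10",), ("198.51.100.0/24",),
               frozenset({"portscan", "phish"}),
               datetime(2017, 9, 11, tzinfo=timezone.utc),
               datetime(2017, 9, 15, 23, 59, 59, tzinfo=timezone.utc)),
]


def triage(alert_line, register=REGISTER):
    """Classify one alert line; format (constructed): '<iso-time> <src> <dst> <kind>'.

    Returns ("authorised", vendor) when a registered engagement covers the
    alert, otherwise ("unauthorised", None) so the alert follows the normal
    abuse-report path.
    """
    ts, src, dst, kind = alert_line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    for eng in register:
        if eng.covers(src, dst, kind, when):
            return "authorised", eng.vendor
    return "unauthorised", None


if __name__ == "__main__":
    # Constructed sample alerts: one inside the engagement, three outside it.
    for line in ("2017-09-12T00:11:38Z 203.0.113.10 198.51.100.7 portscan",
                 "2017-09-12T00:12:00Z 203.0.113.10 192.0.2.5 portscan",
                 "2017-09-20T00:00:00Z 203.0.113.10 198.51.100.7 portscan",
                 "2017-09-12T00:12:00Z 203.0.113.99 198.51.100.7 portscan"):
        print(line, "->", triage(line))
```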