How much do you disclose to customers?

[Alfred Huger <ah () securityfocus com>]

I am posting this for a user who is having difficulty posting directly to
the list. Please reply to the list.

-al


To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?


On Tue, 16 Dec 2003, Joe P wrote:

> Hi everyone,
>
> I have a question on customer disclosure.  Is it wise to tell the
customer  which IP addresses you'll be
using before starting pen tests?
> Cons for Telling:
> I was thinking that if you did tell them you may get an over zealous,
insecure admin that just sets up a
filter to block you out to make him/herself look good.
> Pros for Telling:
> 1) if you don't tell them your IP address they may think your doing
testing when in actuallity it's someone
else (ie: a true cracker trying to break in).
> 2) Audit trail reasons - if you trip up an IDS while doing testing they
can ignore those alarms.
> Also, how do testers handle multiple IP addresses?  Is there any benefit
to doing it from multiple IP
addresses??
> How do testers distribute a test amongst multiple people?
>
> Lastly,  do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")
> thanks ahead of time,
> Joe

Alfred Huger
Symantec Corp.

---------------------------------------------------------------------------
----------------------------------------------------------------------------