Penetration Testing mailing list archives

RE: How much do you disclose to customers?

From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Thu, 18 Dec 2003 17:42:08 -0700

Depending on the wording of the contract between the consulting house
and the customer.  Some customers require that one discloses what
network one will be scanning from or potential modem assessment from.
In recent months, I have used a large coffee shop as a launching point
for most network based assessments and then relay via Wireless NAT, but
this is a mere possibility with all the HotSpots and Internet cafes..

/mark

-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com] 
Sent: Thursday, December 18, 2003 1:14 PM
To: pen-test () securityfocus com
Subject: How much do you disclose to customers?




I am posting this for a user who is having difficulty posting directly
to the list. Please reply to the list.

-al


To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?


On Tue, 16 Dec 2003, Joe P wrote:

Hi everyone,

I have a question on customer disclosure.  Is it wise to tell the

customer  which IP addresses you'll be
using before starting pen tests?


Cons for Telling:
I was thinking that if you did tell them you may get an over zealous,

insecure admin that just sets up a
filter to block you out to make him/herself look good.


Pros for Telling:
1) if you don't tell them your IP address they may think your doing

testing when in actuallity it's someone
else (ie: a true cracker trying to break in).

2) Audit trail reasons - if you trip up an IDS while doing testing 
they

can ignore those alarms.


Also, how do testers handle multiple IP addresses?  Is there any 
benefit

to doing it from multiple IP
addresses??


How do testers distribute a test amongst multiple people?

Lastly,  do you keep logs of tests performed just to cover yourself?

(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")


thanks ahead of time,
Joe


Alfred Huger
Symantec Corp.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

How much do you disclose to customers? Alfred Huger (Dec 18)
- Re: How much do you disclose to customers? wirepair (Dec 19)
- Re: How much do you disclose to customers? Martin Mačok (Dec 19)
- Re: How much do you disclose to customers? Stephen de Vries (Dec 19)
- RE: How much do you disclose to customers? Jerry Shenk (Dec 19)
- Re: How much do you disclose to customers? Meritt James (Dec 19)
  - Re: How much do you disclose to customers? Harry Hoffman (Dec 20)
- Re: How much do you disclose to customers? fergus (Dec 19)
- Re: How much do you disclose to customers? goat (Dec 20)
- <Possible follow-ups>
- RE: How much do you disclose to customers? Teicher, Mark (Mark) (Dec 19)
- RE: How much do you disclose to customers? Kinnane, Scott (Dec 19)
  - RE: How much do you disclose to customers? Michal Zalewski (Dec 20)
- RE: How much do you disclose to customers? Gary Everekyan (Dec 19)
- Re: How much do you disclose to customers? H Carvey (Dec 19)
  - Re: How much do you disclose to customers? Clint Bodungen (Dec 20)
  - Re: How much do you disclose to customers? Frank Knobbe (Dec 20)
- RE: How much do you disclose to customers? Brewis, Mark (Dec 19)
- RE: How much do you disclose to customers? Whiteside, Larry [contractor] (Dec 20)