Penetration Testing mailing list archives
RE: How much do you disclose to customers?
From: "Gary Everekyan" <geverekyan () univision net>
Date: Thu, 18 Dec 2003 20:00:20 -0500
In general... It all depends on the agreement. Usually the agreement is with executive level and they may pose time and ingress restrictions. It is important to define the scope, deliverables and stick to it. (when, from where, which tests, which members of MIS will participate, etc) As always, having more resources (people, tools, source addresses etc) will help greatly.

Regards,
Gary Everekyan CISSP, CISM, MCSE, MCT
Information Security Manager
Security and Audit

-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com]
Sent: Thursday, December 18, 2003 3:14 PM
To: pen-test () securityfocus com
Subject: How much do you disclose to customers?

I am posting this for a user who is having difficulty posting directly to the list. Please reply to the list.

-al

To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:
Hi everyone,

I have a question on customer disclosure. Is it wise to tell the customer which IP addresses you'll be using before starting pen tests?

Cons for Telling: I was thinking that if you did tell them you may get an overzealous, insecure admin that just sets up a filter to block you out to make him/herself look good.

Pros for Telling:
1) if you don't tell them your IP address they may think you're doing testing when in actuality it's someone else (ie: a true cracker trying to break in).
2) Audit trail reasons - if you trip up an IDS while doing testing they can ignore those alarms.

Also, how do testers handle multiple IP addresses? Is there any benefit to doing it from multiple IP addresses??

How do testers distribute a test amongst multiple people?

Lastly, do you keep logs of tests performed just to cover yourself? (Ie: "Our server crashed on Saturday, it must have been something you did!!")

thanks ahead of time,
Joe
Alfred Huger
Symantec Corp.