Penetration Testing mailing list archives
Re: How much do you disclose to customers?
From: "Stephen de Vries" <stephen () twisteddelight org>
Date: Sun, 21 Dec 2003 02:29:25 -0500 (EST)
IMO it is good practice to keep a clear communication channel between testers and clients. Remember that the client has hired you to perform a vulnerability assessment or penetration test, and you're really both working for the same side, and unless there is a specific requirement to conduct tests stealthily, I think you should be very open about sharing information. To many clients the process of pentesting is something of a mystery - all they know is that there are some green-haired, tattooed teenagers (thanks NAI) on the other side of the firewall trying to hack their site, and the only real result of the pentest is the report they receive after 5 days of "work". In my experience, establishing an open communication channel with the client gives them a degree of assurance that the work they've paid for is indeed valuable to their business.

The following could be considered, depending on the client and what they hope to achieve from the pentest:

- A briefing with the admins, security manager and the person who commissioned the work _before_ any testing begins, to explain the methodology that will be followed, what sort of tests will be performed and how they can expect these tests to impact their systems and their network. Tests are often performed on live, mission-critical systems and the client needs assurance that the testers are taking the necessary precautions to ensure that their systems stay up. Source IP addresses and the time of any DoS tests can be arranged during this meeting.

- A daily conference call with relevant parties to summarize the tests performed that day and also to discuss any significant findings.

- At the end of the test, the client receives the final report. It may be useful at this stage to arrange a presentation of the report to the business owners. This can be an important step in helping the client's security team gain management's backing for implementing recommended changes.

There's no need to harass sys-admins with every finding discovered, just be open about what you're doing and how it will affect their systems.

2p

Stephen
I am posting this for a user who is having difficulty posting directly to the list. Please reply to the list.

-al

To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

> Hi everyone,
>
> I have a question on customer disclosure. Is it wise to tell the customer which IP addresses you'll be using before starting pen tests?
>
> Cons for Telling: I was thinking that if you did tell them you may get an over-zealous, insecure admin that just sets up a filter to block you out to make him/herself look good.
>
> Pros for Telling:
> 1) If you don't tell them your IP address they may think you're doing testing when in actuality it's someone else (i.e. a true cracker trying to break in).
> 2) Audit trail reasons - if you trip up an IDS while doing testing they can ignore those alarms.
>
> Also, how do testers handle multiple IP addresses? Is there any benefit to doing it from multiple IP addresses?
>
> How do testers distribute a test amongst multiple people?
>
> Lastly, do you keep logs of tests performed just to cover yourself? (i.e. "Our server crashed on Saturday, it must have been something you did!!")
>
> thanks ahead of time,
> Joe

Alfred Huger
Symantec Corp.
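Two of the points raised in the thread, telling the client the source IPs up front and keeping a log of what was run so that an outage or an IDS alarm can be matched against the tester's activity, come down to the same discipline: every test command gets a timestamped record. The following is an added example written for this archive page, not code from either poster. It wraps each test command so that its UTC start and end time, the tester's source address, the target and the exact command line are appended to a tab-separated log. The source IP 192.0.2.10 and the log path are assumed defaults and would be replaced by whatever was agreed in the pre-test briefing.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal per-command activity log for a
# penetration test. Everything is run through run_logged so that the client can
# line the log up against their firewall/IDS logs and against any outage they
# want to attribute to the test ("the server crashed on Saturday...").

# Assumed defaults; the real values come from the pre-test briefing.
PENTEST_LOG="${PENTEST_LOG:-./pentest-activity.log}"
TESTER_SRC_IP="${TESTER_SRC_IP:-192.0.2.10}"

# run_logged <target> <command...>
# Runs the command, then appends one record:
#   start_utc  end_utc  source_ip  target  exit_status  command
# and returns the command's own exit status so normal shell flow is preserved.
run_logged() {
    target="$1"
    shift
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    "$@"
    status=$?
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$start" "$end" "$TESTER_SRC_IP" "$target" "$status" "$*" >> "$PENTEST_LOG"
    return "$status"
}

# count_entries_for <target>
# Number of logged commands that were aimed at a given target; this is the
# question the client actually asks ("what were you doing against host X?").
count_entries_for() {
    awk -F'\t' -v t="$1" '$4 == t { n++ } END { print n + 0 }' "$PENTEST_LOG"
}

# entries_between <from_utc> <to_utc>
# Prints the log lines whose start time falls in an ISO-8601 window, which is
# what you hand over when an outage is blamed on the test.
entries_between() {
    awk -F'\t' -v a="$1" -v b="$2" '$1 >= a && $1 <= b' "$PENTEST_LOG"
}

# Typical use during the engagement (the scan itself is illustrative):
#   run_logged 203.0.113.5 nmap -sS -p 1-1024 203.0.113.5
#   count_entries_for 203.0.113.5
#   entries_between 2003-12-20T00:00:00Z 2003-12-21T00:00:00Z
```

The log records the exact command line rather than a description of it, because the value of the log is that it cannot be argued with: if the client's IDS shows a port sweep from 192.0.2.10 at 14:02 UTC, the corresponding line is either there or it is not. Because the timestamps are UTC and ISO-8601, `entries_between` can compare them as plain strings. When several testers or several source addresses are used, each tester keeps their own log with their own `TESTER_SRC_IP`, and the logs are simply concatenated for the client; the source-address column keeps them distinguishable.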
Current thread:
- How much do you disclose to customers? Alfred Huger (Dec 18)
- Re: How much do you disclose to customers? wirepair (Dec 19)
- Re: How much do you disclose to customers? Martin Mačok (Dec 19)
- Re: How much do you disclose to customers? Stephen de Vries (Dec 19)
- RE: How much do you disclose to customers? Jerry Shenk (Dec 19)
- Re: How much do you disclose to customers? Meritt James (Dec 19)
- Re: How much do you disclose to customers? Harry Hoffman (Dec 20)
- Re: How much do you disclose to customers? fergus (Dec 19)
- Re: How much do you disclose to customers? goat (Dec 20)
- <Possible follow-ups>
- RE: How much do you disclose to customers? Teicher, Mark (Mark) (Dec 19)
- RE: How much do you disclose to customers? Kinnane, Scott (Dec 19)
- RE: How much do you disclose to customers? Michal Zalewski (Dec 20)
- RE: How much do you disclose to customers? Gary Everekyan (Dec 19)
- Re: How much do you disclose to customers? H Carvey (Dec 19)
(Thread continues...)