Re: How much do you disclose to customers?

["Stephen de Vries" <stephen () twisteddelight org>]

IMO it is good practice to keep a clear communication channel between
testers and clients.  Remember that the client has hired you to perform a
vulnerability assessment or penetration test and you're really both
working for the same side and unless there is a specific requirement to
conduct tests stealthily, I think you should be very open about sharing
information.

To many clients the process of pentesting is something of a mystery - all
they know is that there are some green haired tattoed teenagers (thanks
NAI) on the other side of the firewall trying to hack their site and the
only real result of the pentest is the report they receive after 5 days of
"work".  In my experience establishing an open communication channel with
the client gives them a degree of assurance that the work they've paid for
is indeed valuabled to their business.  The following could be considered,
depending on the client and what they hope to achieve from the pentest:

- A briefing with the admins, security manager and person who commissioned
the work _before_ any testing begins to explain the methodology that will
be followed, what sort of tests will be performed and how they can expect
these tests to impact their systems and their network.  Tests are often
performed on live, mission critical systems and the client needs assurance
that the testers are taking the necessary precautions to ensure that their
systems stay up.  Source IP addresses and the time of any DoS tests can be
arranged during this meeting.

- A daily conference call with relevant parties to summarize the tests
performed that day and also to discuss any significant findings.

- At the end of the test, the client receives the final report.  It may be
useful at this stage to arrange a presentation of the report to the
business owners.  This can be an important step in helping the client's
security team gain managements backing for implementing recommended
changes.

There's no need to harass sys-admins with every finding discovered, just
be open about what you're doing and how it will affect their systems.

2p

Stephen


> I am posting this for a user who is having difficulty posting directly to
> the list. Please reply to the list.
>
> -al
>
>
> To: Joe P <joe_nasdaq () yahoo com>
> Cc: pen-test () securityfocus com
> Subject: Re: How much do you disclose to customers?
>
>
> On Tue, 16 Dec 2003, Joe P wrote:
>
> > Hi everyone,
> >
> > I have a question on customer disclosure.  Is it wise to tell the
> customer  which IP addresses you'll be
> using before starting pen tests?
> > Cons for Telling:
> > I was thinking that if you did tell them you may get an over zealous,
> insecure admin that just sets up a
> filter to block you out to make him/herself look good.
> > Pros for Telling:
> > 1) if you don't tell them your IP address they may think your doing
> testing when in actuallity it's someone
> else (ie: a true cracker trying to break in).
> > 2) Audit trail reasons - if you trip up an IDS while doing testing they
> can ignore those alarms.
> > Also, how do testers handle multiple IP addresses?  Is there any benefit
> to doing it from multiple IP
> addresses??
> > How do testers distribute a test amongst multiple people?
> >
> > Lastly,  do you keep logs of tests performed just to cover yourself?
> (Ie: "Our server crashed on Saturday,
> it must have been something you did!!"")
> > thanks ahead of time,
> > Joe
>
> Alfred Huger
> Symantec Corp.
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------