Penetration Testing mailing list archives
RE: How much do you disclose to customers?
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 18 Dec 2003 21:58:35 -0500
Before answering anything - my testing philosophy is that I'm trying to help the client find and fix their problems. I am normally not in the case where I'm trying to 'smack' somebody. I'm normally working WITH IT so I'm gonna answer the questions from that perspective.

Logging - I keep detailed logs. I don't quite log every command but I log all the major stuff. Partly to cover myself and partly so that if their server does crash, I can help them pinpoint the problem test. Pen-testing sometimes breaks things....better to have me break it than their competition...I'll help 'em get it fixed. Another reason for keeping detailed logs is 'cuz in 2 months, I may want to test something else and re-run a similar test. Some guys remember every command-line and combination for every test they run....me, I can't even remember which box it's on, or what directory it's located in;). Another reason, the client may want a follow-up test after they've fixed the problem.

Attack IP - nope, I never tell them. I do ask them to contact me (actually, it's usually the sales guy as an intermediary) before they spend too much time tracking me down, getting me arrested, etc. I include in my report when they contacted me. I also include if they never contact me (normally they never notice it). If I suspected that I was being blocked, I'd try to work around that. I'd use a dialup connection, go over to my mom's, anything. If they're proactively blocking me, I would figure out what it took to get a block, document it and see if I could get their DNS servers, external web site and root DNS servers blocked....at least to a degree. I do not try to take my clients out of business unless they specifically ask for a heavy DOS test and most do not. I also do testing at all kinds of goofy times.

If they try to take boxes down to avoid testing....well, have fun;)

-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com]
Sent: Thursday, December 18, 2003 3:14 PM
To: pen-test () securityfocus com
Subject: How much do you disclose to customers?

I am posting this for a user who is having difficulty posting directly to the list. Please reply to the list.

-al

To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:
Hi everyone, I have a question on customer disclosure. Is it wise to tell the
customer which IP addresses you'll be using before starting pen tests?
Cons for Telling: I was thinking that if you did tell them you may get an overzealous,
insecure admin that just sets up a filter to block you out to make him/herself look good.
Pros for Telling: 1) if you don't tell them your IP address they may think you're doing
testing when in actuality it's someone else (i.e.: a true cracker trying to break in).
2) Audit trail reasons - if you trip up an IDS while doing testing
they can ignore those alarms.
Also, how do testers handle multiple IP addresses? Is there any
benefit to doing it from multiple IP addresses??
How do testers distribute a test amongst multiple people? Lastly, do you keep logs of tests performed just to cover yourself?
(I.e.: "Our server crashed on Saturday, it must have been something you did!!")
thanks ahead of time, Joe
Alfred Huger
Symantec Corp.