Penetration Testing mailing list archives

RE: How much do you disclose to customers?


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 18 Dec 2003 21:58:35 -0500

Before answering anything - my testing philosophy is that I'm trying to
help the client find and fix their problems.  I am normally not in the
case where I'm trying to 'smack' somebody.  I'm normally working WITH IT
so I'm gonna answer the questions from that perspective.

Logging - I keep detailed logs.  I don't quite log every command but I
log all the major stuff.  Partly to cover myself and partly so that if
their server does crash, I can help them pinpoint the problem test.
Pen-testing sometimes breaks things....better to have me break it than
their competition...I'll help 'em get it fixed.  Another reason for
keeping detailed logs is 'cuz in 2 months, I may want to test something
else and re-run a similar test.  Some guys remember every command-line
and combination for every test they run....me, I can't even remember
which box it's on, or what directory it's located in;).  Another reason,
the client may want a follow-up test after they've fixed the problem.

Attack IP - nope, I never tell them.  I do ask them to contact me
(actually, it's usually the sales guy as an intermediary) before they
spend too much time tracking me down, getting me arrested, etc.  I
include in my report when they contacted me.  I also include if they
never contact me (normally they never notice it).  If I suspected that I
was being blocked, I'd try to work around that.  I'd use a dialup
connection, go over to my mom's, anything.  If they're proactively
blocking me, I would figure out what it took to get a block, document it
and see if I could get their DNS servers, external web site and root DNS
servers blocked....at least to a degree.  I do not try to take my
clients out of business unless they specifically ask for a heavy DOS
test and most do not.

I also do testing at all kinds of goofy times.  If they try to take
boxes down to avoid testing....well, have fun;)

-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com] 
Sent: Thursday, December 18, 2003 3:14 PM
To: pen-test () securityfocus com
Subject: How much do you disclose to customers?




I am posting this for a user who is having difficulty posting directly
to the list. Please reply to the list.

-al


To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?


On Tue, 16 Dec 2003, Joe P wrote:

Hi everyone,

I have a question on customer disclosure.  Is it wise to tell the
customer which IP addresses you'll be using before starting pen tests?

Cons for Telling:
I was thinking that if you did tell them you may get an overzealous,
insecure admin that just sets up a filter to block you out to make
him/herself look good.

Pros for Telling:
1) If you don't tell them your IP address they may think you're doing
testing when in actuality it's someone else (i.e. a true cracker trying
to break in).
2) Audit trail reasons - if you trip up an IDS while doing testing they
can ignore those alarms.

Also, how do testers handle multiple IP addresses?  Is there any
benefit to doing it from multiple IP addresses??

How do testers distribute a test amongst multiple people?

Lastly, do you keep logs of tests performed just to cover yourself?
(I.e.: "Our server crashed on Saturday, it must have been something you
did!!")

thanks ahead of time,
Joe




Alfred Huger
Symantec Corp.
