Penetration Testing mailing list archives
Re: How much do you disclose to customers?
From: H Carvey <keydet89 () yahoo com>
Date: 19 Dec 2003 15:37:03 -0000
In-Reply-To: <Pine.LNX.4.58.0312181312530.21066 () mail securityfocus com>
> I have a question on customer disclosure. Is it wise to tell the customer which IP addresses you'll be using before starting pen tests?
The way I've seen this handled is through the contract. Basically, what you do is obtain a "cut out"...someone higher up in the company such as an IT Manager or VP. Ideally, this would be the person to whom all intrusion attempts are reported. That way, he knows what's going on and whether or not the LEOs need to be alerted. I understand your concern about overzealous, insecure admins. I've seen such posts to the lists, too. However, look at it this way...if the admin does this, and does so against the orders of the IT Manager/VP, then you've identified at least one security risk already, haven't you?
> Also, how do testers handle multiple IP addresses? Is there any benefit to doing it from multiple IP addresses?
Simply include it in the contract.
> How do testers distribute a test amongst multiple people?
It depends on how you're organized, the amount of time you have, and the skills of your staff. Some folks may go after low-hanging fruit such as web or ftp servers, while others may be tasked with continual network mapping.
> Lastly, do you keep logs of tests performed just to cover yourself? (I.e.: "Our server crashed on Saturday, it must have been something you did!!")
Not just logs...detailed documentation. Believe me, it helps. I remember going on-site for a VA once, and while we were still in w/ the IT Manager, an admin came in and informed him that the "scanning the security guys were doing had crashed a couple of servers". We were all standing there with our laptops still in our bags. Our "CYA" was the manager in that case. However, the contract should also include a hold-harmless statement...something to the effect that the testers will take all reasonable precautions to ensure that something is not crashed, but things do happen. Also, give your client the opportunity to designate systems that will not be involved in the pen test, and may be subject to a thorough VA at a later date.

Hope that helps,

Harlan
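One way to keep the "detailed documentation" the reply above recommends, as an added example that is not part of the original post or the poster's own tooling: every action the tester runs is appended to a hash-chained JSON log that records who ran what, from which source address, against which target, and when it started and finished. The chaining goes a step beyond plain logging, so that a record that is edited, reordered or deleted after the fact is detectable when the log is handed to the client contact. The field names, the `tester` label and the sample addresses and commands are assumptions made for this example.

```python
# Added example, not from the original post: a tamper-evident engagement log.
# Each test action becomes a JSON record bound to the previous one by SHA-256,
# so the tester can later show exactly what was run, from where, against what,
# and when, and can prove nothing was altered afterwards. Field names, the
# "tester" label and the sample entries are assumptions for this example.
import datetime
import hashlib
import json
import subprocess
import sys

GENESIS = "0" * 64  # prev-hash used by the first record


def utc_now() -> str:
    """ISO-8601 UTC timestamp; keep every clock in the engagement on UTC."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


def _digest(prev_hash: str, body: dict) -> str:
    """Hash of the canonical JSON body, bound to the previous record's hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def log_action(log: list, tester: str, src_ip: str, target: str,
               command: list, rc: int, started: str, finished: str,
               note: str = "") -> dict:
    """Append one record to the in-memory log and return it."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "tester": tester,
        "src_ip": src_ip,      # the address the client was told to expect
        "target": target,
        "command": command,
        "rc": rc,
        "started": started,
        "finished": finished,
        "note": note,
    }
    rec = {"body": body, "prev": prev, "hash": _digest(prev, body)}
    log.append(rec)
    return rec


def run_logged(log: list, tester: str, src_ip: str, target: str, argv: list) -> dict:
    """Run a tool and record it. The start/end times bracket the real activity,
    so a "your scan crashed our server on Saturday" claim can be checked."""
    started = utc_now()
    proc = subprocess.run(argv, capture_output=True, text=True)
    finished = utc_now()
    # Store a hash of the output rather than the output itself: the log stays
    # small and the raw tool output can be produced from the archive on demand.
    out_hash = hashlib.sha256(proc.stdout.encode()).hexdigest()
    return log_action(log, tester, src_ip, target, argv, proc.returncode,
                      started, finished, note=f"stdout_sha256={out_hash}")


def verify_chain(log: list) -> int:
    """Return -1 if every record's hash and prev-link check out, otherwise the
    index of the first record that fails (edited, reordered, or its
    predecessor removed)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["body"]["seq"] != i:
            return i
        if _digest(prev, rec["body"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def save_log(log: list, path: str) -> None:
    """One JSON record per line; hand a copy to the client's designated
    contact at the end of each test day so both sides hold the same evidence."""
    with open(path, "w") as fh:
        for rec in log:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")


if __name__ == "__main__":
    log = []
    # Constructed sample entries; addresses are documentation-range placeholders.
    run_logged(log, "hc", "198.51.100.7", "192.0.2.10",
               [sys.executable, "-c", "print('scan stub')"])
    log_action(log, "hc", "198.51.100.7", "192.0.2.11", ["nmap", "-sS", "192.0.2.11"], 0,
               "2003-12-19T14:00:00+00:00", "2003-12-19T14:05:12+00:00", "port sweep")
    print("chain ok" if verify_chain(log) == -1 else "chain BROKEN")
    log[1]["body"]["target"] = "192.0.2.99"  # simulate after-the-fact editing
    print("first bad record:", verify_chain(log))
```

The source address recorded in each entry should be the same one disclosed to the client in the contract; if the two ever differ, the log itself shows the discrepancy. Sharing the daily log with the client contact is what makes the chain useful: a copy held by both sides cannot be quietly rewritten by either.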
Current thread:
- Re: How much do you disclose to customers?, (continued)
- Re: How much do you disclose to customers? Stephen de Vries (Dec 19)
- RE: How much do you disclose to customers? Jerry Shenk (Dec 19)
- Re: How much do you disclose to customers? Meritt James (Dec 19)
- Re: How much do you disclose to customers? Harry Hoffman (Dec 20)
- Re: How much do you disclose to customers? fergus (Dec 19)
- Re: How much do you disclose to customers? goat (Dec 20)
- RE: How much do you disclose to customers? Teicher, Mark (Mark) (Dec 19)
- RE: How much do you disclose to customers? Kinnane, Scott (Dec 19)
- RE: How much do you disclose to customers? Michal Zalewski (Dec 20)
- RE: How much do you disclose to customers? Gary Everekyan (Dec 19)
- Re: How much do you disclose to customers? H Carvey (Dec 19)
- Re: How much do you disclose to customers? Clint Bodungen (Dec 20)
- Re: How much do you disclose to customers? Frank Knobbe (Dec 20)
- RE: How much do you disclose to customers? Brewis, Mark (Dec 19)
- RE: How much do you disclose to customers? Whiteside, Larry [contractor] (Dec 20)