Penetration Testing mailing list archives

Re: How much do you disclose to customers?


From: H Carvey <keydet89 () yahoo com>
Date: 19 Dec 2003 15:37:03 -0000

In-Reply-To: <Pine.LNX.4.58.0312181312530.21066 () mail securityfocus com>


I have a question on customer disclosure.  Is it wise to tell the customer which IP addresses you'll be using before starting pen tests?

The way I've seen this handled is through the contract.  Basically, what you do is obtain a "cut out"...someone higher 
up in the company such as an IT Manager or VP.  Ideally, this would be the person to whom all intrusion attempts are 
reported.  That way, he knows what's going on and whether or not the LEOs need to be alerted.

I understand your concern about overzealous, insecure admins.  I've seen such posts to the lists, too.  However, look 
at it this way...if the admin does this, and does so against the orders of the IT Manager/VP, then you've identified at 
least one security risk already, haven't you?

Also, how do testers handle multiple IP addresses?  Is there any benefit to doing it from multiple IP addresses??

Simply include it in the contract.

How do testers distribute a test amongst multiple people?

It depends on how you're organized, the amount of time you have, and the skills of your staff.  Some folks may go after 
low-hanging fruit such as web or ftp servers, while others may be tasked with continual network mapping.

Lastly, do you keep logs of tests performed just to cover yourself?  (Ie: "Our server crashed on Saturday, it must have been something you did!!")

Not just logs...detailed documentation.  Believe me, it helps.  I remember going on-site for a VA once, and while we 
were still in w/ the IT Manager, an admin came in and informed him that the "scanning the security guys were doing had 
crashed a couple of servers".  We were all standing there with our laptops still in our bags.  Our "CYA" was the 
manager in that case.

However, the contract should also include a hold-harmless statement...something to the effect that the testers will 
take all reasonable precautions to ensure that something is not crashed, but things do happen.  Also, give your client 
the opportunity to designate systems that will not be involved in the pen test, and may be subject to a thorough VA at 
a later date.

Hope that helps,

Harlan
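The "detailed documentation" point above is the kind of thing a small tool can enforce rather than rely on memory for. The following is an added example written for this archive page, not code from the original post or its author: a wrapper that runs each test command and appends a timestamped, hash-chained record (operator, source host, in-scope target, exact command, exit code, digest of the output) to a JSON-lines log, plus a verifier that walks the chain. The log format, field names and chaining scheme are my own choices, and the target strings used in the usage are constructed placeholders. With such a log, "our server crashed on Saturday" can be answered with exactly what ran, from where, and when, and a verifier can show the record was not edited after the fact.

```python
"""Tamper-evident engagement activity log (added example, not from the original post).

Assumptions: a JSON-lines file where every entry commits to the previous entry's
SHA-256 (a hash chain), so a deleted, inserted or edited entry breaks verification.
"""
from __future__ import annotations

import hashlib
import json
import shlex
import socket
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # prev_hash recorded by the first entry of a fresh log


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, hash field excluded) so re-verification is reproducible.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _last_hash(log_path: Path) -> str:
    if not log_path.exists() or log_path.stat().st_size == 0:
        return GENESIS
    last_line = log_path.read_text().rstrip("\n").splitlines()[-1]
    return json.loads(last_line)["hash"]


def run_logged(argv: list[str], log_path: Path, target: str, operator: str) -> dict:
    """Run a command and append a chained log entry describing what was done."""
    started = _utc_now()
    proc = subprocess.run(argv, capture_output=True, text=True)
    entry = {
        "started": started,
        "finished": _utc_now(),
        "operator": operator,
        "source_host": socket.gethostname(),   # which tester machine the activity came from
        "target": target,                      # the in-scope system named in the contract
        "command": shlex.join(argv),           # exact command line, shell-quoted
        "exit_code": proc.returncode,
        "stdout_sha256": hashlib.sha256(proc.stdout.encode()).hexdigest(),
        "prev_hash": _last_hash(log_path),
    }
    entry["hash"] = _entry_hash(entry)
    with log_path.open("a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path: Path) -> tuple[bool, int]:
    """Walk the chain; return (ok, number of entries verified before the first failure)."""
    prev = GENESIS
    count = 0
    for line in log_path.read_text().splitlines():
        entry = json.loads(line)
        if entry.get("prev_hash") != prev or _entry_hash(entry) != entry.get("hash"):
            return False, count
        prev = entry["hash"]
        count += 1
    return True, count


if __name__ == "__main__":
    # Usage: python engagement_log.py <target> <command> [args...]
    # Example target "10.0.0.5" below is a constructed placeholder, not a real system.
    if len(sys.argv) < 3:
        sys.exit("usage: engagement_log.py <target> <command> [args...]")
    log = Path("engagement.jsonl")
    rec = run_logged(sys.argv[2:], log, target=sys.argv[1], operator="tester")
    print(json.dumps(rec, indent=2))
    print("chain ok:", verify_log(log))
```

Keep the log on the tester's own machine (ideally mirrored to the "cut out" contact periodically, with the latest hash) so that the person who fields the "your scan crashed our server" complaint can check the timeline independently of the testers.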
