Penetration Testing mailing list archives
Re: How much do you disclose to customers?
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Fri, 19 Dec 2003 17:04:45 -0600
> > Lastly, do you keep logs of tests performed just to cover yourself? (i.e. "Our server crashed on Saturday, it must have been something you did!!")
>
> Not just logs... detailed documentation. Believe me, it helps. I remember going on-site for a VA once, and while we were still in w/ the IT Manager, an admin came in and informed him that the "scanning the security guys were doing had crashed a couple of servers". We were all standing there with our laptops still in our bags. Our "CYA" was the manager in that case.
>
> However, the contract should also include a hold-harmless statement... something to the effect that the testers will take all reasonable precautions to ensure that something is not crashed, but things do happen. Also, give your client the opportunity to designate systems that will not be involved in the pen test, and may be subject to a thorough VA at a later date.
>
> Hope that helps,
> Harlan
I've done pen-tests where only the top brass knew about it and where the whole IT dept. knew about it. You have to be flexible to the client's needs. There are advantages of each under certain circumstances, and I think this thread has already demonstrated most of the pros and cons of each. I'm submitting my reply because of the poster's last concern... and this may even be a whole other discussion (I'll let the moderators decide).

I've found that this "point the finger at the security guys" is the most common scenario. Harlan is right. On almost every single pen-test I've done, something goes wrong somewhere in the organization's systems (even if we're NOT the ones breaking it), and everybody is very quick to blame the pen-testers or the "security guys" or the consultants, etc. Now that IT security has become almost a household term even to the clueless, our liability risks have increased. Let's face it... it's almost an occupational hazard.

I came across an issue once where we were just starting our test on the "low hanging fruit" at the web front-end when something on the internal LAN went down. We had detailed documentation and logs of our activities proving that we weren't testing anything even remotely related to the system that went down. Furthermore, due to the nature of the testing and what had happened to the other system, it was actually infeasible that we COULD have caused it. However, the SVP of IT wouldn't believe us nor our documentation. He put our tests on hold until he found the root cause of the problem. OK, understandable. Eventually, the IT guys were able to find the issue through their own logs and we were off the hook, but not before this guy was starting to threaten a lawsuit. I know this is probably a rare case, but it still happens... and it only takes one person high enough at the top who is unreasonable and irrational... and one misplaced log or detail, and it can end a career.

Has anyone else dealt with a situation like this or maybe even gone to court over it? Is a contractual disclaimer always going to be enough? We've all seen how the suits and lawyers mangle IT Security and most technological issues in general. Chances are the judge and the jury aren't going to be very technical. So, if you do get taken to court, can you rely on technical evidence if a contractual disclaimer didn't work?