RE: How much do you disclose to customers?

["Whiteside, Larry [contractor]" <BAE14 () SPHQ SSP NAVY MIL>]

I think you should first perform the scan and see if they have procedures in place to detect and react to your 
attempts. Once they noticed it and blocked it then you could inform them of the other pertinent details (i.e. time 
scanning to be performed, IPs used [if different from initial test], etc...).

A lot of places forget that the procedures to react to an intrusion attempt are a key element to the entire process. Of 
course all of this should be spelled out in your contract and explained in detail up front to protect you and the 
client both.

my 2 cents

L

-----Original Message-----
From: wirepair [mailto:wirepair () roguemail net]
Sent: Thursday, December 18, 2003 7:42 PM
To: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?


We always tell the client which IP's we are coming from. Mainly because we *don't* want to get
our IP's blocked by an IPS or by an unwitting admin. If you do not trust the admins will allow
the test to go smoothly, you should probably contact their managers to see that your information
does not get distorted.

Or you can simply ask them whether or not they'd like to be given that information. Occasionally,
we are told by the managers to not tell the admins to see if they notice the attacks. Doing the tests
from multiple machines has its advantages, especially when given a class C or larger to split up the time.

In our company tests are usually split up with internal/external/pbx & modems ect. But occasionally
we all work on a project together. Logs are definitly important, one thing I wish automated scanners
did would log what plugin/exploit caused the fault/issue. If the issue was caused during a penetration
test you should contact the company immediately and explain what exactly you were testing at the time
and work with them in identifying what the exact nature of the problem was. 
Hope this helps,
-wire

On Thu, 18 Dec 2003 13:13:43 -0700 (MST)
  Alfred Huger <ah () securityfocus com> wrote:
> I am posting this for a user who is having difficulty posting directly to
> the list. Please reply to the list.
>
> -al
>
>
> To: Joe P <joe_nasdaq () yahoo com>
> Cc: pen-test () securityfocus com
> Subject: Re: How much do you disclose to customers?
>
>
> On Tue, 16 Dec 2003, Joe P wrote:
>
> > Hi everyone,
> >
> > I have a question on customer disclosure.  Is it wise to tell the
> customer  which IP addresses you'll be
> using before starting pen tests?
> > Cons for Telling:
> > I was thinking that if you did tell them you may get an over zealous,
> insecure admin that just sets up a
> filter to block you out to make him/herself look good.
> > Pros for Telling:
> > 1) if you don't tell them your IP address they may think your doing
> testing when in actuallity it's someone
> else (ie: a true cracker trying to break in).
> > 2) Audit trail reasons - if you trip up an IDS while doing testing they
> can ignore those alarms.
> > Also, how do testers handle multiple IP addresses?  Is there any benefit
> to doing it from multiple IP
> addresses??
> > How do testers distribute a test amongst multiple people?
> >
> > Lastly,  do you keep logs of tests performed just to cover yourself?
> (Ie: "Our server crashed on Saturday,
> it must have been something you did!!"")
> > thanks ahead of time,
> > Joe
>
> Alfred Huger
> Symantec Corp.
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf

---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------