Penetration Testing mailing list archives

Re: Penetration Testing Scheduling


From: Anders Thulin <anders.thulin () sentor se>
Date: Tue, 29 Apr 2008 09:01:52 +0200

Yousif () Vapt-Sec com wrote:
I've heard a lot of folks say that telling your customers exactly when you will begin the testing is
not suitable, but I'm not sure as to why they say that...

  I see practically no reason for not telling your customer when the test is going to be held.
On the contrary, if a big incident response effort starts up because of your testing,
you need some way to short-circuit it before it goes too far -- and you can't really have the
customer call you every time they have an incident to check if it is you testing, especially
not outside your normal working hours (unless you happen to like that sort of thing, of course).

  There may be excellent reasons why your immediate point of contact should not inform other
parts of his organization, though -- they may be concerned that vulnerable systems are 'hidden'
during the test. Also, if detection ability and incident response behaviour are being tested,
there should be no prior notice -- to them. But someone needs to know, someone who can
defuse the thing if it seems to go too far, someone in the right position: 'inside the loop'.

  If 'hidden systems' are a concern, there are ways of detecting them: do host detection sweeps
a week before and after the main test, as well as during it, and look for untested systems.
If this may be an issue, take it up during initial negotiations -- should it be part of the job
to look for such signs?


  Of course, if your customer asks you not to tell them, it's your call. But you may
want to check up on liability issues before agreeing to that.

--
Anders Thulin      anders.thulin () sentor se      070-757 36 10 / Intl. +46 70 757 36 10
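The "sweep before, during and after" idea above can be turned into a simple reconciliation step. The script below is an added illustration, not code from the original post or from its author: it parses host-detection results in nmap's grepable (-oG) line format, then diffs the three sweeps against the list of hosts that were actually tested, flagging hosts that were alive before and after the test window but silent during it. The addresses, sweep contents and the TESTED set are constructed sample data.

```python
"""Reconcile host-detection sweeps run before, during and after a test
to flag hosts that may have been 'hidden' during the engagement.

Added example for the thread's suggestion; not code from the original
post. Input lines mimic nmap's grepable (-oG) output, but every address
and sweep result below is constructed sample data.
"""
import re

# nmap -oG prints one "Host:" line per address that responded.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+(\w+)")


def parse_sweep(text):
    """Return the set of addresses reported Up in a grepable sweep."""
    up = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m and m.group(2).lower() == "up":
            up.add(m.group(1))
    return up


def reconcile(before, during, after, tested):
    """Compare the three sweeps with the set of hosts that were tested.

    Returns sorted lists so the report is stable and easy to diff."""
    seen_outside = before | after
    return {
        # Alive before and/or after the test window but silent during it:
        # candidates for 'hidden' systems worth raising with the customer.
        "hidden_during_test": sorted(seen_outside - during),
        # Alive at some point but never covered by the test at all.
        "untested": sorted((before | during | after) - tested),
        # Only seen during the test: possibly new builds or test kit.
        "only_during_test": sorted(during - seen_outside),
    }


# Constructed sample sweeps (RFC 5737 documentation addresses, not real hosts).
SWEEP_BEFORE = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.13 ()\tStatus: Down
"""
SWEEP_DURING = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.20 ()\tStatus: Up
"""
SWEEP_AFTER = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Up
"""
# Hosts that actually received the full test (constructed).
TESTED = {"192.0.2.10", "192.0.2.11"}


def sample_report():
    """Run the reconciliation over the constructed sweeps."""
    return reconcile(parse_sweep(SWEEP_BEFORE), parse_sweep(SWEEP_DURING),
                     parse_sweep(SWEEP_AFTER), TESTED)


if __name__ == "__main__":
    for key, hosts in sample_report().items():
        print(f"{key}: {', '.join(hosts) or '(none)'}")
```

In the sample, 192.0.2.12 answers before and after the test but not during it, so it lands in hidden_during_test; 192.0.2.20 appears only during the window, which is usually benign but worth a question. Whether such findings are in scope is exactly the point to settle in the initial negotiations the post mentions.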


