Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How much do you disclose to customers?
From: "wirepair" <wirepair () roguemail net>
Date: Thu, 18 Dec 2003 16:41:32 -0800

We always tell the client which IP's we are coming from. Mainly because we *don't* want to get
our IP's blocked by an IPS or by an unwitting admin. If you do not trust the admins will allow
the test to go smoothly, you should probably contact their managers to see that your information
does not get distorted.

Or you can simply ask them whether or not they'd like to be given that information. Occasionally,
we are told by the managers to not tell the admins to see if they notice the attacks. Doing the tests
from multiple machines has its advantages, especially when given a class C or larger to split up the time.

In our company tests are usually split up with internal/external/pbx & modems ect. But occasionally
we all work on a project together. Logs are definitly important, one thing I wish automated scanners
did would log what plugin/exploit caused the fault/issue. If the issue was caused during a penetration
test you should contact the company immediately and explain what exactly you were testing at the time
and work with them in identifying what the exact nature of the problem was. Hope this helps,

On Thu, 18 Dec 2003 13:13:43 -0700 (MST)
 Alfred Huger <ah () securityfocus com> wrote:

I am posting this for a user who is having difficulty posting directly to
the list. Please reply to the list.


To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

Hi everyone,

I have a question on customer disclosure.  Is it wise to tell the
customer  which IP addresses you'll be
using before starting pen tests?

Cons for Telling:
I was thinking that if you did tell them you may get an over zealous,
insecure admin that just sets up a
filter to block you out to make him/herself look good.

Pros for Telling:
1) if you don't tell them your IP address they may think your doing
testing when in actuallity it's someone
else (ie: a true cracker trying to break in).
2) Audit trail reasons - if you trip up an IDS while doing testing they
can ignore those alarms.

Also, how do testers handle multiple IP addresses?  Is there any benefit
to doing it from multiple IP

How do testers distribute a test amongst multiple people?

Lastly,  do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")

thanks ahead of time,

Alfred Huger
Symantec Corp.


Visit Things From Another World for the best
comics, movies, toys, collectibles and more.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]