Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How much do you disclose to customers?
From: "Stephen de Vries" <stephen () twisteddelight org>
Date: Sun, 21 Dec 2003 02:29:25 -0500 (EST)

IMO it is good practice to keep a clear communication channel between
testers and clients.  Remember that the client has hired you to perform a
vulnerability assessment or penetration test and you're really both
working for the same side and unless there is a specific requirement to
conduct tests stealthily, I think you should be very open about sharing

To many clients the process of pentesting is something of a mystery - all
they know is that there are some green haired tattoed teenagers (thanks
NAI) on the other side of the firewall trying to hack their site and the
only real result of the pentest is the report they receive after 5 days of
"work".  In my experience establishing an open communication channel with
the client gives them a degree of assurance that the work they've paid for
is indeed valuabled to their business.  The following could be considered,
depending on the client and what they hope to achieve from the pentest:

- A briefing with the admins, security manager and person who commissioned
the work _before_ any testing begins to explain the methodology that will
be followed, what sort of tests will be performed and how they can expect
these tests to impact their systems and their network.  Tests are often
performed on live, mission critical systems and the client needs assurance
that the testers are taking the necessary precautions to ensure that their
systems stay up.  Source IP addresses and the time of any DoS tests can be
arranged during this meeting.

- A daily conference call with relevant parties to summarize the tests
performed that day and also to discuss any significant findings.

- At the end of the test, the client receives the final report.  It may be
useful at this stage to arrange a presentation of the report to the
business owners.  This can be an important step in helping the client's
security team gain managements backing for implementing recommended

There's no need to harass sys-admins with every finding discovered, just
be open about what you're doing and how it will affect their systems.



I am posting this for a user who is having difficulty posting directly to
the list. Please reply to the list.


To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

Hi everyone,

I have a question on customer disclosure.  Is it wise to tell the
customer  which IP addresses you'll be
using before starting pen tests?

Cons for Telling:
I was thinking that if you did tell them you may get an over zealous,
insecure admin that just sets up a
filter to block you out to make him/herself look good.

Pros for Telling:
1) if you don't tell them your IP address they may think your doing
testing when in actuallity it's someone
else (ie: a true cracker trying to break in).
2) Audit trail reasons - if you trip up an IDS while doing testing they
can ignore those alarms.

Also, how do testers handle multiple IP addresses?  Is there any benefit
to doing it from multiple IP

How do testers distribute a test amongst multiple people?

Lastly,  do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")

thanks ahead of time,

Alfred Huger
Symantec Corp.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]