Home page logo

pen-test logo Penetration Testing mailing list archives

RE: How much do you disclose to customers?
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 18 Dec 2003 21:58:35 -0500

Before answering anything - my testing philosophy is that I'm trying to
help the client find and fix their problems.  I am normaly not in the
case where I'm trying to 'smack' somebody.  I'm normally working WITH IT
so I'm gonna answer the questions from that perspective.

Logging - I keep detailed logs.  I don't quite log every command but I
log all the major stuff.  Partly to cover myself and partly so that if
their server does crash, I can help them pinpoint the problem test.
Pen-testing sometimes breaks things....better to have me break it than
their competition...I'll help 'em get it fixed.  Another reason for
keeping detailed logs is 'cuz in 2 months, I may want to test something
else and re-run a similar test.  Some guys remember every command-line
and combination for every test they run....me, I can't even remember
which box it's on, or what directory it's located it;).  Another reason,
the client may want a follow-up test after they've fixed the problem.

Attack IP - nope, I never tell them.  I do ask them to contact me
(actually, it's usually the sales guy as an intermediary) before they
spend too much time tracking me down, getting me arrested, etc.  I
include in my report when they contacted me.  I also include if they
never contact me (normally they never notice it).  If I suspected that I
was being blocked, I'd try to work around that.  I'd use a dialup
connection, go over to my mom's, anything.  If they're proactively
blocking me, I would figure out what it took to get a block, document it
and see if I could get their DNS servers, external web site and root DNS
servers blocked....at least to a degree.  I do not try to take my
clients out of business unless they specifically ask for a heavy DOS
test and most do not.

I also do testing at all kinds of goofy times.  If they try to take
boxes down to avoid testing....well, have fun;)

-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com] 
Sent: Thursday, December 18, 2003 3:14 PM
To: pen-test () securityfocus com
Subject: How much do you disclose to customers?

I am posting this for a user who is having difficulty posting directly
the list. Please reply to the list.


To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

Hi everyone,

I have a question on customer disclosure.  Is it wise to tell the
customer  which IP addresses you'll be
using before starting pen tests?

Cons for Telling:
I was thinking that if you did tell them you may get an over zealous,
insecure admin that just sets up a
filter to block you out to make him/herself look good.

Pros for Telling:
1) if you don't tell them your IP address they may think your doing
testing when in actuallity it's someone
else (ie: a true cracker trying to break in).
2) Audit trail reasons - if you trip up an IDS while doing testing
can ignore those alarms.

Also, how do testers handle multiple IP addresses?  Is there any
to doing it from multiple IP

How do testers distribute a test amongst multiple people?

Lastly,  do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")

thanks ahead of time,

Alfred Huger
Symantec Corp.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]