Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How much do you disclose to customers?
From: H Carvey <keydet89 () yahoo com>
Date: 19 Dec 2003 15:37:03 -0000

In-Reply-To: <Pine.LNX.4.58.0312181312530.21066 () mail securityfocus com>

I have a question on customer disclosure.  Is it wise to tell the
customer  which IP addresses you'll be
using before starting pen tests?

The way I've seen this handled is through the contract.  Basically, what you do is obtain a "cut out"...someone higher 
up in the company such as an IT Manager or VP.  Ideally, this would be the person to whom all intrusion attempts are 
reported.  That way, he knows what's going on and whether or not the LEOs need to be alerted.

I understand your concern about overzealous, insecure admins.  I've seen such posts to the lists, too.  However, look 
at it this way...if the admin does this, and does so against the orders of the IT Manager/VP, then you've identified at 
least one security risk already, haven't you?

Also, how do testers handle multiple IP addresses?  Is there any benefit
to doing it from multiple IP

Simply include it in the contract.

How do testers distribute a test amongst multiple people?

It depends on how you're organized, the amount of time you have, and the skills of your staff.  Some folks may go after 
low-hanging fruit such as web or ftp servers, while others may be tasked with continual network mapping.

Lastly,  do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")

Not just logs...detailed documentation.  Believe me, it helps.  I remember going on-site for a VA once, and while we 
were still in w/ the IT Manager, an admin came in and informed him that the "scanning the security guys were doing had 
crashed a couple of servers".  We were all standing their with out laptops still in our bags.  Our "CYA" was the 
manager in that case.

However, the contract should also include a hold-harmless statement...something to the effect that the testers will 
take all reasonable precautions to ensure that something is not crashed, but things do happen.  Also, give your client 
the opportunity to designate systems that will not be involved in the pen test, and may be subject to a thorough VA at 
a later date.

Hope that helps,



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]