Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How much do you disclose to customers?
From: fergus <fergus () cobbled net>
Date: Fri, 19 Dec 2003 14:39:42 +0000


i would suggest that you agree with management
which addresses you will probe from but ensure
that administators do not know.

they should follow normal response procedure
against the attack - however, resulting legal
action would be stopped by management as they
would know.


On 18.12-13:13, Alfred Huger wrote:

I am posting this for a user who is having difficulty posting directly to
the list. Please reply to the list.


To: Joe P <joe_nasdaq () yahoo com>
Cc: pen-test () securityfocus com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

Hi everyone,

I have a question on customer disclosure.  Is it wise to tell the
customer  which IP addresses you'll be
using before starting pen tests?

Cons for Telling:
I was thinking that if you did tell them you may get an over zealous,
insecure admin that just sets up a
filter to block you out to make him/herself look good.

Pros for Telling:
1) if you don't tell them your IP address they may think your doing
testing when in actuallity it's someone
else (ie: a true cracker trying to break in).
2) Audit trail reasons - if you trip up an IDS while doing testing they
can ignore those alarms.

Also, how do testers handle multiple IP addresses?  Is there any benefit
to doing it from multiple IP

How do testers distribute a test amongst multiple people?

Lastly,  do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")

thanks ahead of time,

Alfred Huger
Symantec Corp.


: fergus cameron                :   [ .]        cobbled    :
: ^^^^^^ () cobbled net            : [ ~][ ]             .net :


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]