Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How much do you disclose to customers?
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Fri, 19 Dec 2003 17:04:45 -0600

Lastly,  do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")

Not just logs...detailed documentation.  Believe me, it helps.  I remember
going on-site for a VA once, and while we were still in w/ the IT Manager,
an admin came in and informed him that the "scanning the security guys were
doing had crashed a couple of servers".  We were all standing their with out
laptops still in our bags.  Our "CYA" was the manager in that case.

However, the contract should also include a hold-harmless
statement...something to the effect that the testers will take all
reasonable precautions to ensure that something is not crashed, but things
do happen.  Also, give your client the opportunity to designate systems that
will not be involved in the pen test, and may be subject to a thorough VA at
a later date.

Hope that helps,


I've done pen-tests where only the top brass new about it and where the
whole IT dept. New about it.  You have to be flexible to the client's needs.
There are advantages of each under certain circumstances and I think this
thread has already demonstrated most of the pros and cons of each.

I'm submitting my reply because of the posters last concern... and this may
even be a whole other discussion (I'll let the moderators decide).  I've
found that this "point the finger at the security guys" is the most common
scenario.  Harlan is right.  Almost every single pen-test I've done
something goes wrong somewhere in the organization's systems (even if we're
NOT the ones breaking it) and everybody is very quick to blame the
pen-testers or the "security guys" or the consultants, etc.  Now that IT
security has become almost a household term even to the clueless, our
liability risks have increased.  Let's face it... it's almost an
occupational hazard.

I've come across an issue once where we were just starting our test on the
"low hanging fruit" at the web front-end when something on the internal LAN
went down.  We had detailed documentation and logs of our activities proving
that we weren't testing anything even remotely related to the system that
went down.  Furthermore, due to the nature of the testing and what had
happened to the other system, it was actually infeasable that we COULD have
caused it.  However, the SVP of IT wouldn't believe us nor our
documentation.  He put our tests on hold until he found the root cause of
the problem.  Ok understandable.  Eventually, the IT guys were able to find
the issue through their own logs and we were off the hook but not before
this guy was starting to threaten lawsuit.  I know this is probably a rare
case but it still happens...and it only takes one person high enough at the
top who is unreasonable and irrational... and one misplaced log or detail
and it can end a career.  Has anyone else dealt with a situation like this
or maybe even gone to court over it?  Is a contractual disclaimer always
going to be enough?  We've all seen how the suits and lawyers mangle IT
Security and most technological issues in general.  Chances are the judge
and the jury aren't going to be very technical.  So, if you do get taken to
court can you rely on technical evidence if a contractual disclaimer didn't


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]