Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: How much do you disclose to customers?
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 19 Dec 2003 22:51:00 -0600

On Fri, 2003-12-19 at 09:37, H Carvey wrote:
I have a question on customer disclosure.  Is it wise to tell the
customer  which IP addresses you'll be
using before starting pen tests?

The way I've seen this handled is through the contract. 

That's one way. Typically though you have a standard contract. It is
absolutely fine to just supply the address casually in a memo or email.
(Or not at all if their admins and response team are to be pentested :)

How do testers distribute a test amongst multiple people?

It depends on how you're organized, the amount of time you have, and
the skills of your staff.  Some folks may go after low-hanging fruit
such as web or ftp servers, while others may be tasked with continual
network mapping.

Yeah, depends would also be my answer of choice. Although I've been
doing pentests for a long time now, I still enjoy and actually prefer
working in a tag-team setup. Being paired with an equal pentester
provides a team where one can play off the accomplishments of the other.
One might find something that the other can take further. After all, two
brains think better than one (or something like that). It's not so much
an enjoyable competition between the testers (who can break in faster),
but an enjoyable.... well... tag-team (who can first exploit the hole
that the peer found, providing the peer with more info). Being in
constant communication (encrypted IM) is very helpful. In addition, you
almost always have specialties, and using a team, one can a) learn new
tricks from the other, and b) complement the skill set of the other so
that the goal can be achieved faster. No one knows it all. Everyone of
use is always learning something new. That's the beauty of the field
we're in. :)

Regards,
Frank


PS: Greetings to Stephen! ;)

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]