How much do you disclose to customers?

From: Alfred Huger (ah@securityfocus.com)
Date: Thu Dec 18 2003 - 15:13:43 EST


I am posting this for a user who is having difficulty posting directly to
the list. Please reply to the list.

-al

To: Joe P <joe_nasdaq@yahoo.com>
Cc: pen-test@securityfocus.com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

> Hi everyone,
>
> I have a question on customer disclosure. Is it wise to tell the
> customer which IP addresses you'll be using before starting pen tests?
>
> Cons for Telling:
> I was thinking that if you did tell them you may get an overzealous,
> insecure admin that just sets up a filter to block you out to make
> him/herself look good.
>
> Pros for Telling:
> 1) if you don't tell them your IP address they may think you're doing
> testing when in actuality it's someone else (ie: a true cracker trying
> to break in).
> 2) Audit trail reasons - if you trip up an IDS while doing testing they
> can ignore those alarms.
>
> Also, how do testers handle multiple IP addresses? Is there any benefit
> to doing it from multiple IP addresses?
>
> How do testers distribute a test amongst multiple people?
>
> Lastly, do you keep logs of tests performed just to cover yourself?
> (Ie: "Our server crashed on Saturday, it must have been something you
> did!!")
>
> thanks ahead of time,
> Joe
>
>
>

Alfred Huger
Symantec Corp.
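The "pros for telling" in Joe's question (the customer can tell your testing from a real intruder, and can tie IDS alarms to the engagement) come down to one check on the customer's side: does an alert come from a declared tester source range inside the agreed window? The script below is an added example, not from the original post or the list; the engagement ranges, window and IDS alert lines are constructed, and the alert format `<timestamp> <src_ip> <signature>` is assumed for illustration.

```python
"""Added example (not part of the original post): correlate IDS alerts
with a declared pen-test window so the customer can separate authorised
testing traffic from unattributed activity. All sample data is constructed."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed engagement declaration: what the tester gives the customer
# up front, i.e. the source ranges and the agreed testing window.
ENGAGEMENT = {
    "sources": [ip_network("203.0.113.0/29")],   # TEST-NET-3, constructed
    "start": datetime(2003, 12, 20, 9, 0),
    "end": datetime(2003, 12, 20, 17, 0),
}

# Constructed IDS alert lines: "<timestamp> <src_ip> <signature>"
ALERTS = """2003-12-20T10:15:00 203.0.113.4 PORTSCAN
2003-12-20T11:02:30 198.51.100.7 PORTSCAN
2003-12-20T19:30:00 203.0.113.4 WEB-ATTACKS cmd.exe
2003-12-20T12:00:00 203.0.113.200 ICMP sweep"""


def parse_alert(line):
    """Split one alert line into (datetime, ip_address, signature text)."""
    ts, src, sig = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip_address(src), sig


def classify(ts, src, engagement=ENGAGEMENT):
    """Label an alert by whether it matches the declared tester sources/window."""
    in_window = engagement["start"] <= ts <= engagement["end"]
    from_tester = any(src in net for net in engagement["sources"])
    if from_tester and in_window:
        return "authorised-test"
    if from_tester:
        return "tester-outside-window"   # declared source, undeclared time: escalate
    return "unattributed"                # not the tester: treat as a real alert


def triage(alert_text):
    """Classify every alert line; returns [(verdict, src_ip, signature), ...]."""
    results = []
    for line in alert_text.splitlines():
        ts, src, sig = parse_alert(line)
        results.append((classify(ts, src), str(src), sig))
    return results


if __name__ == "__main__":
    for verdict, src, sig in triage(ALERTS):
        print(f"{verdict:22} {src:16} {sig}")
```

Only alerts labelled "authorised-test" can safely be ignored; a declared source outside the window, or any undeclared source, still needs the customer's normal incident handling.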
