RE: How much do you disclose to customers?

From: Kinnane, Scott (Scott.Kinnane@ISATechnologies.com)
Date: Thu Dec 18 2003 - 22:39:20 EST


I'd explain to the customer that in a real security attack, you don't
know the source of the attack when it starts, so you need to simulate as
real a situation as possible. The logs would come in handy as you could
offer that as proof of what was coming from you.

At least if they (including technical staff) know a time when you are
doing the test, they can be prepared for consequences and as you say,
ignore your attempts. I know this contradicts my previous point, but
hey...

Put it this way: if I were the customer, I'd rather know that my
security measures are so thoroughly tested by your tests that they are
as bulletproof as possible.

scott
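A defender-side illustration of the two points above (a declared test window plus declared source addresses lets the customer's staff set aside the alerts the test caused, while still looking at anything that does not match), as an added example that is not part of this thread or anyone's tooling: the tester address range, the window and the alert lines are all constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement (assumptions for this example, not from the thread):
# the tester discloses a source range and an agreed window in advance.
TESTER_NETS = [ipaddress.ip_network("203.0.113.0/28")]          # documentation range
WINDOW_START = datetime(2003, 12, 20, 1, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2003, 12, 20, 5, 0, tzinfo=timezone.utc)

# Constructed IDS alert lines: "<ISO timestamp> <src> <dst> <message>"
SAMPLE_ALERTS = """\
2003-12-20T01:15:00Z 203.0.113.5 198.51.100.10 portscan
2003-12-20T02:40:00Z 198.51.100.77 198.51.100.10 ssh brute force
2003-12-20T03:10:00Z 203.0.113.9 198.51.100.20 web scanner
2003-12-20T09:00:00Z 203.0.113.5 198.51.100.10 portscan
2003-12-20T01:50:00Z 192.0.2.33 198.51.100.10 ssh brute force
"""


def parse_alert(line):
    """Split one alert line into timestamp, source address, destination and message."""
    ts, src, dst, msg = line.split(" ", 3)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": ipaddress.ip_address(src),
        "dst": dst,
        "msg": msg,
    }


def attributable(alert, nets=TESTER_NETS, start=WINDOW_START, end=WINDOW_END):
    """True only when the source is a declared tester address AND the time is inside
    the agreed window. A tester address seen outside the window is deliberately not
    attributed: it could be spoofed or unauthorised and deserves a look."""
    in_window = start <= alert["ts"] <= end
    from_tester = any(alert["src"] in net for net in nets)
    return in_window and from_tester


def triage(text):
    """Partition alert lines into (attributable to the test, still to investigate)."""
    from_test, to_investigate = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        (from_test if attributable(alert) else to_investigate).append(alert)
    return from_test, to_investigate


if __name__ == "__main__":
    from_test, to_investigate = triage(SAMPLE_ALERTS)
    print(f"{len(from_test)} alert(s) attributable to the agreed test")
    for a in to_investigate:
        print("investigate:", a["ts"].isoformat(), a["src"], a["msg"])
```

The same two inputs (source range, window) are what the tester's own activity log should be able to corroborate if the customer later asks what was "coming from you"; the check above is intentionally an AND, so a declared address outside the agreed hours is not silently suppressed.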

> -----Original Message-----
> From: Alfred Huger [mailto:ah@securityfocus.com]
> Sent: Friday, 19 December 2003 4:14 AM
> To: pen-test@securityfocus.com
> Subject: How much do you disclose to customers?
>
>
>
>
> I am posting this for a user who is having difficulty posting
> directly to the list. Please reply to the list.
>
> -al
>
>
> To: Joe P <joe_nasdaq@yahoo.com>
> Cc: pen-test@securityfocus.com
> Subject: Re: How much do you disclose to customers?
>
>
> On Tue, 16 Dec 2003, Joe P wrote:
>
> > Hi everyone,
> >
> > I have a question on customer disclosure. Is it wise to tell the
> > customer which IP addresses you'll be using before starting pen tests?
> >
> > Cons for Telling:
> > I was thinking that if you did tell them you may get an overzealous,
> > insecure admin that just sets up a filter to block you out to make
> > him/herself look good.
> >
> > Pros for Telling:
> > 1) If you don't tell them your IP address they may think you're doing
> > testing when in actuality it's someone else (i.e. a true cracker
> > trying to break in).
> > 2) Audit trail reasons - if you trip up an IDS while doing testing
> > they can ignore those alarms.
> >
> > Also, how do testers handle multiple IP addresses? Is there any
> > benefit to doing it from multiple IP addresses?
> >
> > How do testers distribute a test amongst multiple people?
> >
> > Lastly, do you keep logs of tests performed just to cover yourself?
> > (i.e. "Our server crashed on Saturday, it must have been something
> > you did!!")
> >
> > Thanks ahead of time,
> > Joe
> >
>
> Alfred Huger
> Symantec Corp.
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT