Re: How much do you disclose to customers?

From: Martin Mačok (martin.macok@underground.cz)
Date: Fri Dec 19 2003 - 05:09:51 EST


On Thu, Dec 18, 2003 at 01:13:43PM -0700, Alfred Huger wrote:

> > I have a question on customer disclosure. Is it wise to tell the
> > customer which IP addresses you'll be using before starting pen
> > tests?

It depends. Sometimes management wants to test their security
including their network administrators (if they are capable of
detecting, preventing or properly acting on the attack). In this case,
the network administrators do not know about the test, so you don't tell
them the IPs. Management usually doesn't care about such technical
details as IP addresses... we just ask if the addresses we will use
should be easily trackable to us (whois, reverse DNS etc.) or not.

You should resolve those issues before the test. Just tell them the
options and ask them what they want. Sometimes they want you to tell
them the IP and use *only* this IP for the test.

> > Cons for Telling: I was thinking that if you did tell them you may
> > get an over zealous, insecure admin that just sets up a filter to
> > block you out to make him/herself look good.

It would be strange if you couldn't reach their mail server, web server
etc. But yes, a malicious admin could hide some problematic
services/nodes from you. But that's their problem, not yours.

> > Pros for Telling:
> > 1) if you don't tell them your IP address they may think you're
> > doing testing when in actuality it's someone else (i.e. a true
> > cracker trying to break in).

That's their problem, not yours :-)

> > 2) Audit trail reasons - if you trip up an IDS while doing testing they
> > can ignore those alarms.

That depends. If they usually act on an IDS alarm in some way, they
should act the same way even in this case. But if they want to test their
vulnerabilities as if there were no IDS ...

> > Also, how do testers handle multiple IP addresses? Is there any
> > benefit to doing it from multiple IP addresses??

Yes. The attack can be made more hidden and they will have more
trouble tracking your activities. Also, you sometimes lose
connection to the target and you should test whether it is reachable from
a different IP (so you are blocked) or whether it is unreachable from all IPs
(so you probably crashed the device, and we usually call the appropriate
person in this case).

> > Lastly, do you keep logs of tests performed just to cover yourself?

Of course! The schedule (including source IPs) is part of the
final report.

-- 
         Martin Mačok                 http://underground.cz/
   martin.macok@underground.cz        http://Xtrmntr.org/ORBman/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT