RE: How much do you disclose to customers?

From: Jerry Shenk (jshenk@decommunications.com)
Date: Thu Dec 18 2003 - 21:58:35 EST


Before answering anything - my testing philosophy is that I'm trying to
help the client find and fix their problems. I am normally not in the
case where I'm trying to 'smack' somebody. I'm normally working WITH IT
so I'm gonna answer the questions from that perspective.

Logging - I keep detailed logs. I don't quite log every command but I
log all the major stuff. Partly to cover myself and partly so that if
their server does crash, I can help them pinpoint the problem test.
Pen-testing sometimes breaks things....better to have me break it than
their competition...I'll help 'em get it fixed. Another reason for
keeping detailed logs is 'cuz in 2 months, I may want to test something
else and re-run a similar test. Some guys remember every command-line
and combination for every test they run....me, I can't even remember
which box it's on, or what directory it's located in ;). Another reason,
the client may want a follow-up test after they've fixed the problem.

Attack IP - nope, I never tell them. I do ask them to contact me
(actually, it's usually the sales guy as an intermediary) before they
spend too much time tracking me down, getting me arrested, etc. I
include in my report when they contacted me. I also include if they
never contact me (normally they never notice it). If I suspected that I
was being blocked, I'd try to work around that. I'd use a dialup
connection, go over to my mom's, anything. If they're proactively
blocking me, I would figure out what it took to get a block, document it
and see if I could get their DNS servers, external web site and root DNS
servers blocked....at least to a degree. I do not try to take my
clients out of business unless they specifically ask for a heavy DoS
test and most do not.

I also do testing at all kinds of goofy times. If they try to take
boxes down to avoid testing....well, have fun;)

-----Original Message-----
From: Alfred Huger [mailto:ah@securityfocus.com]
Sent: Thursday, December 18, 2003 3:14 PM
To: pen-test@securityfocus.com
Subject: How much do you disclose to customers?

I am posting this for a user who is having difficulty posting directly
to the list. Please reply to the list.

-al

To: Joe P <joe_nasdaq@yahoo.com>
Cc: pen-test@securityfocus.com
Subject: Re: How much do you disclose to customers?

On Tue, 16 Dec 2003, Joe P wrote:

> Hi everyone,
>
> I have a question on customer disclosure. Is it wise to tell the
> customer which IP addresses you'll be using before starting pen tests?
>
> Cons for Telling:
> I was thinking that if you did tell them you may get an overzealous,
> insecure admin that just sets up a filter to block you out to make
> him/herself look good.
>
> Pros for Telling:
> 1) if you don't tell them your IP address they may think you're doing
> testing when in actuality it's someone else (i.e. a true cracker trying
> to break in).
> 2) Audit trail reasons - if you trip up an IDS while doing testing they
> can ignore those alarms.
>
> Also, how do testers handle multiple IP addresses? Is there any
> benefit to doing it from multiple IP addresses??
>
> How do testers distribute a test amongst multiple people?
>
> Lastly, do you keep logs of tests performed just to cover yourself?
> (i.e. "Our server crashed on Saturday, it must have been something you
> did!!")
>
> thanks ahead of time,
> Joe
>

Alfred Huger
Symantec Corp.
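Both Joe's "audit trail" point and Jerry's habit of keeping timestamped logs come down to one defender-side task: when an IDS fires during an engagement, the client needs to tell the tester's traffic apart from a real intruder's. The script below is an added example, not code from anyone in this thread; the tester log lines, the IDS alert lines, the 30-minute activity window and the three outcome labels are all constructed assumptions. It matches each alert against the tester's log by source address and time, labels matches as authorized test activity, flags alerts from an unknown source for investigation, and separately flags alerts that come from a tester address but fall outside any logged activity (the gap that a "did you do this?" call to the tester is meant to close).

```python
"""Triage client IDS alerts against a pen-tester's timestamped activity log.

Added example (not from the thread). Inputs are constructed: a tester log of
"<ISO time> <source IP> <action> <target>" and IDS alert lines of
"<ISO time> <signature text> <src> -> <dst>". Each logged action is assumed
to cover ACTIVITY_WINDOW after its start time.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tolerance: how long one logged action is taken to last.
ACTIVITY_WINDOW = timedelta(minutes=30)

# Constructed tester log (addresses are documentation ranges, not real hosts).
TESTER_LOG = """\
2003-12-18T21:05:00 198.51.100.7 port-scan 203.0.113.10
2003-12-18T21:40:00 198.51.100.7 web-dir-enum 203.0.113.20
2003-12-19T02:10:00 198.51.100.9 smtp-banner-check 203.0.113.25
"""

# Constructed IDS alert lines as the client's sensor might emit them.
IDS_ALERTS = """\
2003-12-18T21:06:12 PORTSCAN 198.51.100.7 -> 203.0.113.10
2003-12-18T21:41:30 WEB-MISC directory probe 198.51.100.7 -> 203.0.113.20
2003-12-18T23:15:00 PORTSCAN 192.0.2.44 -> 203.0.113.10
2003-12-19T02:11:05 SMTP banner grab 198.51.100.9 -> 203.0.113.25
2003-12-19T02:50:00 WEB-MISC directory probe 198.51.100.9 -> 203.0.113.20
"""


@dataclass
class LogEntry:
    start: datetime
    src: str
    action: str
    target: str


@dataclass
class Alert:
    when: datetime
    signature: str
    src: str
    dst: str


def parse_tester_log(text: str) -> list:
    """Parse the tester's four-field log lines; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, action, target = line.split()
        entries.append(LogEntry(datetime.fromisoformat(ts), src, action, target))
    return entries


def parse_ids_alerts(text: str) -> list:
    """Parse alert lines; the signature may contain spaces, so it is taken
    as everything between the timestamp and the trailing 'src -> dst'."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts, src, arrow, dst = parts[0], parts[-3], parts[-2], parts[-1]
        if arrow != "->":
            raise ValueError(f"unexpected alert format: {line!r}")
        alerts.append(Alert(datetime.fromisoformat(ts), " ".join(parts[1:-3]), src, dst))
    return alerts


def classify(alert: Alert, entries: list) -> tuple:
    """Return (label, matched_action). Labels:
    authorized-test    source IP and time match a logged tester action
    tester-ip-unlogged tester IP, but nothing logged for that time (ask the tester)
    investigate        source is not a declared tester address
    """
    tester_ips = {e.src for e in entries}
    for e in entries:
        if e.src == alert.src and e.start <= alert.when <= e.start + ACTIVITY_WINDOW:
            return ("authorized-test", e.action)
    if alert.src in tester_ips:
        return ("tester-ip-unlogged", None)
    return ("investigate", None)


def triage(log_text: str, alert_text: str) -> list:
    """Label every alert; each row is (time, signature, src, label, action)."""
    entries = parse_tester_log(log_text)
    return [(a.when.isoformat(), a.signature, a.src) + classify(a, entries)
            for a in parse_ids_alerts(alert_text)]


if __name__ == "__main__":
    for row in triage(TESTER_LOG, IDS_ALERTS):
        print(row)
```

On the constructed data the third alert (from 192.0.2.44, an address the tester never declared) is the one that must not be waved off as "just the test", and the last alert shows why the tester's log matters as much as the IP list: the source is a tester address, but nothing was logged for that time, so it gets its own label rather than being silently accepted.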



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT