Re: How much do you disclose to customers?

From: H Carvey (keydet89@yahoo.com)
Date: Fri Dec 19 2003 - 10:37:03 EST


In-Reply-To: <Pine.LNX.4.58.0312181312530.21066@mail.securityfocus.com>


> I have a question on customer disclosure. Is it wise to tell the
> customer which IP addresses you'll be
> using before starting pen tests?

The way I've seen this handled is through the contract. Basically, what you do is obtain a "cut out"...someone higher up in the company such as an IT Manager or VP. Ideally, this would be the person to whom all intrusion attempts are reported. That way, he knows what's going on and whether or not the LEOs need to be alerted.

I understand your concern about overzealous, insecure admins. I've seen such posts to the lists, too. However, look at it this way...if the admin does this, and does so against the orders of the IT Manager/VP, then you've identified at least one security risk already, haven't you?

> Also, how do testers handle multiple IP addresses? Is there any benefit
> to doing it from multiple IP
> addresses??

Simply include it in the contract.

> How do testers distribute a test amongst multiple people?

It depends on how you're organized, the amount of time you have, and the skills of your staff. Some folks may go after low-hanging fruit such as web or ftp servers, while others may be tasked with continual network mapping.

> Lastly, do you keep logs of tests performed just to cover yourself?
> (Ie: "Our server crashed on Saturday,
> it must have been something you did!!")

Not just logs...detailed documentation. Believe me, it helps. I remember going on-site for a VA once, and while we were still in w/ the IT Manager, an admin came in and informed him that the "scanning the security guys were doing had crashed a couple of servers". We were all standing there with our laptops still in our bags. Our "CYA" was the manager in that case.

However, the contract should also include a hold-harmless statement...something to the effect that the testers will take all reasonable precautions to ensure that something is not crashed, but things do happen. Also, give your client the opportunity to designate systems that will not be involved in the pen test, and may be subject to a thorough VA at a later date.

Hope that helps,

Harlan

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT