Re: How much do you disclose to customers?

From: Harry Hoffman (hhoffman@ip-solutions.net)
Date: Fri Dec 19 2003 - 13:49:26 EST


I disagree... The admins should definitely know about the pen-testing.
For example, sometimes politics at the top may keep the mgmt from alerting each
other as to what's going on, or perhaps trying to hide it from other mgmt in an
attempt to prove the network is insecure.

We had one such incident where a sec. team was hired to pen-test the network by
someone who only "owned" a segment of the network. Because this person didn't
know what they were doing the sec. team attacked the whole network causing huge
amounts of noise.

That threw us into a panic and since they were on our LAN we shut down their
ports. Then a big pissing match occurred because they wasted our time and got so
many of our security team in an uproar trying to find out what was happening.

Admin responses can be measured against real life threats such as worms/virii or
planned attack/response "games".

If you're worried that your admins only act under a microscope then that's
already an HR problem and should be dealt with as such.

Cheers,
Harry

Quoting Meritt James <meritt_james@bah.com>:

*> Sounds like things covered (or should be!) by the traditional "Get out
*> of Jail free card" you get signed BEFORE starting...
*>
*> My personal preference is that ONLY "the top" knows you are doing it -
*> I'm also evaluating responses to IDS alerts, ... and the sysops may act
*> differently if they knew they were being watched...
*>
*> Jim
*>
*> Alfred Huger wrote:
*> >
*> > I am posting this for a user who is having difficulty posting directly to
*> > the list. Please reply to the list.
*> >
*> > -al
*> >
*> > To: Joe P <joe_nasdaq@yahoo.com>
*> > Cc: pen-test@securityfocus.com
*> > Subject: Re: How much do you disclose to customers?
*> >
*> > On Tue, 16 Dec 2003, Joe P wrote:
*> >
*> > > Hi everyone,
*> > >
*> > > I have a question on customer disclosure. Is it wise to tell the
*> > > customer which IP addresses you'll be using before starting pen tests?
*> > >
*> > > Cons for Telling:
*> > > I was thinking that if you did tell them you may get an overzealous,
*> > > insecure admin that just sets up a filter to block you out to make
*> > > him/herself look good.
*> > >
*> > > Pros for Telling:
*> > > 1) if you don't tell them your IP address they may think you're doing
*> > > testing when in actuality it's someone else (ie: a true cracker trying
*> > > to break in).
*> > > 2) Audit trail reasons - if you trip up an IDS while doing testing they
*> > > can ignore those alarms.
*> > >
*> > > Also, how do testers handle multiple IP addresses? Is there any benefit
*> > > to doing it from multiple IP addresses??
*> > >
*> > > How do testers distribute a test amongst multiple people?
*> > >
*> > > Lastly, do you keep logs of tests performed just to cover yourself?
*> > > (Ie: "Our server crashed on Saturday, it must have been something you
*> > > did!!")
*> > >
*> > > thanks ahead of time,
*> > > Joe
*> > >
*> >
*> > Alfred Huger
*> > Symantec Corp.
*> >
*>
*> --
*> James W. Meritt CISSP, CISA
*> Booz | Allen | Hamilton
*> phone: (410) 684-6566

-- 
Harry Hoffman
hhoffman@ip-solutions.net
#----------------------------------------------------------------#
# Harry: version 4.0a                                            #
# Known bugs:                                                    #
# 1) Verbal output may occur before data processing is complete. #
# 2) Loudspeaker option may activate without being invoked.      #
# 3) Other bugs as reported                                      #
#----------------------------------------------------------------#


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT