RE: How much do you disclose to customers?

From: Michal Zalewski (lcamtuf@coredump.cx)
Date: Fri Dec 19 2003 - 13:35:01 EST


On Fri, 19 Dec 2003, Kinnane, Scott wrote:

> I'd explain to the customer that in a real security attack, you don't
> know the source of the attack when it starts, so you need to simulate as
> real a situation as possible. The logs would come in handy as you could
> offer that as proof of what was coming from you.

It only makes sense if you already know an attack vector, and want to test
response procedures and incident awareness.

In all other cases (meaning, a typical pen-test), it is wise to tell the
customer, simply because you do NOT want them to initiate a response,
immediately bring systems down if there is a suspicion one of the attacks
might have succeeded, etc. (let alone contacting your ISP). But more
importantly, you want them to be prepared for eventual consequences, for
example downtime resulting from an intentional (or accidental) DoS-type
test.

I do not think, however, that it is wise to mix both response analysis and
vulnerability assessment, or that it is feasible to do so without
compromising the completeness of the pen-test itself.

My $.02; I suppose there would be just as many views as posters in the
thread.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-19 19:30 --
   http://lcamtuf.coredump.cx/photo/current/