How much do you disclose to customers?
From: Alfred Huger (ah_at_securityfocus.com)
Date: 12/18/03
- Previous message: Alex Zimin: "RE: Inprotect software announcement."
- Next in thread: wirepair: "Re: How much do you disclose to customers?"
- Reply: wirepair: "Re: How much do you disclose to customers?"
- Reply: Martin Mačok: "Re: How much do you disclose to customers?"
- Reply: Stephen de Vries: "Re: How much do you disclose to customers?"
- Reply: Jerry Shenk: "RE: How much do you disclose to customers?"
- Reply: Meritt James: "Re: How much do you disclose to customers?"
- Maybe reply: H Carvey: "Re: How much do you disclose to customers?"
- Reply: fergus: "Re: How much do you disclose to customers?"
- Maybe reply: Brewis, Mark: "RE: How much do you disclose to customers?"
- Reply: goat: "Re: How much do you disclose to customers?"
- Maybe reply: Whiteside, Larry [contractor]: "RE: How much do you disclose to customers?"
Date: Thu, 18 Dec 2003 13:13:43 -0700 (MST)
To: pen-test@securityfocus.com
I am posting this for a user who is having difficulty posting directly to
the list. Please reply to the list.
-al
To: Joe P <joe_nasdaq@yahoo.com>
Cc: pen-test@securityfocus.com
Subject: Re: How much do you disclose to customers?
On Tue, 16 Dec 2003, Joe P wrote:
> Hi everyone,
>
> I have a question on customer disclosure. Is it wise to tell the
> customer which IP addresses you'll be using before starting pen tests?
>
> Cons for Telling:
> I was thinking that if you did tell them, you may get an overzealous,
> insecure admin that just sets up a filter to block you out to make
> him/herself look good.
>
> Pros for Telling:
> 1) If you don't tell them your IP address, they may think you're doing
> testing when in actuality it's someone else (i.e., a true cracker
> trying to break in).
> 2) Audit trail reasons - if you trip up an IDS while doing testing, they
> can ignore those alarms.
>
> Also, how do testers handle multiple IP addresses? Is there any benefit
> to doing it from multiple IP addresses??
>
> How do testers distribute a test amongst multiple people?
>
> Lastly, do you keep logs of tests performed just to cover yourself?
> (i.e., "Our server crashed on Saturday, it must have been something
> you did!!")
>
> thanks ahead of time,
> Joe
>
>
>
Alfred Huger
Symantec Corp.