How much do you disclose to customers?

From: Alfred Huger (ah_at_securityfocus.com)
Date: 12/18/03

    Date: Thu, 18 Dec 2003 13:13:43 -0700 (MST)
    To: pen-test@securityfocus.com
    
    

    I am posting this for a user who is having difficulty posting directly to
    the list. Please reply to the list.

    -al

    To: Joe P <joe_nasdaq@yahoo.com>
    Cc: pen-test@securityfocus.com
    Subject: Re: How much do you disclose to customers?

    On Tue, 16 Dec 2003, Joe P wrote:

    > Hi everyone,
    >
    > I have a question on customer disclosure. Is it wise to tell the
    > customer which IP addresses you'll be using before starting pen tests?
    >
    > Cons for Telling:
    > I was thinking that if you did tell them you may get an overzealous,
    > insecure admin that just sets up a filter to block you out to make
    > him/herself look good.
    >
    > Pros for Telling:
    > 1) if you don't tell them your IP address they may think you're doing
    > testing when in actuality it's someone else (i.e. a true cracker
    > trying to break in).
    > 2) Audit trail reasons - if you trip up an IDS while doing testing they
    > can ignore those alarms.
    >
    > Also, how do testers handle multiple IP addresses? Is there any benefit
    > to doing it from multiple IP addresses??
    >
    > How do testers distribute a test amongst multiple people?
    >
    > Lastly, do you keep logs of tests performed just to cover yourself?
    > (i.e. "Our server crashed on Saturday, it must have been something you
    > did!!")
    >
    > thanks ahead of time,
    > Joe

    Alfred Huger
    Symantec Corp.
