Re: How much do you disclose to customers?

From: Martin Mačok (martin.macok_at_underground.cz)
Date: 12/19/03

    Date: Fri, 19 Dec 2003 11:09:51 +0100
    To: pen-test@securityfocus.com

    On Thu, Dec 18, 2003 at 01:13:43PM -0700, Alfred Huger wrote:

    > > I have a question on customer disclosure. Is it wise to tell the
    > > customer which IP addresses you'll be using before starting pen
    > > tests?

    It depends. Sometimes management wants to test their security
    including their network administrators (whether they are capable of
    detecting, preventing or acting properly on the attack). In this case,
    the network administrators do not know about the test, so you don't tell
    them the IPs. Management usually doesn't care about such technical
    details as IP addresses... we just ask whether the addresses we will use
    should be easily traceable to us (whois, reverse DNS etc.) or not.

    You should resolve those issues before the test. Just tell them the
    options and ask them what they want. Sometimes they want you to tell them
    the IP and use *only* this IP for the test.

    > > Cons for Telling: I was thinking that if you did tell them you may
    > > get an overzealous, insecure admin that just sets up a filter to
    > > block you out to make him/herself look good.

    It would be strange if you couldn't reach their mailserver, webserver
    etc. But yes, a malicious admin could hide some problematic
    services/nodes from you. But that's their problem, not yours.

    > > Pros for Telling:
    > > 1) if you don't tell them your IP address they may think you're
    > > doing testing when in actuality it's someone else (i.e. a true
    > > cracker trying to break in).

    That's their problem, not yours :-)

    > > 2) Audit trail reasons - if you trip up an IDS while doing testing they
    > > can ignore those alarms.

    That depends. If they usually act on an IDS alarm in some way, they
    should act the same way even in this case. But if they want to test their
    vulnerabilities as if there were no IDS ...

    > > Also, how do testers handle multiple IP addresses? Is there any
    > > benefit to doing it from multiple IP addresses??

    Yes. The attack could be made better hidden and they should have more
    problems tracking your activities. Also, you sometimes lose
    connection to the target and you should test whether it is reachable from
    a different IP (so you are blocked) or whether it is unreachable from all IPs
    (so you probably crashed the device, and we usually call the appropriate
    person in this case).

    > > Lastly, do you keep logs of tests performed just to cover yourself?

    Of course! The schedule (including source IPs) is a part of the
    final report.

    -- 
             Martin Mačok                 http://underground.cz/
       martin.ma***@underground.cz        http://Xtrmntr.org/ORBman/
    
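The two practices Martin describes, probing the same target from several source IPs to tell "we are blocked" apart from "the device is down", and keeping a timestamped log of source IPs for the final report, can be kept in one small engagement log. The following is an added example, not code from the post or from any list member; the probe records, the TEST-NET addresses (192.0.2.x, 198.51.100.x) and the escalation wording are constructed for illustration.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class ProbeRecord:
    """One reachability check, recorded so the report can show when
    each target was touched and from which source address."""
    timestamp: str    # ISO-8601, UTC
    source_ip: str    # tester's source address for this probe
    target: str       # host:port that was probed
    reachable: bool
    note: str = ""


class EngagementLog:
    """Append-only audit trail of probes made during an engagement."""

    def __init__(self):
        self.records = []

    def record(self, source_ip, target, reachable, note="", when=None):
        ts = (when or datetime.now(timezone.utc)).isoformat()
        rec = ProbeRecord(ts, source_ip, target, reachable, note)
        self.records.append(rec)
        return rec

    def source_ips(self):
        # The list of addresses that goes into the final report.
        return sorted({r.source_ip for r in self.records})

    def classify(self, target):
        """Decide, from the most recent probe per source IP, whether the
        target is reachable, only our address is being blocked, or the
        target looks down from everywhere."""
        latest = {}
        for r in self.records:          # records are appended in time order
            if r.target == target:
                latest[r.source_ip] = r.reachable
        if not latest:
            return "no-data"
        if all(latest.values()):
            return "reachable"
        if any(latest.values()):
            return "blocked"            # some sources get through, ours does not
        return "down"                   # unreachable from every source IP

    def escalation(self, target):
        """Text for the tester: a 'down' verdict means calling the
        customer's contact, a 'blocked' verdict is just noted in the report."""
        verdict = self.classify(target)
        if verdict == "down":
            return f"{target}: unreachable from all source IPs; call the customer contact"
        if verdict == "blocked":
            return f"{target}: blocked for some source IPs; note in report and continue"
        return f"{target}: {verdict}"

    def to_jsonl(self):
        # One JSON object per line, suitable as a report appendix.
        return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in self.records)


def build_sample_log():
    """Constructed sample: two tester source addresses, two targets."""
    log = EngagementLog()
    t0 = datetime(2003, 12, 19, 10, 0, tzinfo=timezone.utc)
    web, ssh = "198.51.100.5:443", "198.51.100.7:22"
    # Both targets answer at the start of the test window.
    log.record("192.0.2.10", web, True, when=t0)
    log.record("192.0.2.20", web, True, when=t0)
    log.record("192.0.2.10", ssh, True, when=t0)
    log.record("192.0.2.20", ssh, True, when=t0)
    # Later: the web server drops one of our addresses but not the other.
    t1 = t0.replace(hour=11)
    log.record("192.0.2.10", web, False, "connect timeout", when=t1)
    log.record("192.0.2.20", web, True, when=t1)
    # The SSH host stops answering from both addresses.
    log.record("192.0.2.10", ssh, False, "connect refused", when=t1)
    log.record("192.0.2.20", ssh, False, "connect refused", when=t1)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for target in ("198.51.100.5:443", "198.51.100.7:22"):
        print(log.escalation(target))
    print("source IPs for report:", log.source_ips())
    print(log.to_jsonl())
```

The verdict uses only the latest probe per source IP, so an earlier successful probe does not mask a later outage; a real engagement would feed `record()` from whatever connectivity check is in use rather than the constructed data in `build_sample_log()`.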
