Re: How much do you disclose to customers?

From: Stephen de Vries
Date: Sun, 21 Dec 2003 02:29:25 -0500 (EST)
To: "Alfred Huger" <>

IMO it is good practice to keep a clear communication channel between
testers and clients. Remember that the client has hired you to perform a
vulnerability assessment or penetration test and you're really both
working for the same side and unless there is a specific requirement to
conduct tests stealthily, I think you should be very open about sharing

To many clients the process of pentesting is something of a mystery - all
they know is that there are some green haired tattooed teenagers (thanks
NAI) on the other side of the firewall trying to hack their site and the
only real result of the pentest is the report they receive after 5 days of
"work". In my experience establishing an open communication channel with
the client gives them a degree of assurance that the work they've paid for
is indeed valuable to their business. The following could be considered,
depending on the client and what they hope to achieve from the pentest:

- A briefing with the admins, security manager and person who commissioned
the work _before_ any testing begins to explain the methodology that will
be followed, what sort of tests will be performed and how they can expect
these tests to impact their systems and their network. Tests are often
performed on live, mission critical systems and the client needs assurance
that the testers are taking the necessary precautions to ensure that their
systems stay up. Source IP addresses and the time of any DoS tests can be
arranged during this meeting.

- A daily conference call with relevant parties to summarize the tests
performed that day and also to discuss any significant findings.

- At the end of the test, the client receives the final report. It may be
useful at this stage to arrange a presentation of the report to the
business owners. This can be an important step in helping the client's
security team gain management's backing for implementing recommended

There's no need to harass sys-admins with every finding discovered, just
be open about what you're doing and how it will affect their systems.



> I am posting this for a user who is having difficulty posting directly to
> the list. Please reply to the list.
> -al
>
> To: Joe P <>
> Subject: Re: How much do you disclose to customers?
>
> On Tue, 16 Dec 2003, Joe P wrote:
>> Hi everyone,
>> I have a question on customer disclosure. Is it wise to tell the
>> customer which IP addresses you'll be using before starting pen tests?
>>
>> Cons for Telling:
>> I was thinking that if you did tell them you may get an overzealous,
>> insecure admin that just sets up a filter to block you out to make
>> him/herself look good.
>>
>> Pros for Telling:
>> 1) if you don't tell them your IP address they may think you're doing
>> testing when in actuality it's someone else (i.e. a true cracker trying
>> to break in).
>> 2) Audit trail reasons - if you trip up an IDS while doing testing they
>> can ignore those alarms.
>>
>> Also, how do testers handle multiple IP addresses? Is there any benefit
>> to doing it from multiple IP addresses??
>> How do testers distribute a test amongst multiple people?
>> Lastly, do you keep logs of tests performed just to cover yourself?
>> (i.e. "Our server crashed on Saturday, it must have been something you
>> did!!")
>> thanks ahead of time,
>> Joe
>
> Alfred Huger
> Symantec Corp.

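Joe's audit-trail point (agreeing the tester's source IPs up front so IDS alarms can be attributed) and the pre-test briefing Stephen describes suggest a simple check on the client side. As an added example, not code from the thread: given the source range and test window recorded at the briefing (constructed placeholder values), tag each IDS alert as expected test traffic, tester traffic outside the agreed window, or something to investigate as a real event.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Values the client records at the pre-engagement briefing. Constructed
# placeholders, not from the thread; 203.0.113.0/24 is a documentation range.
AGREED_SOURCES = [ip_network("203.0.113.0/29")]
TEST_WINDOW = (
    datetime(2003, 12, 16, 9, 0, tzinfo=timezone.utc),
    datetime(2003, 12, 20, 18, 0, tzinfo=timezone.utc),
)

# Constructed sample IDS alerts: "<UTC timestamp> <source ip> <signature>"
SAMPLE_ALERTS = """\
2003-12-16T10:15:00Z 203.0.113.2 portscan
2003-12-16T23:40:00Z 198.51.100.7 portscan
2003-12-21T03:00:00Z 203.0.113.2 webapp-probe
"""


def parse_alert(line):
    """Split one alert line into (timestamp, source ip, signature)."""
    ts, src, sig = line.split(maxsplit=2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip_address(src), sig


def classify(when, src):
    """Decide how an alert should be handled given the agreed test parameters."""
    from_tester = any(src in net for net in AGREED_SOURCES)
    in_window = TEST_WINDOW[0] <= when <= TEST_WINDOW[1]
    if from_tester and in_window:
        return "authorized-test"   # expected noise: log it, don't page anyone
    if from_tester:
        return "outside-window"    # agreed IP, wrong time: confirm with the tester
    return "investigate"           # not the tester: treat as a real event


def triage(alert_text):
    """Return [(source ip, signature, verdict)] for every non-empty alert line."""
    results = []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        when, src, sig = parse_alert(line)
        results.append((str(src), sig, classify(when, src)))
    return results


if __name__ == "__main__":
    for src, sig, verdict in triage(SAMPLE_ALERTS):
        print(f"{src:15} {sig:12} {verdict}")
```

The third sample alert comes from an agreed address but after the window closed, which is exactly the case the agreed time slot exists to catch: it should be confirmed with the testers rather than silently ignored.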