RE: How much do you disclose to customers?

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 12/19/03

  • Next message: Meritt James: "Re: How much do you disclose to customers?"

    To: <pen-test@securityfocus.com>
    Date: Thu, 18 Dec 2003 21:58:35 -0500

    Before answering anything - my testing philosophy is that I'm trying to
    help the client find and fix their problems. I am normally not in the
    case where I'm trying to 'smack' somebody. I'm normally working WITH IT
    so I'm gonna answer the questions from that perspective.

    Logging - I keep detailed logs. I don't quite log every command but I
    log all the major stuff. Partly to cover myself and partly so that if
    their server does crash, I can help them pinpoint the problem test.
    Pen-testing sometimes breaks things....better to have me break it than
    their competition...I'll help 'em get it fixed. Another reason for
    keeping detailed logs is 'cuz in 2 months, I may want to test something
    else and re-run a similar test. Some guys remember every command-line
    and combination for every test they run....me, I can't even remember
    which box it's on, or what directory it's located in ;). Another reason,
    the client may want a follow-up test after they've fixed the problem.

    Attack IP - nope, I never tell them. I do ask them to contact me
    (actually, it's usually the sales guy as an intermediary) before they
    spend too much time tracking me down, getting me arrested, etc. I
    include in my report when they contacted me. I also include if they
    never contact me (normally they never notice it). If I suspected that I
    was being blocked, I'd try to work around that. I'd use a dialup
    connection, go over to my mom's, anything. If they're proactively
    blocking me, I would figure out what it took to get a block, document it
    and see if I could get their DNS servers, external web site and root DNS
    servers blocked....at least to a degree. I do not try to take my
    clients out of business unless they specifically ask for a heavy DOS
    test and most do not.

    I also do testing at all kinds of goofy times. If they try to take
    boxes down to avoid testing....well, have fun;)

    -----Original Message-----
    From: Alfred Huger [mailto:ah@securityfocus.com]
    Sent: Thursday, December 18, 2003 3:14 PM
    To: pen-test@securityfocus.com
    Subject: How much do you disclose to customers?

    I am posting this for a user who is having difficulty posting directly
    to the list. Please reply to the list.

    -al

    To: Joe P <joe_nasdaq@yahoo.com>
    Cc: pen-test@securityfocus.com
    Subject: Re: How much do you disclose to customers?

    On Tue, 16 Dec 2003, Joe P wrote:

    > Hi everyone,
    >
    > I have a question on customer disclosure. Is it wise to tell the
    > customer which IP addresses you'll be using before starting pen tests?
    >
    > Cons for Telling:
    > I was thinking that if you did tell them you may get an overzealous,
    > insecure admin that just sets up a filter to block you out to make
    > him/herself look good.
    >
    > Pros for Telling:
    > 1) if you don't tell them your IP address they may think you're doing
    > testing when in actuality it's someone else (i.e. a true cracker trying
    > to break in).
    > 2) Audit trail reasons - if you trip up an IDS while doing testing they
    > can ignore those alarms.
    >
    > Also, how do testers handle multiple IP addresses? Is there any benefit
    > to doing it from multiple IP addresses??
    >
    > How do testers distribute a test amongst multiple people?
    >
    > Lastly, do you keep logs of tests performed just to cover yourself?
    > (i.e. "Our server crashed on Saturday, it must have been something you
    > did!!")
    >
    > thanks ahead of time,
    > Joe
    >

    Alfred Huger
    Symantec Corp.
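Added example, not part of the thread or anyone's posted code: a small POSIX shell engagement log in the spirit of the "keep detailed logs to cover yourself" point above. Each record carries UTC timestamp, the tester's source IP, the target and the command, chained with SHA-256 so the tester can both answer "what were you doing against that host on Saturday?" and show the log was not edited afterwards. The file name, field layout and all sample records are assumptions.

```shell
#!/bin/sh
# Engagement log: one record per test action, hash-chained (hypothetical layout).
# Record: UTC_TS|SOURCE_IP|TARGET|COMMAND|SHA256(prev_hash + record)
# Commands containing '|' are not supported by this simple layout.
LOGFILE="${ENGAGEMENT_LOG:-./engagement.log}"

# log_cmd SOURCE_IP TARGET COMMAND [UTC_TS]
# Appends a record; the timestamp defaults to now (UTC) but can be supplied
# so that the log can be reconstructed or tested deterministically.
log_cmd() {
    ts=${4:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    prev=$(tail -n 1 "$LOGFILE" 2>/dev/null | awk -F'|' '{print $NF}')
    rec="$ts|$1|$2|$3"
    h=$(printf '%s%s' "$prev" "$rec" | sha256sum | cut -d' ' -f1)
    printf '%s|%s\n' "$rec" "$h" >> "$LOGFILE"
}

# verify_log: re-walks the chain; prints "ok", or the number of the first
# record whose stored hash no longer matches (i.e. it was altered).
verify_log() {
    prev=""
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        rec=${line%|*}
        h=${line##*|}
        exp=$(printf '%s%s' "$prev" "$rec" | sha256sum | cut -d' ' -f1)
        if [ "$h" != "$exp" ]; then
            echo "$n"
            return 1
        fi
        prev=$h
    done < "$LOGFILE"
    echo ok
}

# cmds_against TARGET FROM_TS TO_TS
# Lists commands run against TARGET inside the window. ISO-8601 UTC
# timestamps compare correctly as plain strings, so awk needs no date math.
cmds_against() {
    awk -F'|' -v t="$1" -v a="$2" -v b="$3" \
        '$3 == t && $1 >= a && $1 <= b { print $4 }' "$LOGFILE"
}
```

Hand the client the relevant `cmds_against` window and the `verify_log` result alongside the report, so the "it must have been you" question is settled from a record rather than memory.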

