Re: How much do you disclose to customers?
From: Meritt James (meritt_james_at_bah.com)
Date: 12/19/03
- Previous message: Jerry Shenk: "RE: How much do you disclose to customers?"
- In reply to: Alfred Huger: "How much do you disclose to customers?"
- Next in thread: Harry Hoffman: "Re: How much do you disclose to customers?"
- Reply: Harry Hoffman: "Re: How much do you disclose to customers?"
Date: Fri, 19 Dec 2003 09:19:09 -0500
To: pen-test@securityfocus.com
Sounds like things covered (or should be!) by the traditional "Get out
of Jail free card" you get signed BEFORE starting...
My personal preference is that ONLY "the top" knows you are doing it -
I'm also evaluating responses to IDS alerts, ... and the sysops may act
differently if they knew they were being watched...
Jim
Alfred Huger wrote:
>
> I am posting this for a user who is having difficulty posting directly to
> the list. Please reply to the list.
>
> -al
>
> To: Joe P <joe_nasdaq@yahoo.com>
> Cc: pen-test@securityfocus.com
> Subject: Re: How much do you disclose to customers?
>
> On Tue, 16 Dec 2003, Joe P wrote:
>
> > Hi everyone,
> >
> > I have a question on customer disclosure. Is it wise to tell the
> > customer which IP addresses you'll be using before starting pen tests?
> >
> > Cons for Telling:
> > I was thinking that if you did tell them you may get an overzealous,
> > insecure admin who just sets up a filter to block you out to make
> > him/herself look good.
> >
> > Pros for Telling:
> > 1) If you don't tell them your IP address they may think you're doing
> > testing when in actuality it's someone else (i.e. a true cracker trying
> > to break in).
> > 2) Audit trail reasons - if you trip up an IDS while doing testing they
> > can ignore those alarms.
> >
> > Also, how do testers handle multiple IP addresses? Is there any benefit
> > to doing it from multiple IP addresses?
> >
> > How do testers distribute a test amongst multiple people?
> >
> > Lastly, do you keep logs of tests performed just to cover yourself?
> > (I.e. "Our server crashed on Saturday, it must have been something you
> > did!!")
> >
> > thanks ahead of time,
> > Joe
> >
> >
> >
>
> Alfred Huger
> Symantec Corp.
>
-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566