Re: How much do you disclose to customers?

From: H Carvey (
Date: 12/19/03

  • Next message: fergus: "Re: How much do you disclose to customers?"
    Date: 19 Dec 2003 15:37:03 -0000
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <>

    >> I have a question on customer disclosure. Is it wise to tell the
    >customer which IP addresses you'll be
    >using before starting pen tests?

    The way I've seen this handled is through the contract. Basically, what you do is obtain a "cut out"...someone higher up in the company such as an IT Manager or VP. Ideally, this would be the person to whom all intrusion attempts are reported. That way, he knows what's going on and whether or not the LEOs need to be alerted.

    I understand your concern about overzealous, insecure admins. I've seen such posts to the lists, too. However, look at it this way...if the admin does this, and does so against the orders of the IT Manager/VP, then you've identified at least one security risk already, haven't you?

    >> Also, how do testers handle multiple IP addresses? Is there any benefit
    >to doing it from multiple IP

    Simply include it in the contract.

    >> How do testers distribute a test amongst multiple people?

    It depends on how you're organized, the amount of time you have, and the skills of your staff. Some folks may go after low-hanging fruit such as web or ftp servers, while others may be tasked with continual network mapping.

    >> Lastly, do you keep logs of tests performed just to cover yourself?
    >(Ie: "Our server crashed on Saturday,
    >it must have been something you did!!"")

    Not just logs...detailed documentation. Believe me, it helps. I remember going on-site for a VA once, and while we were still in w/ the IT Manager, an admin came in and informed him that the "scanning the security guys were doing had crashed a couple of servers". We were all standing their with out laptops still in our bags. Our "CYA" was the manager in that case.

    However, the contract should also include a hold-harmless statement...something to the effect that the testers will take all reasonable precautions to ensure that something is not crashed, but things do happen. Also, give your client the opportunity to designate systems that will not be involved in the pen test, and may be subject to a thorough VA at a later date.

    Hope that helps,



  • Next message: fergus: "Re: How much do you disclose to customers?"

    Relevant Pages

    • RE: How much do you disclose to customers?
      ... On Tue, 16 Dec 2003, Joe P wrote: ... customer which IP addresses you'll be ... using before starting pen tests? ... But, in general, multiple IP gives you flexibility and are often essential. ...
    • Re: Please help with a serious issue
      ... User 1 selects customer 1. ... The credit card table is filtered to that account ... What i basically need to know is how to allow multiple users to use the same ... Customer Shipping - Holds all possible shipping addresses for each client. ...
    • Re: GIMUNZIP failure
      ... Many shops have multiple ... You can even order multiple java versions with ServerPac. ... the customer could be supporting multiple ...
    • Re: Outlook opens all attachments.
      ... > in fax viewer opens the pic from my temporary internet files. ... > we asked the customer to delete the temp folder and open one pic (the ... Maybe they are receiving in a TIF format that permits multiple images ... If one file format can permit multiple pages per file then I would ...
    • RE: How much do you disclose to customers?
      ... our IP's blocked by an IPS or by an unwitting admin. ... from multiple machines has its advantages, especially when given a class C or larger to split up the time. ... Logs are definitly important, one thing I wish automated scanners ... >> I have a question on customer disclosure. ...