Re: How much do you disclose to customers?

From: fergus (fergus_at_cobbled.net)
Date: 12/19/03

    Date: Fri, 19 Dec 2003 14:39:42 +0000
    To: pen-test@securityfocus.com
    
    

    joe,

    i would suggest that you agree with management
    which addresses you will probe from but ensure
    that administrators do not know.

    they should follow normal response procedure
    against the attack - however, resulting legal
    action would be stopped by management as they
    would know.

    fergus

    On 18.12-13:13, Alfred Huger wrote:
    >
    >
    > I am posting this for a user who is having difficulty posting directly to
    > the list. Please reply to the list.
    >
    > -al
    >
    >
    > To: Joe P <joe_nasdaq@yahoo.com>
    > Cc: pen-test@securityfocus.com
    > Subject: Re: How much do you disclose to customers?
    >
    >
    > On Tue, 16 Dec 2003, Joe P wrote:
    >
    > > Hi everyone,
    > >
    > > I have a question on customer disclosure. Is it wise to tell the
    > > customer which IP addresses you'll be using before starting pen tests?
    > >
    > > Cons for Telling:
    > > I was thinking that if you did tell them you may get an overzealous,
    > > insecure admin that just sets up a filter to block you out to make
    > > him/herself look good.
    > >
    > > Pros for Telling:
    > > 1) if you don't tell them your IP address they may think you're doing
    > > testing when in actuality it's someone else (ie: a true cracker trying
    > > to break in).
    > > 2) Audit trail reasons - if you trip up an IDS while doing testing they
    > > can ignore those alarms.
    > >
    > > Also, how do testers handle multiple IP addresses? Is there any benefit
    > > to doing it from multiple IP addresses??
    > >
    > > How do testers distribute a test amongst multiple people?
    > >
    > > Lastly, do you keep logs of tests performed just to cover yourself?
    > > (Ie: "Our server crashed on Saturday, it must have been something you did!!")
    > >
    > > thanks ahead of time,
    > > Joe
    > >
    > >
    > >
    >
    > Alfred Huger
    > Symantec Corp.
    >

    -- 
    : fergus cameron                :   [ .]        cobbled    :
    : ^^^^^^@cobbled.net            : [ ~][ ]             .net :