RE: How much do you disclose to customers?

From: Brewis, Mark (mark.brewis_at_eds.com)
Date: 12/19/03

  • Next message: Harry Hoffman: "Re: How much do you disclose to customers?"
    To: pen-test@securityfocus.com
    Date: Fri, 19 Dec 2003 16:59:39 -0000
    
    

    On Tue, 16 Dec 2003, Joe P wrote:

    > I have a question on customer disclosure. Is it wise to tell the
    > customer which IP addresses you'll be using before starting pen tests?
    >

    Always. Even on 'blind' jobs, when the client is specifying a PenTest to test IDS and firewall teams' effectiveness, someone in the client organisation - the people you agreed the scope with - needs to know who you are and where you are coming from, in order to cap escalation procedures etc.

    > Cons for Telling:
    > I was thinking that if you did tell them you may get an over-zealous,
    > insecure admin that just sets up a filter to block you out to make
    > him/herself look good.
    >
    Possible, and I have seen it done, but only once. It is a very limited solution, and stands out during testing. If you report what you find, and the client wonders why you weren't able to see their web-site, it is a bit of a giveaway. Most admins are happy to help anyway.

    > Pros for Telling:

    > 1) if you don't tell them your IP address they may think you're doing
    > testing when in actuality it's someone else (ie: a true cracker trying
    > to break in).

    Yes

    > 2) Audit trail reasons - if you trip up an IDS while doing testing they
    > can ignore those alarms.
    >

    Worth reminding the client to tell all parties that you are doing the test - their ISP, and managed services etc, so that you don't get blocked downstream.

    > Also, how do testers handle multiple IP addresses? Is there any benefit
    > to doing it from multiple IP addresses??
    >
    This is actually a very complex question. It depends very heavily on what type of test you are doing. But, in general, multiple IPs give you flexibility and are often essential.

    > How do testers distribute a test amongst multiple people?
    >
    By skills. You need to know your team well, but with experience it tends to distribute itself, to a point.

    > Lastly, do you keep logs of tests performed just to cover yourself?
    > (Ie: "Our server crashed on Saturday, it must have been something you
    > did!!")
    >
    > thanks ahead of time,
    > Joe
    >
    Script everything under Linux. Keep raw output from all your tools. Consider packet logging everything. Burn it all on to a CD when you are finished. It can help you with all sorts of issues: how much you covered, what you did, what tests were running when x crashed, what the problem with x might be, if it is a new vulnerability etc.

    HTH,

    Mark
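A worked version of the logging discipline Mark recommends above, added here as an example and not part of his message or of any tool he names. It is a small POSIX shell library that creates a per-engagement evidence directory, wraps each tool run so its raw stdout/stderr land in a timestamped file while an index records start time, end time, arguments and exit status, optionally starts a tcpdump capture scoped to the target range, and finally seals the directory with a SHA-256 manifest that can be re-verified from the burned CD. It assumes a Linux host with GNU coreutils (date, sha256sum, tee-style redirection); tcpdump is only needed if you call capture_start. The client name, scope and directory paths used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: evidence logging for a penetration test.
# Assumes Linux + GNU coreutils; tcpdump is optional (capture_start only).

# Create the evidence directory for an engagement.
# Usage: evidence_init <client-name> [base-dir]   -> prints the directory path
evidence_init() {
    client="$1"
    base="${2:-./evidence}"
    dir="$base/$(date -u +%Y%m%dT%H%M%SZ)-$client"
    mkdir -p "$dir/tools"
    # index.log is the engagement timeline: one line per command, UTC stamps.
    : > "$dir/index.log"
    printf '%s\n' "$dir"
}

# Run a tool, keeping its raw output and recording start/end/exit in the index.
# Usage: run_logged <evidence-dir> <label> <command> [args...]
# Returns the tool's own exit status so callers can still branch on it.
run_logged() {
    dir="$1"; label="$2"; shift 2
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    out="$dir/tools/$stamp-$label.log"
    printf '%s START %s :: %s\n' "$stamp" "$label" "$*" >> "$dir/index.log"
    # stdout and stderr interleaved, exactly as the tester saw them.
    "$@" > "$out" 2>&1
    rc=$?
    printf '%s END   %s rc=%s out=%s\n' \
        "$(date -u +%Y%m%dT%H%M%SZ)" "$label" "$rc" "$out" >> "$dir/index.log"
    return "$rc"
}

# Start a full packet capture of traffic to/from the agreed scope (needs root).
# Prints tcpdump's PID; stop it with: kill "$pid"
# Usage: capture_start <evidence-dir> <interface> <scope-cidr>
capture_start() {
    dir="$1"; iface="$2"; scope="$3"
    pcap="$dir/capture-$(date -u +%Y%m%dT%H%M%SZ).pcap"
    tcpdump -i "$iface" -s 0 -w "$pcap" net "$scope" &
    printf '%s\n' "$!"
}

# Seal the evidence: SHA-256 over every file (file names here contain no
# whitespace, so a plain find|sort|xargs pipeline is safe).
# Usage: evidence_seal <evidence-dir>   -> prints number of files in manifest
evidence_seal() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 | sort \
        | xargs sha256sum > MANIFEST.sha256 )
    wc -l < "$dir/MANIFEST.sha256" | tr -d ' '
}

# Verify a sealed directory (e.g. read back from the CD). Returns 0 if unchanged.
# Usage: evidence_verify <evidence-dir>
evidence_verify() {
    ( cd "$1" && sha256sum --check --quiet MANIFEST.sha256 )
}

# Demo with harmless commands (constructed; a real run wraps the actual tools).
EVD="$(evidence_init democlient "${TMPDIR:-/tmp}/pentest-evidence")"
run_logged "$EVD" hostcheck uname -a
run_logged "$EVD" scopenote sh -c 'echo "agreed scope: 192.0.2.0/24"; date -u'
evidence_seal "$EVD" > /dev/null
evidence_verify "$EVD" && echo "evidence sealed and verified in $EVD"
```

The exit status is written to the index rather than swallowed, so a crash at the client end can be lined up against the exact command and timestamp, and evidence_verify answers the "was this altered after the fact" question that a raw CD of logs cannot.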
