RE: How much do you disclose to customers?

From: Brewis, Mark (
Date: 12/19/03

  • Next message: Harry Hoffman: "Re: How much do you disclose to customers?"
    Date: Fri, 19 Dec 2003 16:59:39 -0000

    On Tue, 16 Dec 2003, Joe P wrote:

    > I have a question on customer disclosure. Is it wise to tell the
    customer which IP addresses you'll be
    using before starting pen tests?

    Always. Even on 'blind' jobs, when the client is specifying a PenTest to test IDS and firewall teams effectiveness, someone in the client organisation - the people you agreed the scope with - need to know who you are and where you are coming from, in order to cap escalation procedures etc.

    > Cons for Telling:
    > I was thinking that if you did tell them you may get an over zealous,
    insecure admin that just sets up a
    filter to block you out to make him/herself look good.
    Possible, and have seen it done, but only once. It is a very limited solution, and stands out during testing. If you report that what you find, and the client wonders why you weren't able to see their web-site, it is a bit of a giveaway. Most admins are happy to help anyway.

    > Pros for Telling:

    > 1) if you don't tell them your IP address they may think your doing
    testing when in actuallity it's someone
    else (ie: a true cracker trying to break in).


    > 2) Audit trail reasons - if you trip up an IDS while doing testing they
    can ignore those alarms.

    Worth reminding the client to tell all parties that you are doing the test - their ISP, and managed services etc, so that you don't get blocked downstream.

    > Also, how do testers handle multiple IP addresses? Is there any benefit
    to doing it from multiple IP
    This is actually a very complex question. It depends very heavily on what type of test you are doing. But, in general, multiple IP gives you flexibility and are often essential.

    > How do testers distribute a test amongst multiple people?
    By skills. You need to know your team well, but with experience it tends to distribute itself, to a point.

    > Lastly, do you keep logs of tests performed just to cover yourself?
    (Ie: "Our server crashed on Saturday,
    it must have been something you did!!"")
    > thanks ahead of time,
    > Joe
    Script everything under Linux. Keep raw output from all your tools. Consider packet logging everything. Burn it all on to a CD when you are finished. It can help you with all sorts of issues: how much you covered, what you did, what test were running when x crashed, what the problem with x might be, if it is a new vulnerability etc.




  • Next message: Harry Hoffman: "Re: How much do you disclose to customers?"