RE: How much do you disclose to customers?

From: Brewis, Mark (mark.brewis_at_eds.com)
Date: 12/19/03

  • Next message: Harry Hoffman: "Re: How much do you disclose to customers?"
    To: pen-test@securityfocus.com
    Date: Fri, 19 Dec 2003 16:59:39 -0000
    
    

    On Tue, 16 Dec 2003, Joe P wrote:

    > I have a question on customer disclosure. Is it wise to tell the
    > customer which IP addresses you'll be using before starting pen tests?
    >

    Always. Even on 'blind' jobs, when the client is specifying a PenTest to test IDS and firewall teams' effectiveness, someone in the client organisation - the people you agreed the scope with - needs to know who you are and where you are coming from, in order to cap escalation procedures etc.

    > Cons for Telling:
    > I was thinking that if you did tell them you may get an over-zealous,
    > insecure admin that just sets up a filter to block you out to make
    > him/herself look good.
    >
    Possible, and have seen it done, but only once. It is a very limited solution, and stands out during testing. If you report what you find, and the client wonders why you weren't able to see their web site, it is a bit of a giveaway. Most admins are happy to help anyway.

    > Pros for Telling:

    > 1) if you don't tell them your IP address they may think you're doing
    > testing when in actuality it's someone else (i.e. a true cracker trying
    > to break in).

    Yes

    > 2) Audit trail reasons - if you trip up an IDS while doing testing they
    > can ignore those alarms.
    >

    Worth reminding the client to tell all parties that you are doing the test - their ISP, and managed services etc, so that you don't get blocked downstream.

    > Also, how do testers handle multiple IP addresses? Is there any benefit
    > to doing it from multiple IP addresses??
    >
    This is actually a very complex question. It depends very heavily on what type of test you are doing. But, in general, multiple IPs give you flexibility and are often essential.

    > How do testers distribute a test amongst multiple people?
    >
    By skills. You need to know your team well, but with experience it tends to distribute itself, to a point.

    > Lastly, do you keep logs of tests performed just to cover yourself?
    > (i.e. "Our server crashed on Saturday, it must have been something you
    > did!!")
    >
    > thanks ahead of time,
    > Joe
    >
    Script everything under Linux. Keep raw output from all your tools. Consider packet logging everything. Burn it all on to a CD when you are finished. It can help you with all sorts of issues: how much you covered, what you did, what tests were running when x crashed, what the problem with x might be, if it is a new vulnerability etc.

    HTH,

    Mark

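The logging routine Mark describes (script everything, keep the raw output of every tool, packet-log the session, and seal the evidence when the job is done), as an added example that is not part of the original post. The directory layout, file names and function names are my own invention; it assumes a POSIX shell with date, awk, find and either sha256sum or shasum, and uses script(1) and tcpdump only where they are installed. The source IPs 192.0.2.10/11 in the usage lines are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the original post or its author. Evidence
# logging for a pen-test session: one directory per engagement holding the
# disclosed source IPs, raw tool output, optional pcaps and a journal that
# answers "what was running when x crashed?". Layout and names are assumed.

# ev_init <base_dir> <client> <src-ip>...  -> prints the new evidence dir.
# Records the source addresses the client (and their ISP) were told to expect.
ev_init() {
    base=$1; client=$2; shift 2
    dir="$base/$client-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dir/raw" "$dir/pcap"
    for ip in "$@"; do printf '%s\n' "$ip"; done > "$dir/source-ips.txt"
    printf 'start\tend\texit\ttool\traw_file\n' > "$dir/journal.tsv"
    printf '%s\n' "$dir"
}

# ev_run <ev_dir> <label> <command...>
# Runs one tool, keeps its combined stdout/stderr verbatim in raw/, and
# journals UTC start, end and exit status. Returns the tool's exit status.
ev_run() {
    dir=$1; label=$2; shift 2
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    raw="$dir/raw/$(date -u +%H%M%S)-$label.log"
    printf '# start: %s\n# cmd: %s\n' "$start" "$*" > "$raw"
    if "$@" >> "$raw" 2>&1; then rc=0; else rc=$?; fi
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\t%s\n' "$start" "$end" "$rc" "$label" "$raw" \
        >> "$dir/journal.tsv"
    return "$rc"
}

# ev_running_at <ev_dir> <YYYY-MM-DDTHH:MM:SSZ>
# Lists the tools whose journal window covers the given UTC instant, i.e.
# the answer to "our server crashed on Saturday at 14:03, was that you?".
# Fixed-width ISO-8601 timestamps compare correctly as strings.
ev_running_at() {
    awk -F'\t' -v t="$2" 'NR > 1 && $1 <= t && t <= $2 { print $4 }' \
        "$1/journal.tsv"
}

# ev_shell <ev_dir>: interactive work goes through script(1) so the whole
# terminal session is kept, not just tool output. (Not exercised in the test.)
ev_shell() {
    script -a "$1/raw/shell-$(date -u +%Y%m%dT%H%M%SZ).typescript"
}

# ev_pcap_start <ev_dir> <iface>: full packet capture of everything we send
# and receive; needs root and tcpdump. Prints the tcpdump pid so the session
# can `kill` it when finished. (Not exercised in the test.)
ev_pcap_start() {
    tcpdump -i "$2" -s 0 -w "$1/pcap/$(date -u +%Y%m%dT%H%M%SZ).pcap" \
        > /dev/null 2>&1 &
    printf '%s\n' "$!"
}

# ev_seal <ev_dir>: write a SHA-256 manifest over all evidence files, so the
# CD you burn at the end can be checked for completeness later.
ev_seal() {
    if command -v sha256sum > /dev/null 2>&1; then h=sha256sum
    else h="shasum -a 256"; fi
    ( cd "$1" && find raw pcap source-ips.txt journal.tsv -type f \
        | LC_ALL=C sort | xargs $h ) > "$1/MANIFEST.sha256"
}

# Usage (constructed source IPs; 'true' stands in for a real tool run):
#   d=$(ev_init /evidence acme 192.0.2.10 192.0.2.11)
#   ev_run "$d" nmap-tcp nmap -sS -p- 198.51.100.0/24
#   ev_running_at "$d" 2003-12-20T14:03:00Z
#   ev_seal "$d"
```

The journal is tab-separated on purpose: it loads straight into a spreadsheet for the report's coverage appendix, and `ev_running_at` is a one-line awk filter over it. Exit status is journaled as well as captured output, so a tool that died mid-run is visible without reading every raw file.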

