RE: How much do you disclose to customers?

From: Michal Zalewski (lcamtuf_at_coredump.cx)
Date: 12/19/03

    Date: Fri, 19 Dec 2003 19:35:01 +0100 (CET)
    To: "Kinnane, Scott" <Scott.Kinnane@ISATechnologies.com>

    On Fri, 19 Dec 2003, Kinnane, Scott wrote:

    > I'd explain to the customer that in a real security attack, you don't
    > know the source of the attack when it starts, so you need to simulate as
    > real a situation as possible. The logs would come in handy as you could
    > offer that as proof of what was coming from you.

    It only makes sense if you already know an attack vector, and want to test
    response procedures and incident awareness.

    In all other cases (meaning, a typical pen-test), it is wise to tell the
    customer, simply because you do NOT want them to initiate a response,
    immediately bring systems down if there is a suspicion one of the attacks
    might have succeeded, etc. (let alone contacting your ISP). But more
    importantly, you want them to be prepared for eventual consequences, for
    example a downtime resulting from an intentional (or accidental) DoS-type
    test.

    I do not think, however, that it is wise to mix both response analysis and
    vulnerability assessment, or that it is feasible to do so without
    compromising the completeness of the pen-test itself.

    My $.02; I suppose there would be just as many views as posters in the
    thread.

    -- 
    ------------------------- bash$ :(){ :|:&};: --
     Michal Zalewski * [http://lcamtuf.coredump.cx]
        Did you know that clones never use mirrors?
    --------------------------- 2003-12-19 19:30 --
       http://lcamtuf.coredump.cx/photo/current/
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------