Re: How much do you disclose to customers?

From: Clint Bodungen (clint_at_secureconsulting.com)
Date: 12/20/03

    To: <pen-test@securityfocus.com>
    Date: Fri, 19 Dec 2003 17:04:45 -0600


    > >> Lastly, do you keep logs of tests performed just to cover yourself?
    > >(Ie: "Our server crashed on Saturday,
    > >it must have been something you did!!"")
    >
    > Not just logs...detailed documentation. Believe me, it helps. I remember
    > going on-site for a VA once, and while we were still in w/ the IT Manager,
    > an admin came in and informed him that the "scanning the security guys were
    > doing had crashed a couple of servers". We were all standing there with our
    > laptops still in our bags. Our "CYA" was the manager in that case.
    >
    > However, the contract should also include a hold-harmless
    > statement...something to the effect that the testers will take all
    > reasonable precautions to ensure that something is not crashed, but things
    > do happen. Also, give your client the opportunity to designate systems that
    > will not be involved in the pen test, and may be subject to a thorough VA at
    > a later date.
    >
    > Hope that helps,
    >
    > Harlan
    >

    I've done pen-tests where only the top brass knew about it and where the
    whole IT dept. knew about it. You have to be flexible to the client's needs.
    There are advantages to each under certain circumstances, and I think this
    thread has already demonstrated most of the pros and cons of each.

    I'm submitting my reply because of the poster's last concern... and this may
    even be a whole other discussion (I'll let the moderators decide). I've
    found that this "point the finger at the security guys" is the most common
    scenario. Harlan is right. In almost every single pen-test I've done,
    something goes wrong somewhere in the organization's systems (even if we're
    NOT the ones breaking it) and everybody is very quick to blame the
    pen-testers or the "security guys" or the consultants, etc. Now that IT
    security has become almost a household term even to the clueless, our
    liability risks have increased. Let's face it... it's almost an
    occupational hazard.

    I've come across an issue once where we were just starting our test on the
    "low hanging fruit" at the web front-end when something on the internal LAN
    went down. We had detailed documentation and logs of our activities proving
    that we weren't testing anything even remotely related to the system that
    went down. Furthermore, due to the nature of the testing and what had
    happened to the other system, it was actually infeasible that we COULD have
    caused it. However, the SVP of IT wouldn't believe us nor our
    documentation. He put our tests on hold until he found the root cause of
    the problem. Ok, understandable. Eventually, the IT guys were able to find
    the issue through their own logs and we were off the hook, but not before
    this guy was starting to threaten a lawsuit. I know this is probably a rare
    case, but it still happens...and it only takes one person high enough at the
    top who is unreasonable and irrational... and one misplaced log or detail,
    and it can end a career. Has anyone else dealt with a situation like this,
    or maybe even gone to court over it? Is a contractual disclaimer always
    going to be enough? We've all seen how the suits and lawyers mangle IT
    security and most technological issues in general. Chances are the judge
    and the jury aren't going to be very technical. So, if you do get taken to
    court, can you rely on technical evidence if a contractual disclaimer didn't
    work?
