RE: How much do you disclose to customers?

From: Whiteside, Larry [contractor] (BAE14_at_SPHQ.SSP.NAVY.MIL)
Date: 12/19/03

  • Next message: Maarten Van Horenbeeck: "Re: Wireless Pen-test"
    Date: Fri, 19 Dec 2003 14:09:57 -0500
    To: "wirepair" <>, <>

    I think you should first perform the scan and see if they have procedures in place to detect and react to your attempts. Once they noticed it and blocked it then you could inform them of the other pertinent details (i.e. time scanning to be performed, IPs used [if different from initial test], etc...).

    A lot of places forget that the procedures to react to an intrusion attempt are a key element to the entire process. Of course all of this should be spelled out in your contract and explained in detail up front to protect you and the client both.

    my 2 cents


    -----Original Message-----
    From: wirepair []
    Sent: Thursday, December 18, 2003 7:42 PM
    Subject: Re: How much do you disclose to customers?

    We always tell the client which IP's we are coming from. Mainly because we *don't* want to get
    our IP's blocked by an IPS or by an unwitting admin. If you do not trust the admins will allow
    the test to go smoothly, you should probably contact their managers to see that your information
    does not get distorted.

    Or you can simply ask them whether or not they'd like to be given that information. Occasionally,
    we are told by the managers to not tell the admins to see if they notice the attacks. Doing the tests
    from multiple machines has its advantages, especially when given a class C or larger to split up the time.

    In our company tests are usually split up with internal/external/pbx & modems ect. But occasionally
    we all work on a project together. Logs are definitly important, one thing I wish automated scanners
    did would log what plugin/exploit caused the fault/issue. If the issue was caused during a penetration
    test you should contact the company immediately and explain what exactly you were testing at the time
    and work with them in identifying what the exact nature of the problem was.
    Hope this helps,

    On Thu, 18 Dec 2003 13:13:43 -0700 (MST)
      Alfred Huger <> wrote:
    >I am posting this for a user who is having difficulty posting directly to
    >the list. Please reply to the list.
    >To: Joe P <>
    >Subject: Re: How much do you disclose to customers?
    >On Tue, 16 Dec 2003, Joe P wrote:
    >> Hi everyone,
    >> I have a question on customer disclosure. Is it wise to tell the
    >customer which IP addresses you'll be
    >using before starting pen tests?
    >> Cons for Telling:
    >> I was thinking that if you did tell them you may get an over zealous,
    >insecure admin that just sets up a
    >filter to block you out to make him/herself look good.
    >> Pros for Telling:
    >> 1) if you don't tell them your IP address they may think your doing
    >testing when in actuallity it's someone
    >else (ie: a true cracker trying to break in).
    >> 2) Audit trail reasons - if you trip up an IDS while doing testing they
    >can ignore those alarms.
    >> Also, how do testers handle multiple IP addresses? Is there any benefit
    >to doing it from multiple IP
    >> How do testers distribute a test amongst multiple people?
    >> Lastly, do you keep logs of tests performed just to cover yourself?
    >(Ie: "Our server crashed on Saturday,
    >it must have been something you did!!"")
    >> thanks ahead of time,
    >> Joe
    >Alfred Huger
    >Symantec Corp.

    Visit Things From Another World for the best
    comics, movies, toys, collectibles and more.

  • Next message: Maarten Van Horenbeeck: "Re: Wireless Pen-test"