Penetration Testing mailing list archives
RE: What is your policy on customers participating in a pen test?
From: "Ken Pfeil" <Ken () infosec101 org>
Date: Wed, 20 Jun 2001 16:00:34 -0400
I've been on both sides of the fence a time or two. If you have certain levels of compromise set up, laid out and signed off beforehand, all the better. Very few clients will let you fully compromise a production system, but if you can prove it possible from past experience you're in much better shape to prove your findings without a lot of "fallout".

Most clients want to be involved simply because:

a) It proves to them they are getting what they are paying for (and not some vuln scanner report)
b) It helps them plan better for contingencies regarding an actual compromise
c) They want your input "on the fly" regarding "what if" scenarios (What if we had a firewall or IDS, air-gap, SSL, etc. here, here and here?)
d) They want training on pen-test procedures or need to explain exactly what was done to risk management/auditing/compliance
e) They want to see that you're not doing anything "hokey" with the systems (backdoors, etc.)
f) They're just plain curious

James is on-the-mark about having the client say-so in terminating the test at any point. May save you some legal fees :-)

I certainly wouldn't let them "drive", but an offering of findings and ample time for their validation upon conclusion of your testing oughta go a long way....

Best regards,
Ken
-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Tuesday, June 19, 2001 5:25 PM
To: Joe Klein
Cc: pen-test () securityfocus com
Subject: Re: What is your policy on customers participating in a pen test?

I have performed such with a representative present (but no touch). The better for at-the-time "Do you want me to...?" (I did ask, they said "NO!!!!!!!"). There is a chance of them terminating your test prior to when YOU would, so watch the contractual conditions. Helps with the "Get out of jail free" if a rep is on hand...

V/R
Jim

Joe Klein wrote:
> All:
> I am hearing customers request (and sometimes demand) that they be part of a pen test. Currently, we offer the customer 4 - 8 hours of time to review findings and show them what we did, to access their systems. But we do this after the pen test is complete.
> I was wondering how other companies deal with this issue?
> J

--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566