Penetration Testing mailing list archives

RE: What is your policy on customers participating in a pen test?


From: "George Milliken" <gmilliken () farm9 com>
Date: Wed, 20 Jun 2001 14:57:42 -0700

We at farm9 have no problem with customers watching and/or performing pen
tests at their site.  We also make available tcpdumps of the entire auditing
session.  This is useful for later work, such as verifying that the IDS(s)
saw the attacks, finding out what was missed by the IDS, etc.  Also, it
provides a nice audit trail in the event that someone asks "what *else* were
these guys doing while they were in our servers?".

We do not generally let customers "help" because it slows us down.  Instead
we offer a hacking class for sys admins.

To tell you the truth, most customers (many of ours are US banks) don't ask
to participate and don't ask for an audit trail.  It just hasn't come up...



Regards,

George Milliken, CEO
farm9.com, Inc.
--
gmilliken () farm9 com      24x7 Intrusion Prevention & Incident Response
http://www.farm9.com     24x7 Log Consolidation & Managed IDS
SOC : 510-835-3276 x253  cell: 510-913-8850     fax:  925-376-5907
    ==================================================
    SANS Network Security 2001 San Diego, CA  Oct 15-22
    ==================================================

-----Original Message-----
From: Spencer, Ed M. -ND [mailto:Ed.M.Spencer.-ND () disney com]
Sent: Tuesday, June 19, 2001 4:49 PM
To: 'Joe Klein'; pen-test () securityfocus com
Subject: RE: What is your policy on customers participating in a pen test?


This is often the case when the customer has data that is highly
confidential, much to lose through damage to reputation, concerns about how
the data is collected, and maybe even issues regarding the ethics of the
company/people doing the job.  Either that or they want to watch you do it
so they can collect information so they can do it themselves next time, want
to make sure your company does it (not subbed out) and they want to make
sure it's more than just a couple products you picked up off the shelf and
ran against them. (or maybe they're just paranoid, like me)

One thing I've seen done is when pen testing is being done actively (someone
is actively breaking the security - not a script/canned product) the
customer watches over a remote control product (like VNC).  This allows them
to view what's going on, ensure accurate results, and gives them peace of
mind for their network.  You can easily set up VNC to only allow them to
watch (no keyboard/mouse to them) and it's not platform specific.

Other things are to watch the wording in the contract and the intent.  Are
you providing ongoing pen testing/review (like the TruSecure process -
http://www.trusecure.com) or are you doing a one time audit/review (think
ISACA - http://www.isaca.org).  Is educating the customer part of the
contract requirements? (some education is usually expected.)  Do they want
this done again?  Will they try to do it themselves next time?

In the end I just recommend being cautious, discussing the requirements and
expectations up front.  </sarcasm-on>I don't recommend turning over your
tools to them, showing them step by step how to use them, and letting them
ghost your laptop. (We are in business to make money).</sarcasm-off>

I guess it's just a case of the customers wanting from us what we've
requested from software companies all along - full disclosure.

Ed Spencer
MCSE/MCT/CNA/A+/Network+
Security Analyst - IS Security
Renaissance Worldwide, Inc. - Walt Disney World




-----Original Message-----
From: Joe Klein [mailto:jsklein () mindspring com]
Sent: Tuesday, June 19, 2001 2:00 AM
To: pen-test () securityfocus com
Subject: What is your policy on customers participating in a pen test?


All:

I am hearing customers request ( and some times demand ) that they be part
of a pen test.

Currently, we offer the customer 4 - 8 hours of time to review findings and
show them what we did, to access their systems. But we do this after the pen
test is complete.

I was wondering how other companies deal with this issue?

J


