Re: What is your policy on customers participating in a pen test?

From: GBH (gbhat_private)
Date: Tue Jun 19 2001 - 14:51:00 PDT


    Can I ask you why you WOULDN'T let a client see what you're doing?
    
    If you are competent, happy and methodical with the work that you do there
    should be no reason at all not to allow a client to watch a live pen test.
    
    Are we not all here to help "them", whoever they may be, become more secure,
    more aware and more alert to security risks? (And of course point out their
    massive security holes!) There is always this culture that people worry
    about their clients not asking them back because they've learnt how to do it
    themselves. At least by allowing them to watch what you're doing they'll get a
    feel for how things are done by nasty l337 h4x0r types. It is VERY unlikely
    that any client would learn enough to attempt their own and if they do,
    great! You've just educated someone else on how to test if their networks are
    secure. That's a big plus in my view.
    
    The way I see it is let them watch, show them what you do and, if you can,
    involve them in the work. Let them justify in their minds that you're not going to
    kill their network (unless that's what you're there for) and let them know the
    massive amounts of money they're paying you is worth it and that you're not
    just running an nmap scan.
    
    I see user education - either pure knowledge or even enthusing someone
    enough to show an interest - as a massive plus in what I do. As I said earlier,
    the more aware I can make people the more secure their system is likely to
    be. After all, there are always FAR more people who have no interest and no
    clue than there ever will be on the other side of the fence, so I'll never be
    out of work (I hope!)
    
    Thanks
    
    Gary
    
    
    ----- Original Message -----
    From: "Joe Klein" <jskleinat_private>
    To: <pen-testat_private>
    Sent: Tuesday, June 19, 2001 6:59 AM
    Subject: What is your policy on customers participating in a pen test?
    
    
    > All:
    >
    > I am hearing customers request (and sometimes demand) that they be part of a
    > pen test.
    >
    > Currently, we offer the customer 4 - 8 hours of time to review findings and show
    > them what we did to access their systems. But we do this after the pen test is
    > complete.
    >
    > I was wondering how other companies deal with this issue?
    >
    > J
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:52:11 PDT