Re: What is your policy on customers particapating in a pen test?

From: GBH (gbhat_private)
Date: Tue Jun 19 2001 - 14:51:00 PDT

Next message: Jonathan Rickman: "Re: What is your policy on customers particapating in a pen test?"

Previous message: Jeremy Sanders: "Re: Identifying Machines"
In reply to: Joe Klein: "What is your policy on customers particapating in a pen test?"
Next in thread: Jonathan Rickman: "Re: What is your policy on customers particapating in a pen test?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Can I ask you why you WOULDN'T let a client see what you'r doing?

If you are competent, happy and methodical with the work that you do there
should be no reason at all not to allow a client to watch a live pen test.

Are we not all here to help "them", whoever they may be, become more secure,
more aware and more alert to security risks?(and of course point out their
massive security holes!) There is always this culture that people worry
about their clients not asking them back because they've learnt how to do it
themselves. At least by allowing them to watch what your doing they'll get a
feel for how things are done by nasty l337 h4x0r types. It is VERY unlikely
that any client would learn enough to attempt their own and if they do,
great! You;ve just educated someone else how to test if their networks are
secure. Thats a big plus in my view.

The way I see it is let them watch, show them what you do and if you can
involve them in the work. Let them justify in their minds your not going to
kill their network(unless thats what your there for) and let them know the
massive ammounts of money they're paying you is worth it and that you'r not
just running a nmap scan.

I see user education - either pure knowledge or even enthusing someone
enough to show an interest a massive plus in what I do. As I said earlier,
the more aware I can make people the more secure their system is likely to
be. After all there are always FAR more people who have no interest and no
clue than there ever will be on the other side of the fence, I'll never be
out of work (I hope!)

Thanks

Gary


----- Original Message -----
From: "Joe Klein" <jskleinat_private>
To: <pen-testat_private>
Sent: Tuesday, June 19, 2001 6:59 AM
Subject: What is your policy on customers particapating in a pen test?


> All:
>
> I am hearing customers request ( and some times demand ) that they be part
of a
> pen test.
>
> Currently, we offer the customer 4 - 8 hours of time to review findings
and show
> them what we did, to access there systems. But we do this after the pen
test is
> complete.
>
> I was wondering how other companies deal with this issue?
>
> J
>
>
>

Next message: Jonathan Rickman: "Re: What is your policy on customers particapating in a pen test?"
Previous message: Jeremy Sanders: "Re: Identifying Machines"
In reply to: Joe Klein: "What is your policy on customers particapating in a pen test?"
Next in thread: Jonathan Rickman: "Re: What is your policy on customers particapating in a pen test?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:52:11 PDT