RE: What is your policy on customers participating in a pen test?

From: Ken Pfeil (Kenat_private)
Date: Wed Jun 20 2001 - 13:00:34 PDT


    I've been on both sides of the fence a time or two. If you have certain
    levels of compromise set up, laid out and signed off beforehand, all the
    better. Very few clients will let you fully compromise a production system,
    but if you can prove it possible from past experience you're in much better
    shape to prove your findings without a lot of "fallout". Most clients want
    to be involved simply because:
    
    a) It proves to them they are getting what they are paying for (and not some
    vuln scanner report)
    b) It helps them plan better for contingencies regarding an actual
    compromise
    c) They want your input "on the fly" regarding "what if" scenarios (What if
    we had a firewall or IDS, air-gap, SSL, etc. here here and here?)
    d) They want training on pen-test procedures or need to explain exactly what
    was done to risk management/auditing/compliance
    e) They want to see that you're not doing anything "hokey" with the systems
    (backdoors, etc)
    f) They're just plain curious
    
    James is on-the-mark about having the client say-so in terminating the test
    at any point. May save you some legal fees :-)
    
    I certainly wouldn't let them "drive", but an offering of findings and ample
    time for their validation upon conclusion of your testing oughta go a long
    way....
    
    Best regards,
    Ken
    
    > -----Original Message-----
    > From: Meritt James [mailto:meritt_jamesat_private]
    > Sent: Tuesday, June 19, 2001 5:25 PM
    > To: Joe Klein
    > Cc: pen-testat_private
    > Subject: Re: What is your policy on customers participating in a pen
    > test?
    >
    >
    > I have performed such with a representative present (but no touch).  The
    > better for at-the-time "Do you want me to...?"  (I did ask, they said
    > "NO!!!!!!!").  There is a chance of them terminating your test prior to
    > when YOU would, so watch the contractual conditions.  Helps with the
    > "Get out of jail free" if a rep is on hand...
    >
    > V/R
    >
    > Jim
    >
    > Joe Klein wrote:
    > >
    > > All:
    > >
    > > I am hearing customers request (and sometimes demand) that they be
    > > part of a pen test.
    > >
    > > Currently, we offer the customer 4 - 8 hours of time to review
    > > findings and show them what we did to access their systems. But we
    > > do this after the pen test is complete.
    > >
    > > I was wondering how other companies deal with this issue?
    > >
    > > J
    >
    > --
    > James W. Meritt, CISSP, CISA
    > Booz, Allen & Hamilton
    > phone: (410) 684-6566
    



    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 12:39:14 PDT