We at farm9 have no problem with customers watching and/or performing pen tests at their site. We also make available tcpdumps of the entire auditing session. This is useful for later work, such as verifying that the IDS(s) saw the attacks, finding out what was missed by the IDS, etc. Also, it provides a nice audit trail in the event that someone asks "what *else* were these guys doing while they were in our servers?". We do not generally let customers "help" because it slows us down. Instead we offer a hacking class for sys admins. To tell you the truth, most customers (many of ours are US banks) don't ask to participate and don't ask for an audit trail. It just hasn't come up... Regards, George Milliken, CEO farm9.com, Inc. -- gmillikenat_private 24x7 Intrusion Prevention & Incident Response http://www.farm9.com 24x7 Log Consolidation & Managed IDS SOC : 510-835-3276 x253 cell: 510-913-8850 fax: 925-376-5907 ================================================== SANS Network Security 2001 San Diego, CA Oct 15-22 ================================================== -----Original Message----- From: Spencer, Ed M. -ND [mailto:Ed.M.Spencer.-NDat_private] Sent: Tuesday, June 19, 2001 4:49 PM To: 'Joe Klein'; pen-testat_private Subject: RE: What is your policy on customers participating in a pen test? This is often the case when the customer has data that is highly confidential, much to loose through damage to reputation, concerns about how the data is collected, and maybe even issues regarding the ethics of the company/people doing the job. Either that or they want to watch you do it so they can collect information so they can do it themselves next time, want to make sure your company does it (not subbed out) and they want to make sure it's more than just a couple products you picked up off the shelf and ran against them. (or maybe they're just paranoid, like me) One thing I've seen done is when pen testing is being done actively (someone is actively breaking the security - not a script/canned product) the customer watches over a remote control product (like VNC). This allows them to view what's going on, insure accurate results, and gives them piece of mind for their network. You can easily set up VNC to only allow them to watch (no keyboard/mouse to them) and it's not platform specific. Other things are to watch the wording in the contract and the intent. Are you providing ongoing pen testing/review (like the TruSecure process - http://www.trusecure.com) or are you doing a one time audit/review (think ISACA - http://www.isaca.org). Is educating the customer part of the contract requirements? (some education is usually expected.) Do they want this done again? Will they try to do it themselves next time? In the end I just recommend being cautious, discussing the requirements and expectations up front. </sarcasm-on>I don't recommend turning over your tools to them, showing them step by step how to use them, and letting them ghost your laptop. (We are in business to make money).</sarcasm-off> I guess it's just a case of the customers wanting from us what we've requested from software companies all along - full disclosure. Ed Spencer MCSE/MCT/CNA/A+/Network+ Security Analyst - IS Security Renaissance Worldwide, Inc. - Walt Disney World This communication is confidential, intended only for the named recipient(s) above and may contain trade secrets or other information that is exempt from disclosure under applicable law. Any use, dissemination, distribution or copying of this communication by anyone other than the named recipient(s) is strictly prohibited. If you have received this communication in error, please immediately notify us by calling (407) 566-5195. The ideas, opinions, and information expressed within the above email are the express sole opinion of the author and are not the opinion of the Walt Disney World Corporation. Thank you. -----Original Message----- From: Joe Klein [mailto:jskleinat_private] Sent: Tuesday, June 19, 2001 2:00 AM To: pen-testat_private Subject: What is your policy on customers particapating in a pen test? All: I am hearing customers request ( and some times demand ) that they be part of a pen test. Currently, we offer the customer 4 - 8 hours of time to review findings and show them what we did, to access there systems. But we do this after the pen test is complete. I was wondering how other companies deal with this issue? J
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 12:49:15 PDT