RE: What is your policy on customers participating in a pen test?

From: George Milliken (gmillikenat_private)
Date: Wed Jun 20 2001 - 14:57:42 PDT


    We at farm9 have no problem with customers watching and/or performing pen
    tests at their site.  We also make available tcpdumps of the entire auditing
    session.  This is useful for later work, such as verifying that the IDS(s)
    saw the attacks, finding out what was missed by the IDS, etc.  Also, it
    provides a nice audit trail in the event that someone asks "what *else* were
    these guys doing while they were in our servers?".
    
    We do not generally let customers "help" because it slows us down.  Instead
    we offer a hacking class for sys admins.
    
    To tell you the truth, most customers (many of ours are US banks) don't ask
    to participate and don't ask for an audit trail.  It just hasn't come up...
    
    
    
    Regards,
    
    George Milliken, CEO
    farm9.com, Inc.
    --
    gmillikenat_private      24x7 Intrusion Prevention & Incident Response
    http://www.farm9.com     24x7 Log Consolidation & Managed IDS
    SOC : 510-835-3276 x253  cell: 510-913-8850     fax:  925-376-5907
        ==================================================
        SANS Network Security 2001 San Diego, CA  Oct 15-22
        ==================================================
    
    
    
    
    
    
    
    -----Original Message-----
    From: Spencer, Ed M. -ND [mailto:Ed.M.Spencer.-NDat_private]
    Sent: Tuesday, June 19, 2001 4:49 PM
    To: 'Joe Klein'; pen-testat_private
    Subject: RE: What is your policy on customers participating in a pen
    test?
    
    
    This is often the case when the customer has data that is highly
    confidential, much to lose through damage to reputation, concerns about how
    the data is collected, and maybe even issues regarding the ethics of the
    company/people doing the job.  Either that or they want to watch you do it
    so they can collect information so they can do it themselves next time, want
    to make sure your company does it (not subbed out) and they want to make
    sure it's more than just a couple products you picked up off the shelf and
    ran against them. (or maybe they're just paranoid, like me)
    
    One thing I've seen done is when pen testing is being done actively (someone
    is actively breaking the security - not a script/canned product) the
    customer watches over a remote control product (like VNC).  This allows them
    to view what's going on, ensure accurate results, and gives them peace of
    mind for their network.  You can easily set up VNC to only allow them to
    watch (no keyboard/mouse to them) and it's not platform specific.
    
    Other things are to watch the wording in the contract and the intent.  Are
    you providing ongoing pen testing/review (like the TruSecure process -
    http://www.trusecure.com) or are you doing a one time audit/review (think
    ISACA - http://www.isaca.org).  Is educating the customer part of the
    contract requirements? (some education is usually expected.)  Do they want
    this done again?  Will they try to do it themselves next time?
    
    In the end I just recommend being cautious, discussing the requirements and
    expectations up front.  </sarcasm-on>I don't recommend turning over your
    tools to them, showing them step by step how to use them, and letting them
    ghost your laptop. (We are in business to make money).</sarcasm-off>
    
    I guess it's just a case of the customers wanting from us what we've
    requested from software companies all along - full disclosure.
    
    Ed Spencer
    MCSE/MCT/CNA/A+/Network+
    Security Analyst - IS Security
    Renaissance Worldwide, Inc. - Walt Disney World
    
    This communication is confidential, intended only for the named recipient(s)
    above and may contain trade secrets or other information that is exempt from
    disclosure under applicable law.  Any use, dissemination, distribution or
    copying of this communication by anyone other than the named recipient(s) is
    strictly prohibited.  If you have received this communication in error,
    please immediately notify us by calling (407) 566-5195.  The ideas,
    opinions, and information expressed within the above email are the express
    sole opinion of the author and are not the opinion of the Walt Disney World
    Corporation.  Thank you.
    
    
    
    -----Original Message-----
    From: Joe Klein [mailto:jskleinat_private]
    Sent: Tuesday, June 19, 2001 2:00 AM
    To: pen-testat_private
    Subject: What is your policy on customers participating in a pen test?
    
    
    All:
    
    I am hearing customers request (and sometimes demand) that they be part of a
    pen test.
    
    Currently, we offer the customer 4 - 8 hours of time to review findings and
    show them what we did to access their systems. But we do this after the pen
    test is complete.
    
    I was wondering how other companies deal with this issue?
    
    J
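The full-session tcpdump that George describes above is only an audit trail if someone reconciles it against what the IDS reported. The following is an added example, not tooling from farm9 or from anyone on this thread: it builds a small pcap in memory (constructed sample traffic, hypothetical addresses 10.0.0.5 for the tester and 192.0.2.10 for the target), extracts the tester's TCP flows, and lists those for which the IDS produced no alert within a time window. The IDS alert list is likewise constructed; a real run would read the tester's pcap and an export of the IDS log.

```python
"""Reconcile a pen-test capture against IDS alerts: list tester flows the IDS never saw.
Added example; the pcap and alert data below are constructed, not real captures."""
import struct
from collections import OrderedDict


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _tcp_packet(src, dst, sport, dport, flags=0x02):
    """Minimal Ethernet/IPv4/TCP frame (SYN by default); checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(packets):
    """packets: list of (seconds, frame). Returns libpcap 2.4 bytes, LINKTYPE_ETHERNET."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def tcp_flows(pcap):
    """Walk pcap records; return {(src, dst, dport): first_seen_seconds} for IPv4/TCP."""
    magic, = struct.unpack_from("<I", pcap, 0)
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap handled here"
    flows = OrderedDict()
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl]
        off += incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                    # not TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = 14 + ihl
        if len(frame) < l4 + 4:
            continue
        _sport, dport = struct.unpack_from("!HH", frame, l4)
        flows.setdefault((src, dst, dport), ts_sec)
    return flows


def flows_missed_by_ids(pcap, alerts, tester_ip, window=60):
    """Flows from tester_ip with no alert on the same dst:dport within `window` seconds.
    alerts: iterable of (seconds, dst_ip, dst_port) taken from the IDS log."""
    missed = []
    for (src, dst, dport), ts in tcp_flows(pcap).items():
        if src != tester_ip:
            continue
        if not any(a_dst == dst and a_port == dport and abs(a_ts - ts) <= window
                   for a_ts, a_dst, a_port in alerts):
            missed.append((ts, dst, dport))
    return missed


# Constructed sample: three probes from the tester, one SYN/ACK back from the target.
TESTER, TARGET = "10.0.0.5", "192.0.2.10"        # hypothetical addresses
SAMPLE_PCAP = build_pcap([
    (1000, _tcp_packet(TESTER, TARGET, 40001, 22)),
    (1000, _tcp_packet(TARGET, TESTER, 22, 40001, 0x12)),
    (1030, _tcp_packet(TESTER, TARGET, 40002, 80)),
    (1100, _tcp_packet(TESTER, TARGET, 40003, 1433)),
])
# Constructed IDS alerts: the sensor fired on 80 and 1433 but not on the port-22 probe.
SAMPLE_ALERTS = [(1031, TARGET, 80), (1102, TARGET, 1433)]

if __name__ == "__main__":
    for ts, dst, port in flows_missed_by_ids(SAMPLE_PCAP, SAMPLE_ALERTS, TESTER):
        print(f"t={ts} {dst}:{port} has no IDS alert")
```

The window is deliberately generous; a sensor that logs with a clock a few seconds off should not show up as a miss. What survives the filter is the list worth taking back to the customer: traffic the tester demonstrably sent, with no corresponding IDS event.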
    



    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 12:49:15 PDT