RE: What is your policy on customers participating in a pen test?

From: Steve Hutchins (Steve.Hutchinsat_private)
Date: Sun Jun 24 2001 - 16:50:45 PDT


    >> If the customer watches you get onto a box, what's the
    >> betting that they will stay all night patching all the
    >> other similar boxes so you can't exploit them.
    
    >Uhhh... So? This is not a competition. The idea is for the entity
    >being attacked to improve their security. And the sooner they patch
    >the holes the better.
    
    If they do this during the test, it dilutes the impact of
    the test and can also block the finding of other holes they 
    might have. It also spoils the fun of the pen testers!
    
    An analogy: the IRS auditing your books while you correct
    the books at the same time (mind you, that would be neat)!
    
    
    -----Original Message-----
    From: Crist Clark [mailto:crist.clarkat_private]
    Sent: Saturday, 23 June 2001 10:05 a.m.
    To: Steve Hutchins
    Cc: pen-testat_private
    Subject: Re: What is your policy on customers participating in a pen
    test?
    
    
    Steve Hutchins wrote:
    
    [snip]
    
    > If the customer watches you get onto a box, what's the
    > betting that they will stay all night patching all the
    > other similar boxes so you can't exploit them.
    
    Uhhh... So? This is not a competition. The idea is for the entity
    being attacked to improve their security. And the sooner they patch
    the holes the better.
    -- 
    Crist J. Clark                                Network Security Engineer
    crist.clarkat_private                    Globalstar, L.P.
    (408) 933-4387                                FAX: (408) 933-4926
    
    


