I've had different experiences than Yves. I've never had that info used against 
me in that way exactly (but more on this below). Here's my two cents. 

It isn't uncommon for pen testers to ask for this info. If you really want to 
maximize the experience of having someone tell you what your weaknesses are, 
there's no good reason not to give them this. 

However, pen testers can do a blind test, where you don't give them any info. 
This is also testing you but is more of an evaluation of the tester as well. 
That evaluation can indeed be valuable in interpreting the results, but not 
necessarily. 

Yves' point about having info used against you is valid, though. If this is 
something you are commissioning to help you be better, I recommend sharing the 
info. However, if this is commissioned by someone else and will be an 
error-prone and misconstrued assessment/audit used as a hammer, consider asking 
for a blind test to level the playing field. 

Matt

> On Jun 9, 2014, at 18:58, Yves Dorfsman <[email protected]> wrote:
> 
> On 2014-06-09 16:50, Evan Pettrey wrote:
>> My company is currently in the process of obtaining a pentester to test
>> security on our systems and one that a colleague of mine has recommended has
>> asked us for the below information:
>> 
>>  * Public IPs
>>  * Public DNS records
>>  * Network map of full infrastructure
>> 
>> 
>> To me this seems like sitting to take a test and having a cheatsheet. The IPs
>> and DNS records should be easy enough to figure out on their own and the
>> network map I don't believe should be provided.
>> 
>> 
>> Am I just being too skeptical here, or do these seem like inappropriate
>> questions for a security auditor to ask?
> 
> 
> No, you're not. This is a classic: they ask you for as many details as 
> possible that might not look too suspicious, then highlight the fact that you gave 
> so many details to a stranger as a security issue (which it would be).
> 
> 
> -- 
> Yves.
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/