On 6/9/2014 3:50 PM, Evan Pettrey wrote:
Greetings folks,

My company is currently in the process of obtaining a pentester to test
security on our systems and one that a colleague of mine has recommended
has asked us for the below information:

    - Public IPs
    - Public DNS records

I see no reason not to provide those. It saves the testing team a few
minutes, and (unless you're VERY unusual) it's fairly easy to find out.

    - Network map of full infrastructure

This one is different. Unless you're doing a two-pass assessment (and
you aren't, or you'd have said so), they should be able to gain this
information. The ONLY thing I'd do is to point out fragile machines
that shouldn't be hammered with NMAP and the like (certain expensive
printers might fall in this bucket).

To me this seems like sitting to take a test and having a cheatsheet. The
IPs and DNS records should be easy enough to figure out on their own and
the network map I don't believe should be provided.

Am I just being too skeptical here, or do these seem like inappropriate
questions for a security auditor to ask?

It depends. I'd want to know things like:

How long it's expected to last?
How many people are on the team (if the answer is one, that's bad)?
How many years' experience does the team have?
Is this a two pass (or more) assessment? [1]
Does it include social engineering?
Is there a formal presentation with results after it's over?

You also don't say what *type* of data you're protecting. If it's
financial or medical there are extra rules (I suspect that it's not,
though). I've read the other (four, so far) answers, BTW, and think
they're also making useful points.

No network map, in my opinion. If it were me, I'd just give them a
special look that said they'd made an error in judgment, and move
on.

[1] Often a repeat assessment is done after security items are taken
care of, to make sure that they *are* and to make sure that there
aren't new ones. Also, sometimes a first pass is done, blind, and then a
second one is done with basic information.

--
Neca eos omnes.  Deus suos agnoscet.
_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/