On Tue, Jun 10, 2014 at 7:37 AM, Edward Ned Harvey (lopser) <[email protected]> wrote:
>> From: [email protected] [mailto:discuss-
>> [email protected]] On Behalf Of Evan Pettrey
>>
>> To me this seems like sitting to take a test and having a cheatsheet. The IPs
>> and DNS records should be easy enough to figure out on their own and the
>> network map I don't believe should be provided.
>
> The argument, "the pentester should have to work for this information," just
> means "I want to pay the pentester for more hours, while they perform
> exhaustive scans of everything," as long as they're discovering publicly
> discoverable information.
>
> I say, it's fine. Yes you should consider DNS, IP addresses, and even your
> internal network map to all be public information. Anything which does not
> require authorization in order to discover. Do not rely on obscurity even a
> little bit. Anything that could be discovered by an unauthorized person with
> time to spend searching, simply consider it exposed right from the start.

I would say it should also depend on your threat model. If you truly only care about total outsiders then providing external DNS and IPs is simply a matter of making your security consultant more efficient. To the extent that you care about the possibility of disgruntled ex-employees, you should consider providing more information. Perhaps even going beyond network maps to include OS versions, real names & login names of system administrators, employee directories, etc.

I would argue that since you probably have internal controls on employee access in place, you don't completely trust employees even while they are working for you. Do you trust them more when they are let go?

Bill Bogstad
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
