On Tue, 10 Jun 2014, Edward Ned Harvey (lopser) wrote:
On Behalf Of Evan Pettrey
To me this seems like sitting to take a test and having a cheatsheet. The IPs
and DNS records should be easy enough to figure out on their own and the
network map I don't believe should be provided.
The argument, "the pentester should have to work for this information," just
means "I want to pay the pentester for more hours, while they perform
exhaustive scans of everything," as long as they're discovering publicly
discoverable information.
I say, it's fine. Yes you should consider DNS, IP addresses, and even your
internal network map to all be public information. Anything which does not
require authorization in order to discover. Do not rely on obscurity even a
little bit. Anything that could be discovered by an unauthorized person with
time to spend searching, simply consider it exposed right from the start.
In an ideal situation, the bad guys could have all this information, and all
your passwords (but not strong authentication secrets, SSL certs) and they would
still not be able to get into your system.
Crystal Box Security is the term that used to be used for this. Nobody is going
to be perfect, but if you strive for this, you don't need to worry about
disgruntled former employees passing on what they know.
David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/