RE: [lists] PT Report delivery (caveats)

["Curt Purdy" <purdy () tecman com>]

Hey Johny,

In my past life as an infosec consultant, I always delivered several
hardcopies on the closeout meeting along with a cd of electronic version.
The hardcopies were given to IT director/CIO for appropriate distribution to
closeout meeting members.

Occasionally there was a "For Your Eyes Only" cd, i.e. when I found
Lophtcrack on the CIOs PC placed there by the sysadmin using the company's
DS3 to crack Internet boxes.

Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA 
Information Security Officer 
If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
-- former White House cybersecurity czar Richard Clarke 

 

> -----Original Message-----
> From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com] 
> Sent: Thursday, March 02, 2006 7:06 AM
> To: pen-test () securityfocus com
> Subject: [lists] PT Report delivery (caveats)
>
> Hi
>
> I'm interested in the group's feedback on the most accepted 
> way to deliver a final PT report to a client. Best practices 
> indicate that reports are only sent to a select group of 
> people in each of the Red/White/blue teams, and docs are sent 
> via encrypted email and/or the document itself encrypted with 
> public/private keys exchanged at the start of the engagement. 
> I've even heard that sending electronic copies of the report 
> is a no-no and only a hardcopy should be couried. Could 
> someone weight in on caveats and/or industry standards for 
> report delivery?
>
> Also how would report delivery best practices from an 
> internal pesting team differ (if at all) from that of a third 
> party consulting outfit.
>
> Many thanks.
>
> _________________________________________________________________
> Find just what you are after with the more precise, more 
> powerful new MSN Search. http://search.msn.com.sg/ Try it now.
>
>
> --------------------------------------------------------------
> ----------------
> This List Sponsored by: Lancope
>
> "Discover the Security Benefits of Cisco NetFlow"
> Learn how Cisco NetFlow enables cost-effective security 
> across distributed 
> enterprise networks. StealthWatch, the veteran Network 
> Behavior Analysis (NBA) 
> and Response solution, leverages Cisco NetFlow to provide scalable, 
> internal network security. 
> Download FREE Whitepaper "Role of Network Behavior Analysis 
> (NBA) and Response 
> Systems in the Enterprise."
>
> http://www.lancope.com/resource/
> --------------------------------------------------------------
> ----------------


------------------------------------------------------------------------------
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed 
enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA) 
and Response solution, leverages Cisco NetFlow to provide scalable, 
internal network security. 
Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response 
Systems in the Enterprise."

http://www.lancope.com/resource/
------------------------------------------------------------------------------