nanog mailing list archives
Re: Penetration Test Assistance
From: Quinn Kuzmich <lostinmoscow () gmail com>
Date: Tue, 5 Jun 2012 10:34:59 -0600
It's not much of a penetration test, imho, if the "attackers" have detailed knowledge of your network and systems before the attack. You should determine what kind of a scenario you are trying to simulate, and how the results will be used to improve security.

Is this a "black box" situation, where you want to see what potential attackers can discover about your systems without insider information? Or will this be a step by step, examine each part of the system and then step back to see what's going on from a high level scenario?

If you're trying to both reduce vulnerabilities and your attack profile, I would go for the black box approach and see what your pentesters can come up with themselves. Man is a resourceful creature, and you never know what they could turn up.

Q

On Tue, Jun 5, 2012 at 8:52 AM, Green, Timothy <Timothy.Green () mantech com> wrote:
Howdy all,

I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.

I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?

What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both?

Any pentest horror stories?

Thanks,
Tim