Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: PT Report delivery (caveats)

From: Gareth Davies <gareth.davies () mynetsec com>
Date: Fri, 03 Mar 2006 19:17:12 +0800
johnny Mnemonic wrote:

Hi
I'm interested in the group's feedback on the most accepted way to deliver a final PT report to a client. Best practices indicate that reports are only sent to a select group of people in each of the Red/White/blue teams, and docs are sent via encrypted email and/or the document itself encrypted with public/private keys exchanged at the start of the engagement. I've even heard that sending electronic copies of the report is a no-no and only a hardcopy should be couried. Could someone weight in on caveats and/or industry standards for report delivery?
Also how would report delivery best practices from an internal pesting team differ (if at all) from that of a third party consulting outfit. 

Many thanks.
I send the full reports to only one person, whoever is the designated contact point for that project, it's their responsibility to distribute it within the company to whoever needs it.
Saying that I usually also send a ~3 page management summary type report to the people who engaged us for the project as a summary, but I do this in the same manner through the same contact, as those management are unlikely to have encryption/decryption capabilities. So that person will print it generally and pass it to the relevant people.
It's sent in soft-copy, PDF format, PGP encrypted with my private key, my public key is of course provided to them. 

Cheers

--
Gareth Davies - BS7799 LA, OPST

Manager - Security Practice

Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont’ Kiara, 50480
Kuala Lumpur, Malaysia Phone: +603-6203 5303 or +603-6203 5920 

www.mynetsec.com


------------------------------------------------------------------------------
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA) and Response solution, leverages Cisco NetFlow to provide scalable, internal network security. Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response Systems in the Enterprise." 

http://www.lancope.com/resource/
------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: