Penetration Testing mailing list archives

RE: PT Report delivery (caveats)


From: "Anders Thulin" <Anders.Thulin () tietoenator com>
Date: Fri, 3 Mar 2006 08:43:54 +0100

From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com] 

> I'm interested in the group's feedback on the most accepted
> way to deliver a final PT report to a client.

  'Most accepted' ... why should that be important?  You ask your
client about method of delivery ... and you comply.  You may feel
compelled to warn about problems, but you don't make the decision.
(Unless you really do, of course.) 

> Best practices indicate that reports are only sent to a select group
> of people in each of the Red/White/blue teams, and docs are sent
> via encrypted email and/or the document itself encrypted with
> public/private keys exchanged at the start of the engagement.

  Provided, of course, that there already is sufficient knowledge
about handling encrypted materials and protecting keys among
the recipients, and e-mail is considered a safe and reliable means
of delivery. 

  E-mail is tricky ... you never know if the recipient has set up
some kind of automatic forwarding somewhere. You don't want
to discover that someone has ... and also happened to miswrite
the address so that the material is delivered to someone who should
not know. (There was a recent article in eWeek.com --
'Who's reading your text messages' -- about SMS messages in certain
cases being delivered to an internal testing account 'null' ... which was
then given to an ordinary subscriber who received all kinds of
'dead text messages'. You don't want any kind of delivery problem.)

  If the recipient is not already familiar with security practices, using
encryption or any other method that requires a certain amount of
training and experience to maintain is not a good idea. Hard-copy
is more intuitive that way ... no worry if someone may get a hard-copy
off some back-up tape three months later.

> I've even heard that sending electronic copies of the report
> is a no-no and only a hardcopy should be couriered. Could
> someone weigh in on caveats and/or industry standards for
> report delivery?

  The owner of the information decides. Always.  That is typically
the client, but it could be someone else in the same organization.
It's usually decided on when the project begins, and stated in
the project definition. If nothing else, company policy decides.

  If there is no policy, agree on how you will deliver the report,
confirm it in writing, and let the client/the owner do the dissemination.

> Also, how would report delivery best practices from an
> internal pentesting team differ (if at all) from that of a third
> party consulting outfit?

  If they do comparable work, that is, the reports are classified the same,
handling should be the same. If the material is reasonably highly classified,
the information owner will be the only one who decides on who needs to know.

Anders Thulin   anders.thulin () tietoenator com   040-661 50 63          
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
