Penetration Testing mailing list archives
RE: PT Report delivery (caveats)
From: "Anders Thulin" <Anders.Thulin () tietoenator com>
Date: Fri, 3 Mar 2006 08:43:54 +0100
From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com]
> I'm interested in the group's feedback on the most accepted way to deliver a final PT report to a client.
'Most accepted' ... why should that be important? You ask your client about method of delivery ... and you comply. You may feel compelled to warn about problems, but you don't make the decision. (Unless you really do, of course.)
> Best practices indicate that reports are only sent to a select group of people in each of the Red/White/Blue teams, and docs are sent via encrypted email and/or the document itself encrypted with public/private keys exchanged at the start of the engagement.
Provided, of course, that there already is sufficient knowledge about handling encrypted materials and protecting keys among the recipients, and e-mail is considered a safe and reliable means of delivery. E-mail is tricky ... you never know if the recipient has set up some kind of automatic forwarding somewhere. You don't want to discover that someone has ... and also happened to miswrite the address so that the material is delivered to someone who should not know. (There was a recent article in eWeek.com -- 'Who's reading your text messages' -- about SMS messages in certain cases being delivered to an internal testing account 'null' ... which was then given to an ordinary subscriber who received all kinds of 'dead text messages'. You don't want any kind of delivery problem.) If the recipient is not already familiar with security practices, using encryption or any other method that requires a certain amount of training and experience to maintain is not a good idea. Hard-copy is more intuitive that way ... no worry if someone may get a hard-copy off some back-up tape three months later.
> I've even heard that sending electronic copies of the report is a no-no and only a hardcopy should be couriered. Could someone weigh in on caveats and/or industry standards for report delivery?
The owner of the information decides. Always. That is typically the client, but it could be someone else in the same organization. It's usually decided on when the project begins, and stated in the project definition. If nothing else, company policy decides. If there is no policy, agree on how you will deliver the report, confirm it in writing, and let the client/the owner do the dissemination.
> Also, how would report delivery best practices from an internal pentesting team differ (if at all) from that of a third-party consulting outfit?
If they do comparable work, that is, the reports are classified the same, handling should be the same. If the material is reasonably highly classified, the information owner will be the only one who decides on who needs to know.

Anders Thulin
anders.thulin () tietoenator com
040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
Current thread:
- PT Report delivery (caveats) johnny Mnemonic (Mar 02)
- RE: [lists] PT Report delivery (caveats) Curt Purdy (Mar 03)
- Re: PT Report delivery (caveats) Gareth Davies (Mar 03)
- Re: PT Report delivery (caveats) Tim (Mar 04)
- Re: PT Report delivery (caveats) intel96 (Mar 06)
- Re: PT Report delivery (caveats) Stefano Zanero (Mar 09)
- <Possible follow-ups>
- RE: PT Report delivery (caveats) Anders Thulin (Mar 03)