[153358] in North American Network Operators' Group


RE: Penetration Test Assistance

daemon@ATHENA.MIT.EDU (Baklarz, Ron)
Tue Jun 5 13:22:38 2012

From: "Baklarz, Ron" <BaklarR@amtrak.com>
To: "Green, Timothy" <Timothy.Green@ManTech.com>
Date: Tue, 5 Jun 2012 12:41:38 -0400
In-Reply-To: <DD17DCA4DBB14A44870126211203BE9D02657B61F7C5@CHNMICMBX02.ManTech.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Not discounting the need for network diagrams, there are also differing approaches to pen testing.  One alternative is a sort of black-box approach where the pen testers are given little or no advanced knowledge of the network. It is up to them to 'discover' what they can through open source means and commence their attacks from what they glean from their intelligence gathering.  This way they are realistically mimicking the hacker methodology.

Ron Baklarz C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM
Chief Information Security Officer
Export Control Compliance Officer
National Passenger Railroad Corporation (AMTRAK)
10 G Street, NE  Office 6E606
Washington, DC 20002
BaklarR@Amtrak.com

-----Original Message-----
From: Green, Timothy [mailto:Timothy.Green@ManTech.com]
Sent: Tuesday, June 05, 2012 10:53 AM
To: nanog@nanog.org
Subject: Penetration Test Assistance

Howdy all,

I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network.  We don't have a "complete" network diagram that shows everything and everywhere we are.  At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.

I've never been in this situation before.  Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate;  find everything else?  How would they access those areas that we haven't identified?   How can I give them access to stuff that I didn't know existed?

What do you all do with your large networks?  One huge network diagram, a bunch of network diagrams separated by region, or both?  Any pentest horror stories?

Thanks,

Tim


