[153360] in North American Network Operators' Group
Re: Penetration Test Assistance
daemon@ATHENA.MIT.EDU (Quinn Kuzmich)
Tue Jun 5 13:24:23 2012
In-Reply-To: <DD17DCA4DBB14A44870126211203BE9D02657B61F7C5@CHNMICMBX02.ManTech.com>
Date: Tue, 5 Jun 2012 10:34:59 -0600
From: Quinn Kuzmich <lostinmoscow@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
It's not much of a penetration test, imho, if the "attackers" have detailed
knowledge of your network and systems before the attack. You should
determine what kind of a scenario you are trying to simulate, and how the
results will be used to improve security. Is this a "black box" situation,
where you want to see what potential attackers can discover about your
systems without insider information? Or will this be a step by step,
examine each part of the system and then step back to see what's going on
from a high level scenario?
If you're trying to both reduce vulnerabilities and your attack profile, I
would go for the black box approach and see what your pentesters can come
up with themselves. Man is a resourceful creature, and you never know what
they could turn up.
Q
On Tue, Jun 5, 2012 at 8:52 AM, Green, Timothy <Timothy.Green@mantech.com>wrote:
> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest
> next month and the testers are demanding a complete network diagram of the
> entire network. We don't have a "complete" network diagram that shows
> everything and everywhere we are. At most we have a bunch of network
> diagrams that show what we have in various areas throughout the country.
> I've been asking the network engineers for over a month and they seem to be
> too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before. Should I be honest to the
> testers and tell them here is what we have, we aren't sure if it's
> accurate; find everything else? How would they access those areas that we
> haven't identified? How can I give them access to stuff that I didn't
> know existed?
>
> What do you all do with your large networks? One huge network diagram, a
> bunch of network diagrams separated by region, or both? Any pentest horror
> stories?
>
> Thanks,
>
> Tim
>
> ________________________________
> This e-mail and any attachments are intended only for the use of the
> addressee(s) named herein and may contain proprietary information. If you
> are not the intended recipient of this e-mail or believe that you received
> this email in error, please take immediate action to notify the sender of
> the apparent error by reply e-mail; permanently delete the e-mail and any
> attachments from your computer; and do not disseminate, distribute, use, or
> copy this message and any attachments.
>
