[153376] in North American Network Operators' Group


Re: Penetration Test Assistance

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Tue Jun 5 14:40:09 2012

Date: Tue, 5 Jun 2012 11:39:22 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: "nanog@nanog.org" <nanog@nanog.org>
Mail-Followup-To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <DD17DCA4DBB14A44870126211203BE9D02657B61F7C5@CHNMICMBX02.ManTech.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

The bit of information that's missing here is what you are trying
to pentest, and by extension how much you want to pay your pentest
firm.

For some folks a pentest means starting with zero information and
trying to get IP packets past a firewall or IDSs undetected.
Basically pentesting layer 3 infrastructure.

For other folks a pentest is purely an application level exercise:
you give the pentester an account on your customer portal, for
instance, and a full network diagram, and let them try things like SQL
injection or cross site scripting at the application layer.

Your pentest firm can start with zero information and work all the
way up to an application level attack, but that's costly and time
consuming.  Providing them some information is a way to short-circuit
the process.

If you (or an appropriate company representative) haven't already
discussed the pros and cons with your pentest firm, you're off on the
wrong foot.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
