[153399] in North American Network Operators' Group
Re: Penetration Test Assistance
daemon@ATHENA.MIT.EDU (Brett Watson)
Tue Jun 5 16:31:48 2012
From: Brett Watson <brett@the-watsons.org>
In-Reply-To: <CBE22E5FF427B149A272DD1DDE107524070D5B01@EX2K3.armc.org>
Date: Tue, 5 Jun 2012 13:31:02 -0700
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 5, 2012, at 11:34 AM, Darden, Patrick S. wrote:
> I'm with Barry--a network diagram showing everything from the pov of
> the pen team should be part of the end report.
Maybe, maybe not. It all depends on the scope of the engagement. I've
had customers ask for very specific pen test of a group of servers, or
specific applications, wherein they provide all the topology, system,
and network info, and just want me to look at one specific area.
Then of course others want a "black box" assessment, wherein they don't
tell you anything, and expect you to discover whatever you can discover.
I'm personally very specific about scoping, and just give the customer
exactly what they want but you've got to "interview" each other to
figure all of that out. And totally agree with a previous poster, you
should always get a redacted or sample report to see what kind of
quality you can expect in the finished product.
-b