As Matt says, there are two different types of tests.
If you just want to find out if they can find _A_ way into your system, give
them no information (far too many will stop after they find the first way in
anyway).
If you want to have them find _ALL_ the ways into your system, give them as much
information as you possibly can; it avoids having you pay them to discover that
information, and instead the time that you are paying for should be spent
analysing all the ways to exploit your system.
That information is also far easier to find than you would think. Even stuff
like what versions of software you are running can be found based on what
questions your staff ask on support mailing lists.
If you get a company who just uses the information to find a single way in and
then argues that "it only takes one", you wasted your money and really need
another company to do the job.
David Lang
On Mon, 9 Jun 2014, Matt Disney wrote:
I've had different experiences than Yves. I've never had that info used against
me in that way exactly (but more on this below). Here's my two cents.
It isn't uncommon for pen testers to ask for this info. If you really want to
maximize the experience of having someone tell you what your weaknesses are,
there's no good reason not to give them this.
However, pen testers can do a blind test, where you don't give them any info.
This is also testing you but is more of an evaluation of the tester as well.
That evaluation can indeed be valuable in interpreting the results, but not
necessarily.
Yves' point about having info used against you is valid, though. If this is
something you are commissioning to help you be better, I recommend sharing the
info. However, if this is commissioned by someone else and will be an
error-prone and misconstrued assessment/audit used as a hammer, consider asking
for a blind test to level the playing field.
Matt
On Jun 9, 2014, at 18:58, Yves Dorfsman <[email protected]> wrote:
On 2014-06-09 16:50, Evan Pettrey wrote:
My company is currently in the process of obtaining a pentester to test
security on our systems and one that a colleague of mine has recommended has
asked us for the below information:
* Public IPs
* Public DNS records
* Network map of full infrastructure
To me this seems like sitting to take a test and having a cheatsheet. The IPs
and DNS records should be easy enough to figure out on their own, and the
network map I don't believe should be provided.
Am I just being too skeptical here, or do these seem like inappropriate
questions for a security auditor to ask?
No, you're not. This is a classic: they ask you for as many details as possible
that might not look too suspicious, then highlight the fact you gave so many
details to a stranger as a security issue (which it would be).
--
Yves.
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/