Thank you folks, this is very helpful information that will enable me to proceed in a more educated fashion.
I appreciate everybody's help.

On Mon, Jun 9, 2014 at 7:27 PM, Shrdlu <[email protected]> wrote:
> On 6/9/2014 3:50 PM, Evan Pettrey wrote:
>
>> Greetings folks,
>>
>> My company is currently in the process of obtaining a pentester to test
>> security on our systems and one that a colleague of mine has recommended
>> has asked us for the below information:
>>
>> - Public IPs
>> - Public DNS records
>
> I see no reason not to provide those. It saves the testing team a few
> minutes, and (unless you're VERY unusual) it's fairly easy to find out.
>
>> - Network map of full infrastructure
>
> This one is different. Unless you're doing a two-pass assessment (and
> you aren't, or you'd have said so), they should be able to gain this
> information. The ONLY thing I'd do is to point out fragile machines
> that shouldn't be hammered with NMAP and the like (certain expensive
> printers might fall in this bucket).
>
>> To me this seems like sitting to take a test and having a cheatsheet. The
>> IPs and DNS records should be easy enough to figure out on their own and
>> the network map I don't believe should be provided.
>>
>> Am I just being too skeptical here or does this seem like inappropriate
>> questions to ask as a security auditor?
>
> It depends. I'd want to know things like:
>
> How long it's expected to last?
> How many people are on the team (if the answer is one, that's bad)?
> How many years experience does the team have?
> Is this a two pass (or more) assessment? [1]
> Does it include social engineering?
> Is there a formal presentation with results after it's over?
>
> You also don't say what *type* of data you're protecting. If it's
> financial or medical there are extra rules (I suspect that it's not,
> though). I've read the other (four, so far) answers, BTW, and think
> they're also making useful points.
>
> No network map, in my opinion. If it were me, I'd just give them a
> special look that said they'd made an error in judgment, and move
> on.
>
> [1] Often a repeat assessment is done after security items are taken
> care of, to make sure that they *are* and to make sure that there
> aren't new ones. Also, sometimes a first pass is done, blind, and then a
> second one is done with basic information.
>
> --
> Neca eos omnes. Deus suos agnoscet.
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
