It also helps them to be sure they're only scanning your network and not accidentally some other.
> On Jun 9, 2014, at 6:41 PM, Evan Pettrey <[email protected]> wrote:
>
> Thank you folks, this is very helpful information that will enable me to
> proceed in a more educated fashion.
>
> I appreciate everybody's help.
>
>
>> On Mon, Jun 9, 2014 at 7:27 PM, Shrdlu <[email protected]> wrote:
>>> On 6/9/2014 3:50 PM, Evan Pettrey wrote:
>>> Greetings folks,
>>>
>>> My company is currently in the process of obtaining a pentester to test
>>> security on our systems and one that a colleague of mine has recommended
>>> has asked us for the below information:
>>
>>> - Public IPs
>>> - Public DNS records
>>
>> I see no reason not to provide those. It saves the testing team a few
>> minutes, and (unless you're VERY unusual) it's fairly easy to find out.
>>
>>> - Network map of full infrastructure
>>
>> This one is different. Unless you're doing a two-pass assessment (and
>> you aren't, or you'd have said so), they should be able to gain this
>> information. The ONLY thing I'd do is to point out fragile machines
>> that shouldn't be hammered with NMAP and the like (certain expensive
>> printers might fall in this bucket).
>>
>>
>>> To me this seems like sitting to take a test and having a cheatsheet. The
>>> IPs and DNS records should be easy enough to figure out on their own and
>>> the network map I don't believe should be provided.
>>
>>> Am I just being too skeptical here or does this seem like inappropriate
>>> questions to ask as a security auditor?
>>
>> It depends. I'd want to know things like:
>>
>> How long it's expected to last?
>> How many people are on the team (if the answer is one, that's bad)?
>> How many years' experience does the team have?
>> Is this a two pass (or more) assessment? [1]
>> Does it include social engineering?
>> Is there a formal presentation with results after it's over?
>>
>> You also don't say what *type* of data you're protecting. If it's
>> financial or medical there are extra rules (I suspect that it's not,
>> though). I've read the other (four, so far) answers, BTW, and think
>> they're also making useful points.
>>
>> No network map, in my opinion. If it were me, I'd just give them a
>> special look that said they'd made an error in judgment, and move
>> on.
>>
>> [1] Often a repeat assessment is done after security items are taken
>> care of, to make sure that they *are* and to make sure that there
>> aren't new ones. Also, sometimes a first pass is done, blind, and then a
>> second one is done with basic information.
>>
>> --
>> Neca eos omnes. Deus suos agnoscet.
>>
>> _______________________________________________
>> Discuss mailing list
>> [email protected]
>> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>> This list provided by the League of Professional System Administrators
>> http://lopsa.org/
