nanog mailing list archives
RE: Penetration Test Assistance
From: "Baklarz, Ron" <BaklarR () amtrak com>
Date: Tue, 5 Jun 2012 12:41:38 -0400
Not discounting the need for network diagrams, there are also differing approaches to pen testing. One alternative is a sort of black-box approach where the pen testers are given little or no advanced knowledge of the network. It is up to them to 'discover' what they can through open source means and commence their attacks from what they glean from their intelligence gathering. This way they are realistically mimicking the hacker methodology.

Ron Baklarz C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM
Chief Information Security Officer
Export Control Compliance Officer
National Passenger Railroad Corporation (AMTRAK)
10 G Street, NE Office 6E606
Washington, DC 20002
BaklarR () Amtrak com

-----Original Message-----
From: Green, Timothy [mailto:Timothy.Green () ManTech com]
Sent: Tuesday, June 05, 2012 10:53 AM
To: nanog () nanog org
Subject: Penetration Test Assistance

Howdy all,

I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.

I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?

What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both?

Any pentest horror stories?
Thanks,
Tim