nanog mailing list archives

Re: Penetration Test Assistance


From: William Herrin <bill () herrin us>
Date: Tue, 5 Jun 2012 13:23:32 -0400

On 6/5/12, Green, Timothy <Timothy.Green () mantech com> wrote:
> I'm a Security Manager of a large network, we are conducting a Pentest next
> month and the testers are demanding a complete network diagram of the entire
> network.  We don't have a "complete" network diagram that shows everything
> and everywhere we are.  At most we have a bunch of network diagrams that
> show what we have in various areas throughout the country. I've been asking
> the network engineers for over a month and they seem to be too lazy to put
> it together or they have no idea where everything is.
>
> I've never been in this situation before.  Should I be honest to the testers
> and tell them here is what we have, we aren't sure if it's accurate;  find
> everything else?

Tim,

Your system is what it is, including any defects in configuration
management. Provide the testers with what you have, give them contact
info for the engineers so they can ask questions and specify that you
expect strengths and weaknesses in configuration management which
impact system security to be reflected in their report.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

