Re: Penetration Test Assistance

["dennis" <dennis () justipit com>]

Tim,

In the past I've used high level diagrams to illustrate the overall network 
topology with individual tabs (drill down) per data center or POP.
The first step to assessing risk is to identify your assets.  I'd suggest 
performing a discovery of your network.  Keep in mind Pen tests are 
typically inconclusive of availability based threats DOS/DDOS (a very high 
risk today) and in fact specifically avoid tests which might cause 
degradation of service.   I'd suggest including volumetric network (tcp, 
udp), application floods (http get, post, etc. /dns query floods, etc.) and 
slow and low attacks.

Best of Luck,

Dennis

--------------------------------------------------
From: "Baklarz, Ron" <BaklarR () amtrak com>
Sent: Tuesday, June 05, 2012 12:41 PM
To: "Green, Timothy" <Timothy.Green () ManTech com>
Cc: <nanog () nanog org>
Subject: RE: Penetration Test Assistance

> Not discounting the need for network diagrams, there are also differing 
> approaches to pen testing.  One alternative is a sort of black-box 
> approach where the pen testers are given little or no advanced knowledge 
> of the network. It is up to them to 'discover' what they can through open 
> source means and commence their attacks from what they glean from their 
> intelligence gathering.  This way they are realistically mimicking the 
> hacker methodology.
>
> Ron Baklarz C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM
> Chief Information Security Officer
> Export Control Compliance Officer
> National Passenger Railroad Corporation (AMTRAK)
> 10 G Street, NE  Office 6E606
> Washington, DC 20002
> BaklarR () Amtrak com
>
> -----Original Message-----
> From: Green, Timothy [mailto:Timothy.Green () ManTech com]
> Sent: Tuesday, June 05, 2012 10:53 AM
> To: nanog () nanog org
> Subject: Penetration Test Assistance
>
> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest 
> next month and the testers are demanding a complete network diagram of the 
> entire network.  We don't have a "complete" network diagram that shows 
> everything and everywhere we are.  At most we have a bunch of network 
> diagrams that show what we have in various areas throughout the country. 
> I've been asking the network engineers for over a month and they seem to 
> be too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before.  Should I be honest to the 
> testers and tell them here is what we have, we aren't sure if it's 
> accurate;  find everything else?  How would they access those areas that 
> we haven't identified?   How can I give them access to stuff that I didn't 
> know existed?
>
> What do you all do with your large networks?  One huge network diagram, a 
> bunch of network diagrams separated by region, or both?  Any pentest 
> horror stories?
>
> Thanks,
>
> Tim
>
> ________________________________
> This e-mail and any attachments are intended only for the use of the 
> addressee(s) named herein and may contain proprietary information. If you 
> are not the intended recipient of this e-mail or believe that you received 
> this email in error, please take immediate action to notify the sender of 
> the apparent error by reply e-mail; permanently delete the e-mail and any 
> attachments from your computer; and do not disseminate, distribute, use, 
> or copy this message and any attachments.