RE: PT Report delivery (caveats)

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Fri Mar 03 2006 - 02:43:54 EST


From: johnny Mnemonic [mailto:security4thefainthearted@hotmail.com]

> I'm interested in the group's feedback on the most accepted
> way to deliver a final PT report to a client.

  'Most accepted' ... why should that be important? You ask your
client about method of delivery ... and you comply. You may feel
compelled to warn about problems, but you don't make the decision.
(Unless you really do, of course.)

> Best practices indicate that reports are only sent to a select group
> of people in each of the Red/White/Blue teams, and docs are sent
> via encrypted email and/or the document itself encrypted with
> public/private keys exchanged at the start of the engagement.

  Provided, of course, that there already is sufficient knowledge
about handling encrypted materials and protecting keys among
the recipients, and e-mail is considered a safe and reliable means
of delivery.

  E-mail is tricky ... you never know if the recipient has set up
some kind of automatic forwarding somewhere. You don't want
to discover that someone has ... and also happened to miswrite
the address so that the material is delivered to someone who should
not know. (There was a recent article in eWeek.com --
'Who's reading your text messages' -- about SMS messages in certain
cases being delivered to an internal testing account 'null' ... which was
then given to an ordinary subscriber who received all kinds of
'dead text messages'. You don't want any kind of delivery problem.)

  If the recipient is not already familiar with security practices, using
encryption or any other method that requires a certain amount of
training and experience to maintain is not a good idea. Hard-copy
is more intuitive that way ... no worry if someone may get a hard-copy
off some back-up tape three months later.

> I've even heard that sending electronic copies of the report
> is a no-no and only a hardcopy should be couriered. Could
> someone weigh in on caveats and/or industry standards for
> report delivery?

  The owner of the information decides. Always. That is typically
the client, but it could be someone else in the same organization.
It's usually decided on when the project begins, and stated in
the project definition. If nothing else, company policy decides.

  If there is no policy, agree on how you will deliver the report,
confirm it in writing, and let the client/the owner do the dissemination.

> Also, how would report delivery best practices from an
> internal pentesting team differ (if at all) from that of a third
> party consulting outfit?

  If they do comparable work, that is, the reports are classified the same,
handling should be the same. If the material is reasonably highly classified,
the information owner will be the only one who decides on who needs to know.

Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
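The question quotes the practice of encrypting the report itself to keys exchanged at the start of the engagement, and the reply worries about mail being forwarded or misaddressed. The example below, added here and not code from either poster, shows why those two points fit together: a report sealed to the client's public key is unreadable to anyone whose mailbox it wanders into, because only the matching private key opens it. It assumes an X25519 key agreement with an ephemeral sender key and AES-GCM for the body (a constructed stand-in for whatever PGP/S/MIME setup an engagement actually agrees on), and a simplified SHA-256 key derivation labelled as such in the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SealedReport is the envelope that actually travels by e-mail or on media:
// the sender's one-time public key, the AES-GCM nonce and the ciphertext.
type SealedReport struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// deriveKey turns the X25519 shared secret into a 32-byte AES key.
// Assumption: a plain SHA-256 over a context label and the secret stands in
// for the KDF a real scheme would use.
func deriveKey(shared []byte) []byte {
	h := sha256.New()
	h.Write([]byte("pt-report-v1"))
	h.Write(shared)
	return h.Sum(nil)
}

// SealReport encrypts report so that only the holder of the private key
// matching recipientPub (the key exchanged when the project began) can read it.
func SealReport(recipientPub *ecdh.PublicKey, report []byte) (*SealedReport, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// The ephemeral public key is bound in as additional data, so swapping it
	// in transit breaks the authentication tag instead of silently rekeying.
	ct := gcm.Seal(nil, nonce, report, ephPub)
	return &SealedReport{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenReport decrypts with the intended recipient's private key. A forwarded
// or misdelivered copy opened with any other key derives a different shared
// secret, and the GCM tag check fails rather than yielding garbage.
func OpenReport(recipientPriv *ecdh.PrivateKey, s *SealedReport) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, s.EphemeralPub)
	if err != nil {
		return nil, errors.New("not the intended recipient, or envelope altered in transit")
	}
	return pt, nil
}

func main() {
	// Constructed keys: the client's key would really come from the
	// exchange at engagement start; "stranger" is whoever received a
	// forwarded or misaddressed copy.
	client, _ := ecdh.X25519().GenerateKey(rand.Reader)
	stranger, _ := ecdh.X25519().GenerateKey(rand.Reader)
	report := []byte("constructed sample: final PT report findings")

	sealed, _ := SealReport(client.PublicKey(), report)
	if pt, err := OpenReport(client, sealed); err == nil {
		fmt.Printf("client reads: %s\n", pt)
	}
	if _, err := OpenReport(stranger, sealed); err != nil {
		fmt.Println("stranger:", err)
	}
}
```

The sealing step protects the content, not the fact of delivery: the reply's point that the information owner decides the method still stands, and the recipient still has to be able to manage a private key, which is exactly the training caveat raised above.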




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:35 EDT