Re: PT Report delivery (caveats)

From: Gareth Davies (gareth.davies@mynetsec.com)
Date: Fri Mar 03 2006 - 06:17:12 EST


johnny Mnemonic wrote:
> Hi
>
> I'm interested in the group's feedback on the most accepted way to
> deliver a final PT report to a client. Best practices indicate that
> reports are only sent to a select group of people in each of the
> Red/White/blue teams, and docs are sent via encrypted email and/or the
> document itself encrypted with public/private keys exchanged at the
> start of the engagement. I've even heard that sending electronic
> copies of the report is a no-no and only a hardcopy should be couriered.
> Could someone weigh in on caveats and/or industry standards for
> report delivery?
>
> Also, how would report delivery best practices from an internal pentesting
> team differ (if at all) from those of a third-party consulting outfit?
>
> Many thanks.

I send the full reports to only one person, whoever is the designated
contact point for that project; it's their responsibility to distribute
it within the company to whoever needs it.

Having said that, I usually also send a ~3 page management-summary-type report
to the people who engaged us for the project as a summary, but I do this
in the same manner, through the same contact, as those managers are
unlikely to have encryption/decryption capabilities. So that person will
generally print it and pass it to the relevant people.

It's sent in soft copy, PDF format, PGP-encrypted with my private key;
my public key is, of course, provided to them.

Cheers

-- 
Gareth Davies - BS7799 LA, OPST
Manager - Security Practice
Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont' Kiara, 50480
Kuala Lumpur, Malaysia 
Phone: +603-6203 5303 or +603-6203 5920
www.mynetsec.com


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:35 EDT