RE: pricing model for Pen-test

From: Robert E. Lee (robert@dyadsecurity.com)
Date: Thu Nov 13 2003 - 13:02:20 EST


There is a great deal that can be done to flush this information out. I
would recommend a thorough investigation of the whois databases, DNS
records (forward and reverse... the names can give away the machine's
purpose), and very light port scanning (perhaps TCP 25, 80, 443). With
banner grabbing you'll find out limited OS/Application/Component
information on the applications involved. You can also look through
your website logs (browser client info) and your customer emails
(headers) for more passive insights.

Even though none of that is against the law (*in most places*, check
your regional laws thoroughly), I would at a minimum get customer verbal
consent first. The last thing you want to do is trip off an active IDS
rule update, win the deal, and sheepishly have to ask the customer to
unblock your testing machines :).

On a separate note, how comfortable are you in working with a customer
who expects you to price your services without giving you any insight
into the workload involved? Are they a non-informed buyer who needs
guidance? If so, be more proactive and ask the questions you need to
price the job correctly. If they are an informed buyer and want to give
as little information as possible, offer to sign an NDA and
draft a contract that allows you to gather the information you need to
properly quote the service. Being proactive at that level should help
your chances of closing the deal.

Best of luck,

Robert

Robert E. Lee
CTO, www.dyadsecurity.com
 
3400 Irvine Ave, Building 118
Newport Beach, Ca 92660
T (800) 644-DYAD
F (949) 486-6001
robert@dyadsecurity.com

> -----Original Message-----
> From: a55mnky@yahoo.com [mailto:a55mnky@yahoo.com]
> Sent: Wednesday, November 12, 2003 12:48 PM
> To: pen-test@securityfocus.com
> Subject: pricing model for Pen-test
>
>
>
> We are responding to an RFP with very little detail - client has 6 class C
> networks. We have been given no information on how many hosts are live on
> each and/or how many services are offered on any hosts. Any suggestions
> on how to price the engagement - certainly there is a significant
> difference in effort between one web server per subnet and 100+ hosts with
> multiple services on each.
>
> Thanks in advance.
>
> a55mnky
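The passive sources Robert lists (reverse-DNS names that hint at a machine's purpose, and the Received: trail in the customer's own e-mail) can be turned into a rough inventory before any active scanning is agreed. The script below is an added example, not code from either poster: it groups a constructed PTR listing by /24 and inferred role, and parses the Received: headers of a constructed message to list the customer's mail relays and the MTA software they announce. All hostnames, addresses and the message are made up (example-customer.test, TEST-NET ranges), and the script performs no network access.

```python
"""Passive scoping helper: turn reverse-DNS names and the Received: trail of
a customer's own e-mail into a rough inventory for pricing an engagement.
Added example; every input below is constructed and no network access is made."""
import email
import ipaddress
import json
import re
from collections import defaultdict

# Constructed PTR (reverse-DNS) results for two of a customer's /24s.
SAMPLE_PTR = {
    "192.0.2.1": "gw1.example-customer.test",
    "192.0.2.10": "www.example-customer.test",
    "192.0.2.11": "www2.example-customer.test",
    "192.0.2.25": "mail.example-customer.test",
    "192.0.2.53": "ns1.example-customer.test",
    "198.51.100.5": "vpn.example-customer.test",
    "198.51.100.20": "sql-prod-01.example-customer.test",
    "198.51.100.21": "sql-prod-02.example-customer.test",
    "198.51.100.200": "dhcp-200.example-customer.test",
}

# Hostname fragments that give away a machine's purpose (first match wins).
ROLE_HINTS = [
    (re.compile(r"^(www|web)\d*\.|^(www|web)\d*-"), "web server"),
    (re.compile(r"^(mail|smtp|mx)\d*\."), "mail server"),
    (re.compile(r"^ns\d*\."), "DNS server"),
    (re.compile(r"^(gw|fw|router)\d*\."), "gateway/firewall"),
    (re.compile(r"^vpn\d*\."), "VPN concentrator"),
    (re.compile(r"^(sql|db|ora)"), "database server"),
    (re.compile(r"^(dhcp|dyn|pool)-?\d+"), "dynamic/DHCP address"),
]

# Constructed customer e-mail; only the Received: trail matters here.
SAMPLE_MESSAGE = """\
Received: from mx2.example-customer.test (mx2.example-customer.test [192.0.2.26])
    by mail.tester.test (Postfix) with ESMTP id 1A2B3C
    for <sales@tester.test>; Wed, 12 Nov 2003 12:48:00 -0500
Received: from mail.example-customer.test (mail.example-customer.test [192.0.2.25])
    by mx2.example-customer.test (Sendmail 8.12.10) with ESMTP id hACHm0oi012345
Received: from workstation42.corp.example-customer.test ([10.1.2.42])
    by mail.example-customer.test with Microsoft SMTPSVC(5.0.2195.6713)
From: buyer@example-customer.test
To: sales@tester.test
Subject: pricing model for Pen-test

Please quote for six class C networks.
"""

# One Received: line, after unfolding, in its common "from ... by ... with ..." shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"                 # host the sender claimed to be
    r"(?:\s+\((?P<from_info>[^)]*)\))?"     # rDNS / [ip] the relay recorded
    r"\s+by\s+(?P<by>\S+)"                  # the relay that added this line
    r"(?:\s+\((?P<by_info>[^)]*)\))?"       # MTA banner, e.g. "(Postfix)"
    r"(?:\s+with\s+(?P<with>.+))?"          # transport / MTA, rest of line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def classify_host(name):
    """Guess a host's role from its reverse-DNS name."""
    for pattern, role in ROLE_HINTS:
        if pattern.search(name):
            return role
    return "unknown"


def summarize_ptr(ptr_map):
    """Group named hosts by /24 and by inferred role."""
    per_subnet = defaultdict(lambda: defaultdict(int))
    for ip, name in ptr_map.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_subnet[str(net)][classify_host(name)] += 1
    return {net: dict(roles) for net, roles in per_subnet.items()}


def parse_received(raw_message):
    """Return one dict per Received: header, outermost (last hop) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())      # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue                             # unusual format: skip, don't guess
        with_part = m.group("with") or ""
        with_part = re.split(r"\s+(?:id|for)\s+|;", with_part)[0].strip()
        ip = IP_RE.search(m.group("from_info") or "")
        hops.append({
            "from": m.group("from"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "software": m.group("by_info") or with_part or None,
        })
    return hops


def mail_relays(raw_message):
    """(relay hostname, MTA software) in delivery order, origin first."""
    return [(h["by"], h["software"]) for h in reversed(parse_received(raw_message))]


def customer_hosts_from_mail(raw_message, domain):
    """Hostnames in the Received: trail that belong to the customer's domain."""
    suffix = "." + domain
    names = {n for h in parse_received(raw_message)
             for n in (h["from"], h["by"]) if n.endswith(suffix)}
    return sorted(names)


def scope_report(ptr_map, raw_message, domain):
    """Everything a quote writer can learn without touching the customer's network."""
    return {
        "named_hosts": len(ptr_map),
        "subnets": summarize_ptr(ptr_map),
        "mail_relays": mail_relays(raw_message),
        "customer_mail_hosts": customer_hosts_from_mail(raw_message, domain),
    }


if __name__ == "__main__":
    print(json.dumps(scope_report(SAMPLE_PTR, SAMPLE_MESSAGE, "example-customer.test"), indent=2))
```

The role table is deliberately conservative: a name that matches nothing is reported as "unknown" rather than guessed, and a "dhcp-" or "pool-" style name is flagged as a dynamic address so it is not counted as a server when sizing the job. The internal address recorded in the innermost Received: line (10.1.2.42 in the constructed message) is the kind of detail the post refers to as a passive insight; it belongs in the scoping notes, not in anything sent to the customer before consent is in hand.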




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:42 EDT