Re: How much do you disclose to customers?

From: Frank Knobbe (frank@knobbe.us)
Date: Fri Dec 19 2003 - 23:51:00 EST


On Fri, 2003-12-19 at 09:37, H Carvey wrote:
> > I have a question on customer disclosure. Is it wise to tell the
> > customer which IP addresses you'll be using before starting pen tests?
>
> The way I've seen this handled is through the contract.

That's one way. Typically though you have a standard contract. It is
absolutely fine to just supply the address casually in a memo or email.
(Or not at all if their admins and response team are to be pentested :)

> > How do testers distribute a test amongst multiple people?
>
> It depends on how you're organized, the amount of time you have, and
> the skills of your staff. Some folks may go after low-hanging fruit
> such as web or ftp servers, while others may be tasked with continual
> network mapping.

Yeah, depends would also be my answer of choice. Although I've been
doing pentests for a long time now, I still enjoy and actually prefer
working in a tag-team setup. Being paired with an equal pentester
provides a team where one can play off the accomplishments of the other.
One might find something that the other can take further. After all, two
brains think better than one (or something like that). It's not so much
an enjoyable competition between the testers (who can break in faster),
but an enjoyable.... well... tag-team (who can first exploit the hole
that the peer found, providing the peer with more info). Being in
constant communication (encrypted IM) is very helpful. In addition, you
almost always have specialties, and using a team, one can a) learn new
tricks from the other, and b) complement the skill set of the other so
that the goal can be achieved faster. No one knows it all. Every one of
us is always learning something new. That's the beauty of the field
we're in. :)

Regards,
Frank

PS: Greetings to Stephen! ;)
