RE: How to start a Pen Test Consultancy ?

From: Nathan Einwechter (nathan@ontologystream.com)
Date: Thu Jan 06 2005 - 14:21:43 EST


A lot of these questions are extremely dependent on the client, their
network/systems and requirements from the pen-test, as well as the type
of pen-test. For example, the tests to conduct in an internal pen-test
(where you have an inventory and layout of the network and its systems)
are going to be significantly different (read: more directed) than an
external blind test.

The same goes for the time span. This is highly dependent on how deep
the client wants you to go, and how large their networks are. This is
something that you need to feel out for yourself, judged by your
experience. Typically, in medium-sized businesses, no more than a week
or so should be required from initial meeting to final report.

Part of the contract for work to complete pen-testing includes an
agreement on what types of attacks are allowed. Typically these
contracts exclude the use of DoS attacks or attacks which will create
any downtime or performance issues for the normal operation of the
business.

If you're not able to avoid using DoS attacks against a client, then you
really have no place to be in the business.

-- Nathan Einwechter

-----Original Message-----
From: vivek_ece_iitg@yahoo.co.in [mailto:vivek_ece_iitg@yahoo.co.in]
Sent: Wednesday, January 05, 2005 11:49 PM
To: pen-test@securityfocus.com
Subject: How to start a Pen Test Consultancy ?

Hi All!

I am thinking of starting my own Pen Test consultancy.
Though I can (arguably ;-) ) say that I am quite adept
at penetration testing and ethical hacking, I am not
aware of a "standardised technique" to conduct an audit.

I would appreciate it if someone can give me some pointers
on this. If I break up my earlier question into smaller
ones... I'd like to know the following:

1. What tests to conduct?
  What all to check? Servers, routers, switches, applications, social
engineering??

2. Time span?
  The ideal time span a pen tester should take to
  conduct an audit?

3. What if my audit leads to a DoS on their website?
  i.e. what are the do's and don'ts when conducting
  an audit on a live system? Best practices?
  Legal stuff?

4. Pen test report?
   What to include and what not?

5. Money ;-) ?
   How to determine a monetary equivalent for the
   pen test conducted? i.e. how to bill the
   customer?? etc.

6. If you can think of anything essential I missed
out... please add!

I know I am almost asking you guys to write an "essay"
but I am sure this will be of help to lots of other
people who would one day like to start something of their
own.

Thanks in advance!

Vivek

Bangalore, India

(flames >> /dev/null)



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:12 EDT