Re: How to start a Pen Test Consultancy ?

From: Anders Thulin (Anders.Thulin_at_tietoenator.com)
Date: 01/10/05

  • Next message: rzaluski: "RE: Windows based DoS Tools?"
    Date: Mon, 10 Jan 2005 08:45:16 +0100
    To: vivek_ece_iitg@yahoo.co.in
    
    

    vivek_ece_iitg@yahoo.co.in wrote:

    > 1. What tests to conduct ?
    > what all to check ? servers, routers, switches, applications, social engineering ??

       The customer decides -- but will typically rely on you to provide
    a set of scenarios to choose from.

    > 2. Time Span ?
    >
    > The ideal time span a pen tester should take to
    > conduct an audit ?

       More important is 2. Terminology. When a customer asks you
    to do a pen test, do they have the slightest clue, or are they
    just repeating what the boss said, and he just repeated something
    his golf partner said? Will you do the 'pen test' scenario just
    because the customer uses that word? What if they asked for an
    'audit' -- do *they* know what you mean by that word? Do you know
    what *they* mean?

       Personally, I take 'audit' to mean the same thing it means
    in the economical world: a check that the organizations follows
    the rules it must follow and those it has set up for itself.
    It's not looking for vulnerabilities, or trying to exploit them.
    It's typically finding all IT security rules, and then check how
    they have been implemented or not, and also if there is anything
    that has been overlooked - that there should be rules for.

       Now that that is out of the way, 2. Time Span. So are you
    doing a pen-test, a vulnerability assessment, an audit, or something
    else? Typically, pen-tests and vulnerability assessments *must*
    be finished and reported in good time before anyone exploits
    the vulnerabilities that will be found.

    > 3. What if my audit leads to a dos on their website ?

       Yes, what if? You, as a knowledgeable tester has, of
    course warned the customer that testing does tend to find
    flaws, and can cause systems to crash. Do they accept the risk?
    And if they don't, do you still take it, or do you suggest
    another approach for those particular systems?

    > legal stuff ?

       That is a localization problem. It depends almost entirely
    on where you are. India, I suspect -- in which case I can
    only suggest that you get in touch with a legal advisor --
    someone who knows the legal situation in India or the specific
    state you are in.

    > 5. Money ;-) ?
    >
    > How to determine a monetory equivalent for the
    > pen test conducted ? i.e how to bill the
    > customer ?? etc

       This is also a localization problem. What kinds of company forms
    can you choose from, and what do they require? What tax rules
    do you have to follow? Again, find someone who knows the country
    or state where you plan to work from the 'starting a business'
    point of view.

    -
    Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
    TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö


  • Next message: rzaluski: "RE: Windows based DoS Tools?"

    Relevant Pages

    • RE: Vulnerability Assessment vs. PenTest
      ... similar to an inspection that only covers the past an audit is an ... Subject: Vulnerability Assessment vs. PenTest ... controls, is performed against the set standard or documented process. ...
      (Pen-Test)
    • Re: Comparing two rows
      ... I have an audit trail stored procedure to create. ... Customer and Customer_audit tables ... My report needs to compare the record in the customer table verses the ... the history row columns against the base row columns one after ...
      (comp.databases.oracle.misc)
    • RE: Vulnerability Assessment vs. PenTest
      ... It is a view at the moment of the audit which can and will most likeley change the moment after the auditor leaves. ... Subject: Vulnerability Assessment vs. PenTest ... controls, is performed against the set standard or documented process. ... A vulnerability assessment is an assessment and gap analysis of a site's ...
      (Pen-Test)
    • RE: Vulnerability Assessment vs. PenTest
      ... First, there are two types of Audit, internal and external. ... controls, is performed against the set standard or documented process. ... Audits are designed to provide an independent assessment through a ... A vulnerability assessment is an assessment and gap analysis of a site's ...
      (Pen-Test)
    • Redhat Enterprise Linux and your first born son...
      ... During the term of this Agreement and for one year thereafter, Customer ... Any such audit shall only take place ... prior written notice from Red Hat. ... non-compliance, and if a payment deficiency exists, then Customer shall have ...
      (alt.os.linux.redhat)