Re: Penetration Testing Scheduling



2008/4/26 <Yousif@xxxxxxxxxxxx>:
> I've heard a lot of folks say that telling your customers exactly when you will begin the testing is not suitable, but I'm not sure as to why they say that... Can anyone define for me the right approach? -- Do you plan the assessment and let them know it's within a week or so, or do you simply inform them of the date and time specifically?

I explain the options to the client and leave it up to them. The pros
for a specific time are that they can have people on standby or sitting in
the office monitoring just in case things go wrong, and that they don't
ignore a real attack going on at a different time, assuming it is the
test. This is also a con, as it means they are more prepared than usual,
so it doesn't give a "real" feel to the attack.

Another con is that they can tailor the network just for that attack,
for example, they could turn on those annoying firewall rules that
they know they should have on but don't usually because it slows the
network down a bit.

The pros of a random time within a given time period are that you
could catch them off guard and hit them at a weak time, 2AM say, and
that they have to fully implement any little network/monitoring tweaks
rather than just turning them on for your attack. Cons: they don't
expect you, so if something goes wrong you'll be testing their DR plan
as well.

I'm sure there are others but I'd say they were the main ones.

Explain those to the client and see what they want. My last job was
against a live web site, and they said that it had to be overnight in
a given week while there would be minimum real client access, no
arguments; I've had others that just said "whenever".

Robin
