Penetration Testing mailing list archives
[PEN-TEST] Lots of questions...my first paid pen-test.
From: Shaun Dewberry <shaun () axsys co za>
Date: Mon, 4 Dec 2000 10:13:04 +0200
Hi,

Maybe this post should be broken into separate threads. I leave that to the moderator and others to decide.

I'm due to perform a pen-test early January for a rather large company. Just have a couple of questions as this will be my first official pen-test.

1) What is the usual team size used when performing a pen-test?

2) Do you prefer to test from a fixed or dynamic IP?

3) What sort of logging of activities takes place? How in depth should the logs be and does anyone have references or examples of pen-test logs? Are any specific tools (i.e. keystroke monitors) used during the test?

4) Do you usually have a third-party/company representative present during the testing process? (i.e. for auditing purposes)

5) Are any trophies taken off machines that are vulnerable to attack? This also brings up the question of whether non-destructive exploits should be run against a known-to-be-vulnerable target.

6) Costing and Fees - How is a quotation for the assessment compiled? Obviously it is relative to the size of the organization and the number of machines scanned, but are there any other determining factors that should affect price? e.g. according to OS, machine type & value, value of information on machine... Any example/old/used/whatever quotes out there which I can get an idea from? In South Africa, pen-testing is an unknown service with no baseline standards / recommendations available.

7) In the event of a physical pen-test, should this take place before or after the online test?

Thanks for your help. If you have any other relevant tips I'd appreciate it.

Shaun Dewberry
==============================
Axsys IT Solutions
Tel: +27 11 395 3310
Cell: +27 83 415 5201
Email: shaun () axsys co za
Personal: shaun () dewberry co za