[PEN-TEST] Lots of questions...my first paid pen-test.

[Shaun Dewberry <shaun () axsys co za>]

Hi,
Maybe this post should be broken into separate threads. I leave that to the
moderator and others to decide.

I'm due to perform a pen-test early January for a rather large company. Just
have a couple of questions as this will be my first official pen-test.

 1) What is the usual team size used when performing a pen-test?

 2) Do you prefer to test from a fixed or dynamic IP?

 3) What sort of logging of activities takes place? How in depth should the
logs be and does anyone have references or examples of pen-test logs? Are
any specific tools (i.e. keystroke monitors) used during the test?

 4) Do you usually have a third-party/company representative present during
the  testing process? (i.e. for auditing purposes)

 5) Are any trophies taken off machines that are vulnerable to attack? This
also brings up the question of whether non-destructive exploits should be
run against a known-to-be-vulnerable target.

 6) Costing and Fees - How is a quotation for the assessment compiled.
Obviously it is relative to the size of the organization and the number of
machines scanned, out are there any other determining factors that should
affect price? e.g. according to OS, machine type & value, value of
information on machine... Any example/old/used/whatever quotes out there
which I can get an idea from? In South Africa, pen-testing is an unknown
service with no baseline standards / recommendations available.

7) In the event of a physical pen-test, should this take place before or
after the online test?

Thanks for your help. If u have any other relevant tips I'd appreciate it.

Shaun Dewberry
==============================
Axsys IT Solutions
Tel: +27 11 395 3310
Cell: +27 83 415 5201
Email:shaun () axsys co za
Personal:shaun () dewberry co za