Penetration Testing mailing list archives
RE: How to start a Pen Test Consultancy ?
From: "Nathan Einwechter" <nathan () ontologystream com>
Date: Thu, 6 Jan 2005 11:21:43 -0800
A lot of these questions are extremely dependent on the client, their network/systems and requirements from the pen-test, as well as the type of pen-test. For example, the tests to conduct in an internal pen-test (where you have an inventory and layout of the network and its systems) are going to be significantly different (read: more directed) than an external blind test.

The same goes for the time span. This is highly dependent on how deep the client wants you to go, and how large their networks are. This is something that you need to feel out for yourself judged by your experience. Typically, in medium-sized businesses, no more than a week or so should be required from initial meeting to final report.

Part of the contract for work to complete pen-testing includes an agreement on what types of attacks are allowed. Typically these contracts exclude the use of DoS attacks or attacks which will create any downtime or performance issues for the normal operation of the business. If you're not able to not use DoS attacks against a client, then you really have no place to be in the business.

--
Nathan Einwechter

-----Original Message-----
From: vivek_ece_iitg () yahoo co in [mailto:vivek_ece_iitg () yahoo co in]
Sent: Wednesday, January 05, 2005 11:49 PM
To: pen-test () securityfocus com
Subject: How to start a Pen Test Consultancy ?

Hi All !

I am thinking of starting my own Pen Test consultancy. Though I can (arguably ;-) ) say that I am quite adept at penetration testing and ethical hacking, I am not aware of a "standardised technique" to conduct an audit. I would appreciate if someone can give me some pointers on this.

If I break up my earlier question into smaller ones...I'd like to know the following :

1. What tests to conduct ? What all to check ? Servers, routers, switches, applications, social engineering ??
2. Time Span ? The ideal time span a pen tester should take to conduct an audit ?
3. What if my audit leads to a DoS on their website ? i.e. what are the do's and don'ts when conducting an audit on a live system ? Best practices ? Legal stuff ?
4. Pen test report ? What to include and what not ?
5. Money ;-) ? How to determine a monetary equivalent for the pen test conducted ? i.e. how to bill the customer ?? etc.
6. If you can think of anything essential I missed out ....please add !

I know I am almost asking you guys to write an "essay" but I am sure this will be of help to lots of other ppl who would one day like to start something of their own.

Thanks in advance !

Vivek
Bangalore, India

(flames >> /dev/null)