Penetration Testing mailing list archives
Re: pentest documentation
From: "Ben Anderson" <hawklan () iastate edu>
Date: Tue, 3 Oct 2006 13:49:47 -0500 (CDT)
> I want to document the pentest process in detail, not only for the customer, but for later reviews and to avoid legal difficulties.

> If I knew you were keeping pentest info on my company I wouldn't hire you. Keeping that data around makes you a target for all your customers.
This is a good point. There are conflicting interests with you and your customer. The customer wants to keep the data private, so they will want you to destroy the data or turn it over to them. However, you need that data for review purposes and/or to legally cover yourself.

For the legal issues, I see two possibilities. The first is that you could turn the data over to them in exchange for signing some sort of waiver or other document stating that they can't take legal action against you. (Whether this is sufficient is a question for your lawyer.) Second, you could agree to archive the data with someone like Iron Mountain that will guarantee the security of the physical media. Then you can simply sign a document that has the hash values on it and everyone gets a copy for their records. (I would use SHA-2 since SHA-1 and MD5 are broken.)

For reviewing purposes, the client may agree to let you keep the data as long as it is anonymized. This is hard to do properly, and may destroy the data you want to review, but would be better than nothing. You may also be able to get the customer to agree to you delivering or destroying the data within 30 days, which should be enough time to review it.

Now, to collect the data, there are two parts to this problem. The first is what you are doing; so I would record the session using whatever screen capture software is available. I say screen capture since it will cover both CLI and GUI commands you use. The second part is monitoring what the tools are doing. This would require any logs from the tool itself and the network traffic generated. The tool should cover the logging part and you can use Wireshark for the network side.

Benjamin Anderson
Ph.D. Student
Department of Electrical and Computer Engineering
Iowa State University
hawklan () iastate edu
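The "sign a document that has the hash values on it" step above, worked through as an added Python example that is not part of the original post: it builds a SHA-256 manifest over an evidence archive, derives one digest both parties can sign, and later flags any file that changed, vanished or appeared. The file names and contents are constructed stand-ins for a screen-recording log and a packet capture.

```python
# Added example (not from the original post): SHA-256 manifest over an evidence
# archive so tester and client can sign one digest and later verify the media.
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream large captures instead of reading them whole

def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def manifest_digest(manifest: dict[str, str]) -> str:
    """One digest over the canonical manifest text; this is the value both parties sign."""
    lines = [f"{digest}  {rel}" for rel, digest in sorted(manifest.items())]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def verify(root: str, manifest: dict[str, str]) -> list[str]:
    """Paths that changed, vanished or appeared since the manifest was signed."""
    current = build_manifest(root)
    changed = {p for p in manifest if p in current and manifest[p] != current[p]}
    return sorted((set(manifest) ^ set(current)) | changed)

def demo() -> tuple[int, list[str]]:
    """Constructed archive: manifest it, alter one file, return what verify() flags."""
    with tempfile.TemporaryDirectory() as root:
        evidence = {  # constructed stand-ins for a screen-recording log and a pcap
            "screen/session.log": b"2006-10-03 13:49 session recording started\n",
            "net/capture.pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,
        }
        for rel, data in evidence.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root)  # digest of this is what gets signed
        with open(os.path.join(root, "screen/session.log"), "ab") as f:
            f.write(b"edited after signing\n")  # simulate post-signing tampering
        return len(manifest), verify(root, manifest)
```

Both sides keep a copy of `manifest_digest(manifest)` on the signed document; re-running `verify()` against the retrieved media shows exactly which files no longer match.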