Penetration Testing mailing list archives

Re: [PEN-TEST] Lots of questions...my first paid pen-test.


From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Mon, 4 Dec 2000 20:34:56 -0300

Hi Shaun,
I'll try to address your questions with the information you provided...

----- Original Message -----
From: "Shaun Dewberry" <shaun () AXSYS CO ZA>
Newsgroups: core.lists.pentest
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Monday, December 04, 2000 7:13 PM
Subject: [PEN-TEST] Lots of questions...my first paid pen-test.


Hi,
Maybe this post should be broken into separate threads. I leave that to the moderator and others to decide.

I'm due to perform a pen-test early January for a rather large company. Just have a couple of questions as this will be my first official pen-test.

 1) What is the usual team size used when performing a pen-test?

Well, that depends completely on the size of the infrastructure to test
(i.e. a class B net, a class C, just a few boxes, etc.), the distributed
nature of it (i.e. just one corporate net, several branches, colocated sites,
etc.), the time requirements of the customer (is there a deadline for the
test, are there other dates that affect the pentest, etc.) and finally the
degree of deepness (sp?) of the test (is it just an external test aimed at
common net and OS vulns? does it include an internal attacker scenario?
does it include an application-specific test? source code review? etc.)

Depending on the above factors we generally go with between 2 and 5
persons. The only rule I apply here is:

  Never do a pen test with just one person, no matter how small or
  easy the job seems to be.

As with software development, cryptanalysis and source code review,
in a pen test peer review is a must. What one person misses the others will
find, and that will increase the overall quality of the job.
And... it will also help develop a teamwork culture in your pen-testing
company :)


 2) Do you prefer to test from a fixed or dynamic IP?

Fixed; it helps them keep track of what you are doing and identify
possible attacks that are not part of the pentest. It also helps them
limit access (when required) to their IT from just one IP...

 3) What sort of logging of activities takes place? How in depth should the logs be and does anyone have references or examples of pen-test logs? Are any specific tools (i.e. keystroke monitors) used during the test?

We generally log the complete sessions of each member of the team. This
is useful for the reporting stage, so you can go back and review the logs in
order to clarify doubts while writing reports. So far we have not been
asked to provide complete logs of the team's work, and although I see no
real value in providing them, that could be a customer's requirement.
We use publicly available tools for this (syslog output, general daemon
logs, script(1), etc.)


 4) Do you usually have a third-party/company representative present during the testing process? (i.e. for auditing purposes)

No.
And you don't want them either.
The customer has to start the project with a mindset that implies a trust
relationship with you; if they need someone else to audit you in order to
start trusting you, there was something wrong in the pre-sale/sale stage
of the pentest. There are other ways to provide the customer with
coverage that will lower their risk and increase their trust, like
NDAs, professional liability insurance and other sorts of legalese.
If having a third party auditing your work is a MUST, I would require
a very precise definition of what the auditors will and will not do, how
they are going to report on your work (on what basis they will say what you
have done is OK or not) and which information they are entitled to access.
Again, legalese with the third party is in order here to protect you from
disclosure on their side, using their auditor role to obtain your methodology
and team's know-how, etc.


 5) Are any trophies taken off machines that are vulnerable to attack?

If the reports (status reports and the final one) are done properly, with
both technical and non-technical explanations of what was done and
what was discovered, the customer rarely needs 'trophies', and they provide
no added value to the job.

This also brings up the question of whether non-destructive exploits should be run against a known-to-be-vulnerable target.

We always use non-destructive exploits; DoS attacks are coordinated and
agreed on with the higher-level contact at the customer.


 6) Costing and Fees - How is a quotation for the assessment compiled? Obviously it is relative to the size of the organization and the number of machines scanned, but are there any other determining factors that should affect price? e.g. according to OS, machine type & value, value of information on machine... Any example/old/used/whatever quotes out there which I can get an idea from? In South Africa, pen-testing is an unknown service with no baseline standards / recommendations available.

We just calculate a quotation based on the info from question 1
and very few other things (is it done remotely? does the
customer pay for travel and lodging expenses if not? etc.).
It generally comes down to the resources we are allocating for the
job, not to IT infrastructure specifics.


 7) In the event of a physical pen-test, should this take place before or after the online test?

I don't think this makes a big difference. It's a matter of discussion with the
customer, whatever fits them better.

I hope this helps,

-ivan

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================



--- For a personal reply use iarce () core-sdi com

