Penetration Testing mailing list archives

Re: [PEN-TEST] Lots of questions...my first paid pen-test.


From: Chris Tobkin <tobkin () INTERSEC COM>
Date: Mon, 4 Dec 2000 19:00:19 -0600

Well, I'll give this one a whack.

1) What is the usual team size used when performing a pen-test?

Depends on how many people the company is willing to pay for and what their
goals are.  Most times just one or two because they just want to find out
what their problems are.  If they are looking for incident response testing
of their techies and are willing to pay for Tiger-team style, then it
depends on how large you can get the group and have it still quickly and
effectively share the results as they come in.  In my experience about 5 or
6 in a small room with a lot of whiteboard space.

2) Do you prefer to test from a fixed or dynamic IP?

I'll interpret this as "single or multiple IP addresses".  (IMHO, you should
always scan from an IP that you own and control -- most effective to have a
few IPs on different service providers.)  It depends on whether they're trying to
find out whether their logs effectively identify an attack, or if their
policies and procedures effectively stop an attacker when coming from
multiple addresses.  Again, all depends on WHY they want a pen-test.  FYI,
if you scan from a cablemodem or home DSL modem, don't be surprised if a
techie catches this, says you're small beans, and doesn't use you again.
You'll also want to make sure your ISP a) knows that you're legitimately
doing this and won't shut you off if it's reported to them, and b) doesn't
have a policy against it.

3) What sort of logging of activities takes place? How in depth
should the logs be and does anyone have references or examples of
pen-test logs? Are any specific tools (i.e. keystroke monitors) used
during the test?

It all depends on what you think your risk is of being sued because you
(incidentally) cause a denial of service, or of being sued because they are
intruded upon and you cannot prove it was not you.  One may record each
packet sent to and received from a client.  That data is then dumped to tape
and stored in a locked safe for about 6 months, then destroyed.

4) Do you usually have a third-party/company representative present
during the testing process? (i.e. for auditing purposes)

For what purpose?

5) Are any trophies taken off machines that are vulnerable to attack?
This also brings up the question of whether non-destructive exploits
should be run against a known-to-be-vulnerable target.

Depends on what the client wants.  It has more shock value when you
show/tell them information they thought you'd never be able to get, but
pulling that data across the internet is probably a bad thing.  In addition,
if you possess that information at any point in time and it's later
circulated, you may have a legal problem on your hands trying to prove that
it wasn't you that made it public.

6) Costing and Fees - How is a quotation for the assessment compiled.
Obviously it is relative to the size of the organization and the
number of machines scanned, but are there any other determining
factors that should affect price? e.g. according to OS, machine type
& value, value of information on machine... Any
example/old/used/whatever quotes out there
which I can get an idea from? In South Africa, pen-testing is an
unknown service with no baseline standards / recommendations
available.

Depends on what you're willing to settle for and they're willing to pay.  I
know we should be charging triple what we are, but we get a lot of repeat
business for recurring tests and companies aren't willing to pay what we
should be charging.

7) In the event of a physical pen-test, should this take place before or
after the online test?

I'd suggest before -- reason being that one could take the information
gleaned from a blind physical test and leverage it during the online test.
Some companies will give you their network diagram, some will want you to do
it blind and show them what you come up with.  I know a few companies told
us that if we didn't find enough during the initial information gathering
phase, they'd have booted us out right then and there.

// Chris
tobkin () intersec com
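
One way to keep the kind of record the answer to question 3 describes, and to show that everything you sent left from addresses you own and declared (question 2): the script below is an added example, not from Chris's post or the list. It parses a libpcap capture (Ethernet link type, IPv4 without header options assumed), classifies each packet as a probe of ours, a reply from the agreed scope, a probe that strayed out of scope, or traffic that is not ours at all, and then writes a SHA-256 manifest for the capture files so the stored tape can later be shown to be the record taken at the time. The addresses, network scope, engagement name and 182-day retention are made up for the example.

```python
# Added example (not from the post): audit a pen-test packet record and hash it for retention.
# Assumes libpcap format, Ethernet link type and IPv4 without options; addresses are constructed.
import hashlib
import ipaddress
import json
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4        # libpcap magic, microsecond timestamps
RETENTION_DAYS = 182           # about the six months the post mentions (assumption)
TESTER_IPS = {"192.0.2.10", "192.0.2.11"}   # addresses we own and disclosed (constructed)
CLIENT_NETS = ["198.51.100.0/24"]           # agreed scope (constructed)

def build_frame(src_ip, dst_ip, payload=b""):
    """Minimal Ethernet/IPv4 frame for sample data (IP checksum left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)        # dummy MACs, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip_hdr + payload

def write_pcap(frames, ts0=975974400):
    """Serialise frames as a little-endian libpcap file, one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    """Yield (timestamp, src, dst) for every IPv4 packet in a libpcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4
        yield (sec + usec / 1e6, str(ipaddress.IPv4Address(frame[26:30])),
               str(ipaddress.IPv4Address(frame[30:34])))

def audit_capture(data, tester_ips, client_nets):
    """Classify packets: out (tester->scope), in (scope->tester), out_of_scope
    (tester->elsewhere), foreign (neither end ours).  Returns (counts, flagged)."""
    nets = [ipaddress.ip_network(n) for n in client_nets]
    in_scope = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    counts = {"out": 0, "in": 0, "out_of_scope": 0, "foreign": 0}
    flagged = []
    for ts, src, dst in iter_pcap(data):
        if src in tester_ips:
            kind = "out" if in_scope(dst) else "out_of_scope"
        elif in_scope(src) and dst in tester_ips:
            kind = "in"
        else:
            kind = "foreign"
        counts[kind] += 1
        if kind in ("out_of_scope", "foreign"):
            flagged.append((ts, src, dst, kind))
    return counts, flagged

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def make_manifest(captures, engagement, created=None):
    """SHA-256 per capture file plus a digest over the manifest; write manifest_sha256
    on the tape label so the stored record can later be shown to be the original."""
    created = int(time.time() if created is None else created)
    files = {name: {"sha256": hashlib.sha256(blob).hexdigest(), "bytes": len(blob)}
             for name, blob in sorted(captures.items())}
    manifest = {"engagement": engagement, "created": created,
                "destroy_after": created + RETENTION_DAYS * 86400, "files": files}
    manifest["manifest_sha256"] = _digest(manifest)
    return manifest

def verify_manifest(manifest, captures):
    """Names that are missing or altered, plus "manifest" if the manifest itself was edited."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    bad = ["manifest"] if _digest(body) != manifest.get("manifest_sha256") else []
    for name, entry in manifest["files"].items():
        blob = captures.get(name)
        if blob is None or hashlib.sha256(blob).hexdigest() != entry["sha256"]:
            bad.append(name)
    return bad

def sample_capture():
    """Constructed capture: a probe, its reply, a probe that left scope, a stray packet."""
    return write_pcap([build_frame("192.0.2.10", "198.51.100.5", b"SYN"),
                       build_frame("198.51.100.5", "192.0.2.10", b"SYN/ACK"),
                       build_frame("192.0.2.10", "203.0.113.7", b"SYN"),
                       build_frame("203.0.113.9", "198.51.100.5", b"?")])
```

Running `audit_capture(sample_capture(), TESTER_IPS, CLIENT_NETS)` on the constructed capture gives one packet of each class, with the out-of-scope probe and the stray packet returned in the flagged list for review before the report goes out; `make_manifest` and `verify_manifest` do the hashing and the later check on the files you bring back from the safe. The two things to keep in mind: the check only works if the capture was taken on the tester's own path (a span port or a capture on the scanning host, not a filtered copy), and the manifest digest is only proof of anything if you recorded it somewhere the capture files cannot reach, such as on the tape label or in the signed engagement file.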
