RE: How to start a Pen Test Consultancy ?

["Chuck Fullerton" <chuckf69 () ceinetworks com>]

www.isecom.org

Check out the OSSTMM.

Chuck F. 

-----Original Message-----
From: vivek_ece_iitg () yahoo co in [mailto:vivek_ece_iitg () yahoo co in] 
Sent: Thursday, January 06, 2005 2:49 AM
To: pen-test () securityfocus com
Subject: How to start a Pen Test Consultancy ?



Hi All !



I am thinking of starting my own Pen Test consultancy.

Though i can (arguably ;-) ) say that i am quite adept

at penetration testing and ethical hacking, i am not 

aware of a "standardised technique" to conduct an audit.



I would appreciate if someone can give me some pointers

on this. If i break up my earliar question into smaller

ones...i'd like to know the following :



1. What tests to conduct ? 

  what all to check ? servers, routers, switches, applications, social
engineering ?? 



2. Time Span ?

  The ideal time span a pen tester should take to 

  conduct an audit ?



3. What if my audit leads to a dos on their website ?

  i.e what are the do's and dont's when conducting

  an audit on a live system ? best practises ? 

  legal stuff ? 



4. Pen test report ? 

   what to include and what not ?



5. Money ;-) ?

   How to determine a monetory equivalent for the 

   pen test conducted ? i.e how to bill the 

   customer ?? etc 



6. If you can think of anything essential i missed

out ....please add !



I know i am almost asking you guys to write an "essay"

but i am sure this will be of help to lots of other 

ppl who would one day like to start something of their 

own.



Thanks in advance ! 



Vivek



Bangalore, India



(flames >> /dev/null)