Penetration Testing mailing list archives
Re: How to start a Pen Test Consultancy ?
From: Anders Thulin <Anders.Thulin () tietoenator com>
Date: Mon, 10 Jan 2005 08:45:16 +0100
vivek_ece_iitg () yahoo co in wrote:
1. What tests to conduct ? what all to check ? servers, routers, switches, applications, social engineering ??
The customer decides -- but will typically rely on you to provide a set of scenarios to choose from.
2. Time Span ?The ideal time span a pen tester should take to conduct an audit ?
More important is 2. Terminology. When a customer asks you to do a pen test, do they have the slightest clue, or are they just repeating what the boss said, and he just repeated something his golf partner said? Will you do the 'pen test' scenario just because the customer uses that word? What if they asked for an 'audit' -- do *they* know what you mean by that word? Do you know what *they* mean? Personally, I take 'audit' to mean the same thing it means in the economical world: a check that the organizations follows the rules it must follow and those it has set up for itself. It's not looking for vulnerabilities, or trying to exploit them. It's typically finding all IT security rules, and then check how they have been implemented or not, and also if there is anything that has been overlooked - that there should be rules for. Now that that is out of the way, 2. Time Span. So are you doing a pen-test, a vulnerability assessment, an audit, or something else? Typically, pen-tests and vulnerability assessments *must* be finished and reported in good time before anyone exploits the vulnerabilities that will be found.
3. What if my audit leads to a dos on their website ?
Yes, what if? You, as a knowledgeable tester has, of course warned the customer that testing does tend to find flaws, and can cause systems to crash. Do they accept the risk? And if they don't, do you still take it, or do you suggest another approach for those particular systems?
legal stuff ?
That is a localization problem. It depends almost entirely on where you are. India, I suspect -- in which case I can only suggest that you get in touch with a legal advisor -- someone who knows the legal situation in India or the specific state you are in.
5. Money ;-) ?How to determine a monetory equivalent for the pen test conducted ? i.e how to bill the customer ?? etc
This is also a localization problem. What kinds of company forms can you choose from, and what do they require? What tax rules do you have to follow? Again, find someone who knows the country or state where you plan to work from the 'starting a business' point of view. - Anders Thulin anders.thulin () tietoenator com 040-661 50 63 TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
Current thread:
- How to start a Pen Test Consultancy ? vivek_ece_iitg (Jan 06)
- RE: How to start a Pen Test Consultancy ? Chuck Fullerton (Jan 06)
- RE: How to start a Pen Test Consultancy ? Nathan Einwechter (Jan 06)
- Re: How to start a Pen Test Consultancy ? Anders Thulin (Jan 10)
- <Possible follow-ups>
- RE: How to start a Pen Test Consultancy ? Schisler Isaiah (Jan 06)
- RE: How to start a Pen Test Consultancy ? Tyler Markowsky (Jan 06)