Penetration Testing mailing list archives

RE: Papers prior to pen-test

From: "Steve Armstrong" <stevearmstrong () logicallysecure com>
Date: Tue, 19 Sep 2006 23:58:03 +0100

Maxime

You may have seen my post several weeks ago about a Vulnerability
Analysis methodology.  We are about 1 week from a release - version 0.2,
so still a 'rough work in progress' but hopefully a nod in the right
direction.  We rely upon checklists to ensure work is conducted
correctly, and often have embed checklists.  

Although slightly messed up format wise (for plain text) here is the
table for the pre testing analysis of the network before the Tester
starts the VA/Pen Testing:  I have posted this
(http://www.logicallysecure.com/forum/viewtopic.php?p=432) and other
snippets on the VAOST development part of our forum - constructive
comment is always welcome.  :-)
(http://www.logicallysecure.com/forum/viewforum.php?f=30 )


1       Non Disclosure Agreement (NDA)  
        To protect both tester and client

2       Contract to Test        
        A summary version (usually without pricing information) should
be      given to the Tester so they can carry it around when Testing
should  they be challenged (this saves tester time)

3       Logical Map (and Checklist)     
        The Checklists are so the Tester is confident that all aspects
of the  system have been mapped at the various levels

4       Network Map (and Checklist)     
        The Checklists are so the Tester is confident that all aspects
of the  system have been mapped at the various levels

5       Data and Information flow Map (and Checklist)   
        The Checklists are so the Tester is confident that all aspects
of the  system have been mapped at the various levels

6       Background Information Form     
        This it to allow the Tester to understand some of the details
discovered in Stage 1

7       Barrier to Risk Table   
        So the tester can understand what they need to have to gain
access to       data or information on target systems

8       Permission to Test from defined points  A list of points the
Tester  is authorized to test.

9       List of tests that should be performed  This list is taken from
the     Master Test List

10      List of areas of interest and specially requested tests  (from
Analyst)        What the analyst has identified as being of interest or
weak

11      Identify the Killer Questions   
        The points that the client is really looking to get answered.
The     tester must be aware of these so the Stage 3 report generation
has a   clear answer and these can be clearly placed in the report

12      Time Frame, IP Addresses and user accounts (as required)        
        So internal can be informed to not alert on the attacks and
unusual         traffic generated for the duration of the test

13      Point of Contact for incidents  
        So critical vulnerabilities or discovered evidence of attacks
can be  reported quickly

14      Point of Contact for Net access and support     
        So the tester can contact the SysAdmin to gain access to the
various         parts of the network quickly.

15      Previous VAOST Stage 3 report (if one exists)
        So the tester can check if previous problems have been addressed
and     to reduce testing time.

Like I said this is a v0.2 draft so please chip in if I have missed
anything - the VAOST will be an open source document (once I finish
spell checking it!)

Steve A
(nebs)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Maxime Ducharme
Sent: 19 September 2006 16:47
To: pen-test () securityfocus com
Subject: Papers prior to pen-test


Hello guys

I'm looking for examples of a kind of "contract" prior
to a pen-test, I mean writing down responsabilities
for each parties before doing a pen-test in case anything
goes wrong.

Any ideas ?

TIA
 
Maxime Ducharme



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

Current thread:

Papers prior to pen-test Maxime Ducharme (Sep 19)
- RE: Papers prior to pen-test Bud Gordon (Sep 19)
  - RE: Papers prior to pen-test jgervacio (Sep 19)
  - Re: Papers prior to pen-test Eoin (Sep 20)
- RE: Papers prior to pen-test Steve Armstrong (Sep 19)
- RE: Papers prior to pen-test Maxime Ducharme (Sep 21)