Penetration Testing mailing list archives

Re: Penetration Testing Scheduling


From: "Robin Wood" <dninja () gmail com>
Date: Tue, 29 Apr 2008 08:45:43 +0100

2008/4/26  <Yousif () vapt-sec com>:
I've heard a lot of folks say that telling your customers exactly when you will begin the testing is not suitable,
but I'm not sure as to why they say that... Can anyone define for me the right approach? -- Do you plan the assessment
and let them know it's within a week or so, or do you simply inform them of the date and time specifically?

I explain the options to the client and leave it up to them. The pros
for a specific time are that they can have people on standby or sat in
the office monitoring just in case things go wrong, and that they don't
ignore a real attack going on at a different time assuming it is the
test. This is also a con, as it means they are more prepared than usual,
so it doesn't give a "real" feel to the attack.

Another con is that they can tailor the network just for that attack,
for example, they could turn on those annoying firewall rules that
they know they should have on but don't usually because it slows the
network down a bit.

The pros of a random time within a given time period are that you
could catch them off guard and hit them at a weak time, 2AM say, and
that they have to fully implement any little network/monitoring tweaks
rather than just turning them on for your attack. Cons: they don't
expect you, so if something goes wrong you'll be testing their DR plan
as well.

I'm sure there are others but I'd say they were the main ones.

Explain those to the client and see what they want. My last job was
against a live web site and they said that it had to be overnight on
a given week while there would be minimum real client access, no
arguments; I've had others that just said "whenever".

Robin
