Penetration Testing mailing list archives
Re: Penetration Testing Scheduling
From: "Robin Wood" <dninja () gmail com>
Date: Tue, 29 Apr 2008 08:45:43 +0100
2008/4/26 <Yousif () vapt-sec com>:
I've heard a lot of folks say that telling your customers exactly when you will begin the testing is not suitable, but I'm not sure as to why they that... Can anyone define for me the right approach? -- Do you plan the assessment and let them know it's within a week or so, or do you simply inform them the date and time specifically?
I explain the options to the client and leave it up to them.

The pros for a specific time are that they can have people on standby or sat in the office monitoring just in case things go wrong and that they don't ignore a real attack going on at a different time assuming it is the test. This is also a con as it means they are more prepared than usual so doesn't give a "real" feel to the attack. Another con is that they can tailor the network just for that attack, for example, they could turn on those annoying firewall rules that they know they should have on but don't usually because it slows the network down a bit.

The pros of a random time within a given time period are that you could catch them off guard and hit them at a weak time, 2AM say, and that they have to fully implement any little network/monitoring tweaks rather than just turning them on for your attack. Cons, they don't expect you so if something goes wrong you'll be testing their DR plan as well.

I'm sure there are others but I'd say they were the main ones. Explain those to the client and see what they want.

My last job was against a live web site and they said that it had to be overnight on a given week while there would be minimum real client access, no arguments, I've had others that just said "whenever".

Robin