Discussion:
How to start a Pen Test Consultancy ?
v***@yahoo.co.in
2005-01-06 07:48:50 UTC
Hi All!

I am thinking of starting my own Pen Test consultancy.
Though I can (arguably ;-) ) say that I am quite adept
at penetration testing and ethical hacking, I am not
aware of a "standardised technique" to conduct an audit.

I would appreciate it if someone can give me some pointers
on this. If I break up my earlier question into smaller
ones... I'd like to know the following:

1. What tests to conduct?
What all to check? Servers, routers, switches, applications, social engineering?

2. Time span?
The ideal time span a pen tester should take to
conduct an audit?

3. What if my audit leads to a DoS on their website?
i.e. what are the do's and don'ts when conducting
an audit on a live system? Best practices?
Legal stuff?

4. Pen test report?
What to include and what not?

5. Money ;-) ?
How to determine a monetary equivalent for the
pen test conducted? i.e. how to bill the
customer? etc.

6. If you can think of anything essential I missed
out... please add!

I know I am almost asking you guys to write an "essay"
but I am sure this will be of help to lots of other
ppl who would one day like to start something of their
own.

Thanks in advance!

Vivek

Bangalore, India

(flames >> /dev/null)
Chuck Fullerton
2005-01-06 16:10:05 UTC
www.isecom.org

Check out the OSSTMM.

Chuck F.

Nathan Einwechter
2005-01-06 19:21:43 UTC
A lot of these questions are extremely dependent on the client, their
network/systems and requirements from the pen-test, as well as the type
of pen-test. For example, the tests to conduct in an internal pen-test
(where you have an inventory and layout of the network and its systems)
are going to be significantly different (read: more directed) than an
external blind test.

The same goes for the time span. This is highly dependent on how deep
the client wants you to go, and how large their networks are. This is
something that you need to feel out for yourself, judged by your
experience. Typically, in medium-sized businesses, no more than a week
or so should be required from initial meeting to final report.

Part of the contract for work to complete pen-testing includes an
agreement on what types of attacks are allowed. Typically these
contracts exclude the use of DoS attacks or attacks which will create
any downtime or performance issues for the normal operation of the
business.

If you're not able to not use DoS attacks against a client, then you
really have no place to be in the business.

-- Nathan Einwechter

Schisler Isaiah
2005-01-06 18:17:41 UTC
As mentioned before, http://www.isecom.org is a great place for open
source pen-testing information and should be able to answer most of the
questions that you've posed.

One thing that you did forget to mention and will definitely need to be
covered before doing any penetration testing is legal documentation
(i.e. non-disclosure agreement, liability insurance, etc.). The owner of
the business you're trying to sell your service to is not going to just
let anybody come on the network and start doing whatever they want to
it. It may be easier to hire a lawyer that specializes in documents like
that, or you can invest the time to do the research yourself. But you
definitely want to have your butt covered before you start pen-testing
someone's network.


Tyler Markowsky
2005-01-06 20:51:13 UTC
Some marketing-oriented stream of consciousness for our friend Vivek...

There certainly is a lot of demand in North America for information security
consultants who can ensure networks containing personal and private
information are secure (that is, essentially, why companies conduct Pen
Tests). This demand continues to grow and could work to your advantage:
many of the larger international corporations are expanding their labour
forces abroad to include massive outsourcing arrangements in countries like
India.

With that in mind, I would suggest you look into the privacy laws of those
organizations who are outsourcing. For example: in Canada there are huge
penalties for privacy violations mandated by the government (PIPEDA). In
the States, accountancy standards have just been expanded to include
information security (Sarbanes-Oxley).

You may be able to capitalize on those outsourcing arrangements, because
despite the fact that much of the work is subcontracted, those companies are
still liable to their home country's privacy standards!

Good luck with your venture, Vivek!

Best,

Tyler Markowsky
Information Risk Analyst
SECCURIS

http://www.seccuris.com

***PLEASE DONATE MONEY FOR THE VICTIMS OF THE ASIAN TSUNAMI***
*Canadians: http://www.redcross.ca/
- The Canadian Gov will match Canadian citizens' donations until January
11th**

Anders Thulin
2005-01-10 07:45:16 UTC
Post by v***@yahoo.co.in
> 1. What tests to conduct?
> What all to check? Servers, routers, switches, applications, social engineering?
The customer decides -- but will typically rely on you to provide
a set of scenarios to choose from.

Post by v***@yahoo.co.in
> 2. Time span?
> The ideal time span a pen tester should take to
> conduct an audit?
More important is 2. Terminology. When a customer asks you
to do a pen test, do they have the slightest clue, or are they
just repeating what the boss said, and he just repeated something
his golf partner said? Will you do the 'pen test' scenario just
because the customer uses that word? What if they asked for an
'audit' -- do *they* know what you mean by that word? Do you know
what *they* mean?

Personally, I take 'audit' to mean the same thing it means
in the economic world: a check that the organization follows
the rules it must follow and those it has set up for itself.
It's not looking for vulnerabilities, or trying to exploit them.
It's typically finding all IT security rules, and then checking how
they have been implemented or not, and also whether there is anything
that has been overlooked - that there should be rules for.

Now that that is out of the way, 2. Time span. So are you
doing a pen-test, a vulnerability assessment, an audit, or something
else? Typically, pen-tests and vulnerability assessments *must*
be finished and reported in good time before anyone exploits
the vulnerabilities that will be found.

Post by v***@yahoo.co.in
> 3. What if my audit leads to a DoS on their website?
Yes, what if? You, as a knowledgeable tester, have of
course warned the customer that testing does tend to find
flaws, and can cause systems to crash. Do they accept the risk?
And if they don't, do you still take it, or do you suggest
another approach for those particular systems?

Post by v***@yahoo.co.in
> Legal stuff?
That is a localization problem. It depends almost entirely
on where you are. India, I suspect -- in which case I can
only suggest that you get in touch with a legal advisor --
someone who knows the legal situation in India or the specific
state you are in.

Post by v***@yahoo.co.in
> 5. Money ;-) ?
> How to determine a monetary equivalent for the
> pen test conducted? i.e. how to bill the
> customer? etc.
This is also a localization problem. What kinds of company forms
can you choose from, and what do they require? What tax rules
do you have to follow? Again, find someone who knows the country
or state where you plan to work from the 'starting a business'
point of view.

-
Anders Thulin ***@tietoenator.com 040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
