RE: How to start a Pen Test Consultancy ?

From: Schisler Isaiah (schisler_isaiah@bah.com)
Date: Thu Jan 06 2005 - 13:17:41 EST


As mentioned before http://www.isecom.org is great place for open
source pen-testing information and should be able to answer most of the
questions that you've posed.

One thing that you did forget to mention and will definitely need to be
covered before doing any penetration testing is legal documentation
(i.e. non-disclosure agreement, liability insurance, etc.). The owner of
the business your trying to sell your service to is not going to just
let anybody come on the network and start doing whatever they want to
it. It may be easier to hire a lawyer that specializes in documents like
that, or you can invest the time to do the research yourself. But you
definitely want to have you're butt covered before you start pen-testing
someone's network.

-----Original Message-----
From: vivek_ece_iitg@yahoo.co.in [mailto:vivek_ece_iitg@yahoo.co.in]
Sent: Wednesday, January 05, 2005 11:49 PM
To: pen-test@securityfocus.com
Subject: How to start a Pen Test Consultancy ?

Hi All !

I am thinking of starting my own Pen Test consultancy.
Though i can (arguably ;-) ) say that i am quite adept
at penetration testing and ethical hacking, i am not
aware of a "standardised technique" to conduct an audit.

I would appreciate if someone can give me some pointers
on this. If i break up my earliar question into smaller
ones...i'd like to know the following :

1. What tests to conduct ?
  what all to check ? servers, routers, switches, applications, social
engineering ??

2. Time Span ?
  The ideal time span a pen tester should take to
  conduct an audit ?

3. What if my audit leads to a dos on their website ?
  i.e what are the do's and dont's when conducting
  an audit on a live system ? best practises ?
  legal stuff ?

4. Pen test report ?
   what to include and what not ?

5. Money ;-) ?
   How to determine a monetory equivalent for the
   pen test conducted ? i.e how to bill the
   customer ?? etc

6. If you can think of anything essential i missed
out ....please add !

I know i am almost asking you guys to write an "essay"
but i am sure this will be of help to lots of other
ppl who would one day like to start something of their
own.

Thanks in advance !

Vivek

Bangalore, India

(flames >> /dev/null)



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:12 EDT