From: Volker Tanger (vtlists@wyae.de)
Date: Wed Feb 08 2006 - 16:46:12 EST
Greetings!
On Wed, 08 Feb 2006 08:55:52 -0600
Leif Ericksen <leife@dls.net> wrote:
> SHORT AND SWEET:
> IMHO, a good pen-test will have a contract that dictates
> 1) Name of the company being tested and people that will be testing.
> 2) Any forbidden access methods.
> 3) Any forbidden tactics DOS/or even a shutdown of the server
> (Real hackers will not care if they shutdown or DOS a server.)
> 4) Time of the attacks. (start/end date start/end time)
> (Real hackers will not care about time.)
> 5) Maybe all telephone numbers owned by the company for a war-dial
> list.
> But this might not be shared with the whole team. If a modem is
> found a weakness is noted, and the actual intrusion team would have
> to find modems with SE or other methods.
> 6) If the team is going to be on premise can they enter restricted
> areas or are they only allowed to test the door to see if it is open.
Most important: contacts (esp. phone numbers!) of all people involved!
7a) contact details of pen testers where the client can contact them during
the test in case something goes wrong. I once wardialed a client who
was not aware that his telephone system relayed each and every non-valid
number and/or service to the front desk. 50.000 numbers dialed where
only 20% were connected. 4 wardialers each running at 30second
intervals. Effectively DoSed the client telephone-wise...
7b) contact (and authority) details of the client. Especially when doing
physical assessment. Police usually won't take a "Dunno" as valid
legitimation for trespassing...
7c) Who is allowed to know and who not (e.g. for a pentest with simultaneous
readiness/performance test of the IDS/FW/network staff).
Bye
Volker
-- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- vtlists@wyae.de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:28 EDT