Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Pen Test Contracts

from [Richard Feist] Network Security [Permanent Link]
Subject: RE: Pen Test Contracts
Date: Fri, 14 Jul 2006 09:19:06 +1200 
Rob,

Have a look at the OSSTMM, www.isecom.org/osstmm . While it doesn't directly
answer yout question it does provide a view of what should be covered, and
thus mentioned in the doc you are asking about

Richard


-----Original Message-----
From: Robert J. Kraus [mailto:rkraus@telcomtex.net] 
Sent: 14 July 2006 02:03
To: Christine Kronberg
Cc: pen-test@securityfocus.com
Subject: RE: Pen Test Contracts

Christine,

Thanks for the info! I appreciate your time spent for 
replying to my post.I found your calculation to be very 
helpful and located a "Get out of Jail Free" doc on the 
website you recommended.

I was planning on using a different approval for internal and 
external, but only slight verbiage changes between them. More 
or less just the audience is different, was planning on still 
using one, just slightly different to address the correct 
audience. Much of the content will be the same.

Thanks,
 
Rob Kraus
Chief Information Officer
Telcomtex Communications, Inc.
6622 Randolph Blvd
Live Oak, Texas 78233
office: 210-566-5500 ext. 107
fax: 210-566-5590
email: rkraus@telcomtex.net
website: www.telcomtex.net
-----Original Message-----
From: Christine Kronberg [mailto:seeker@shalla.de]
Sent: Thursday, July 13, 2006 6:11 AM
To: Robert J. Kraus
Cc: pen-test@securityfocus.com
Subject: Re: Pen Test Contracts


   Hi Rob,


I am curious if anyone happens to have a few documents that 

may assist


me. I am not looking to re-create the wheel and would 

appreciate any 

help.

I am looking for a few templates that I can use for (of 

course I would


modify them to reflect my organizations):

1.    Internal Approval for penetration testing. This is 

the type you 

would use to gain written approval from your internal management to 
perform penetration testing on your own network.

2.    Customer Approval Contract for External Penetration Testing - 
This form is used for getting written approval from your 

customers to 

perform penetration testing on their networks. This usually will

include 

the scope and any guidelines for the engagement of the pen-testing 
activities.


   Why do you make an distinction between the approval for 
internal and
   external (customer side) pen testing? For an internal test 
management
   is the customer.
   For the contract you may take a look at:
      www.professionalsecuritytesters.com


3. Proposal. If anyone has a example of a proposal for costing 
information for different services.


   The costs rely entirely on time and effort. A simple portscan is
   (no pentest and) easily archieved. The verification of the results
   take some more time (and knowledge), yet this is usually not some-
   thing expensive.

   In case of penetration tests you can try this kind of rough
calculation:

   * assumption:      network with 20 clients
   * assumption: each client offers 10 services
   =>  that make 200 examinations

   an on:
   * assumption: each examination takes 15 minutes.
   * assumption: the working day has 8 hours.
   => that makes 6,25 days of work.
   Now use your daily rate to estimate the costs and don't forget the
   time you need to write and present your report.

   Of course, 15 minutes for an examination is ... not very much,
   if you do your job properly. So the testing, even with support
   of automized tools, will not be very deep. And don't forget there
   is still the time it takes to verify your data.
   But this little example gives an idea about the costs and why a
   penetration test can be very, very expensive.

   Have a nice day,

   Christine Kronberg.





------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: what to do it illegal activity found during pen-test, Ebeling, Jr., Herman Frederick
Next by Date:  Re: Detecting Rogues from the wired side, Clyde Johnson
Previous by Thread:  RE: Pen Test Contracts, Robert J. Kraus
Next by Thread:  RE: Pen Test Contracts, David M. Zendzian
Indexes:  [Date] [Thread] [Top] [All Lists]