Pre-engagement Interactions ~ Ethical hacking, Pen testing, IT security

Wednesday, October 5, 2011

1:00 PM

Fabio

The picture below shows all the pre-engagement activities:

NETWORK PENETRATION TEST

Why is the customer having the penetration test against their environment?
Is the pen test require for a particular compliance requirement?
When does the customer wants you to execute the active parts of the pen test?
What's the range of IP addresses? Are they internal? External?
Are they security protections on the system? What are they?
What if the penetration is succesful? Does the customer want you to try to escalate privileges, crack passwords?

WEB APPLICATION PENETRATION TEST

WIRELESS NETWORK PENETRATION TEST

PHYSICAL PENETRATION TEST

SOCIAL ENGINEERING

Will the client provide email addresses or phone numbers of personnel that we can attempt to social engineer?
How many people will be targeted?

----------------------------------------------------------------------------------

Specify start and end date: this allows the project to have a definite end.
Specify IP ranges and Domain: you have to be sure that the target allowed you to perform the test. If after testing you discover that some IP don't belong to the pc owned by the customer it's too late.
Deal with Thirdy-parties: if a server is stored by using a hosting provider you'll need to be allowed to proceed also by the hosting provider.
DOS testing: be sure your customer allowed because stressing the network may cause important services to be inactive till the end of the test.
Emergency contact information: you'll need contacts you can use to communicate to your customer in case of emergency 24/7.
Encryption is not an option: since sensitive data is stored into the customer system all the tests has to be done using an encrypted session and communications such as emails must be encrypted, when it's possible choose face to face meetings.

Ethical hacking, Pen testing, IT security