Keep people in the know -- literally. Say, "OK, here we go…" and include dates, timeframes, the systems being tested and even any signatures or behaviors that your scanners and other tools may present or leave behind. Undoubtedly you'll miss someone who should've been notified about what you're doing (or have already done). I can't tell you how often I hear, "Oh yeah! We should've warned so-and-so about what we're doing." Notify your ISPs, CoLo/hosting providers or whoever else you think needs to know. Ask the project sponsor who needs to know. She may very well think of someone who's not on your radar screen.

Keep people posted. It's not difficult to send out a status email from time to time. Tell them things like, "We had a successful first round of testing on the servers," and "Reminder: Tonight we're testing the domain controller, IIS and SQL servers." Err on the side of too much communication. No one ever got in trouble for that.

Setting your Windows security assessment expectations

Home: Introduction
Step 1: Determine the business goals
Step 2: Get input and information from others
Step 3: Let everyone know that problems will likely occur
Step 4: Let your testing be known and keep people in the loop
Step 5: Report what happened
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments involving compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He also created the Security On Wheels series of audiobooks. Kevin can be reached at kbeaver@principlelogic.com.