Outside of verifying the credibility, character and confidentiality of the penetration testing team, I would look very closely at what is covered in the testing. There are many variables, but I would stay away from a "capture the flag style test" and look for a more comprehensive test that will test the entire network. Inside of this there are still many variables, such as full knowledge, zero knowledge, and whether the test assesses internal risks. There are a lot of variables involved with assessments; make sure they are clearly defined.

Kevin

-----Original Message-----
From: shrdluat_private [mailto:shrdluat_private] On Behalf Of Etaoin Shrdlu
Sent: Sunday, June 03, 2001 7:50 PM
To: Penetration Test List
Subject: Re: How to go about looking for a pen-tester

hellNbak wrote:

> Ershad Shafi Chowdhury wrote:
> > I have been reading with interest this list for a few weeks. Is there
> > anything special that a customer should look for when choosing a pen tester?
> > e.g., are there any certifications, associations, government agency that
> > guarantee the pen-tester won't use the information learned to harm the
> > network? Should the customer specify what is allowed and what is not
> > allowed, or give the pen-tester a free hand to do his work? How about
> > international agreements? Are there any websites recommending and rating
> > pen-testers? Basically, what should a client do to protect himself when asking
> > a pen-tester to break in to his network.

I would also point you to the recent conversations concerning bonding and insurance. A professional should be able to provide information on these things. This (of course) does not guarantee anything, but it provides an additional element of comfort.

> First - all certifications mean is that someone read a book and managed to
> memorize enough of it to pass a test. Do not base your selection of
> Pen-Testers on only certifications.

Sure, but certifications are still nice. I don't have a CISSP, but I respect some of the folk I've met who do (not all, but some). Just like the microsucks certificates, it doesn't prove competence and expertise, but it provides data points that can be considered.

> As far as agreements go, you would be wise to carefully read over any
> terms and conditions supplied by the company doing the tests. If there is
> anything in there you do not like or want added, speak up before you sign
> off on the proposal. If there isn't a terms and conditions - run like
> hell.

This is good advice. You should also question the kind of business you are in, which might dictate the company or consultant that you use. The country (or countries) that you do business in are significant as well. If your business is a large, international conglomerate, it would be better to select a company that does business in that area. If you are a small startup, and you just want to give yourself that extra comfort (and you've already considered outside firms for vulnerability and risk assessments), then a consulting firm with only a few employees might be just fine.

> The way I would choose a pen-testing or security consulting company would
> be by looking at their years in business, their experience, and their
> references. In my opinion - you are better off with an established,
> known company that can provide you with some good references.

Sure, but references are not always possible. Many penetration tests will be covered by non-disclosure agreements. Companies are risk-averse, as they should be, and this particular area is seen as one that does not lend itself to the next big marketing campaign. I can see it now: "BigCompany announces successful penetration testing by Ernst and Young. Only five compromised machines this time!"

Consider why you want a penetration test. Consider the type of business you are in. How devastating is it if you suffer a compromise? Make sure that you already have, in place, a good security policy, and both external and internal vulnerability and risk assessments.

.shrdlu
--
Bill Watterson: "The surest sign that intelligent life exists in the universe is that it has never tried to contact us."
This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 23:07:27 PDT