RE: How to go about looking for a pen-tester

From: Kevin Timm (ktimmat_private)
Date: Sun Jun 03 2001 - 19:55:00 PDT


    Outside of verifying the credibility, character and confidentiality of the
    penetration testing team I would look very closely at what is covered in the
    testing. There are many variables but I would stay away from a "capture the
    flag style test" and look for a more comprehensive test that will test the
    entire network. Inside of this there are still many variables such as full
    knowledge, zero knowledge, and whether the test assesses internal risks. There are a
    lot of variables involved with assessments; make sure they are clearly
    defined.
    Kevin
    
    -----Original Message-----
    From: shrdluat_private [mailto:shrdluat_private] On Behalf Of Etaoin
    Shrdlu
    Sent: Sunday, June 03, 2001 7:50 PM
    To: Penetration Test List
    Subject: Re: How to go about looking for a pen-tester
    
    
    hellNbak wrote:
    
    > Ershad Shafi Chowdhury wrote:
    
    > > I have been reading with interest this list for a few weeks. Is there
    > > anything special that a customer should look for when choosing a pen
    > > tester?
    > > e.g., are there any certifications, associations, government agency that
    > > guarantee the pen-tester won't use the information learned to harm the
    > > network? Should the customer specify what is allowed and what is not
    > > allowed, or give the pen-tester a free hand to do his work? how about
    > > international agreements? Are there any websites recommending and rating
    > > pen-testers? Basically, what should a client do to protect himself when
    > > asking
    > > a pen-tester to break into his network.
    
    I would also point you to the recent conversations concerning bonding
    and insurance. A professional should be able to provide information on
    these things. This (of course) does not guarantee anything, but it
    provides an additional element of comfort.
    
    > First - all certifications mean is that someone read a book and managed to
    > memorize enough of it to pass a test.  Do not base your selection of
    > Pen-Testers on only certifications.
    
    Sure, but certifications are still nice. I don't have a CISSP, but I
    respect some of the folk I've met who do (not all, but some). Just like
    the microsucks certificates, it doesn't prove competence and expertise,
    but it provides data points that can be considered.
    
    > As far as agreements go, you would be wise to carefully read over any
    > terms and conditions supplied by the company doing the tests.  If there is
    > anything in there you do not like or want added, speak up before you sign
    > off on the proposal.  If there isn't a terms and conditions - run like
    > hell.
    
    This is good advice. You should also question the kind of business you
    are in, which might dictate the company or consultant that you use. The
    country (or countries) that you do business in are significant as well.
    If your business is a large, international conglomerate, it would be
    better to select a company that does business in that area. If you are a
    small startup, and you just want to give yourself that extra comfort
    (and you've already considered outside firms for vulnerability and risk
    assessments), then a consulting firm with only a few employees might be
    just fine.
    
    > The way I would choose a pen-testing or security consulting company would
    > be by looking at their years in business, their experience, and their
    > references.  In my opinion - you are better off with an established,
    > known company that can provide you with some good references.
    
    Sure, but references are not always possible. Many penetration tests
    will be covered by non-disclosure agreements. Companies are risk-averse,
    as they should be, and this particular area is seen as one that does not
    lend itself to the next big marketing campaign. I can see it now:
    "BigCompany announces successful penetration testing by Ernst and Young.
    Only five compromised machines this time!"
    
    Consider why you want a penetration test. Consider the type of business
    you are in. How devastating is it if you suffer a compromise? Make sure
    that you already have, in place, a good security policy, and both
    external and internal vulnerability and risk assessments.
    
    .shrdlu
    
    --
    Bill Watterson:
    "The surest sign that intelligent life exists in the universe
    is that it has never tried to contact us."
    
    This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 23:07:27 PDT