Penetration Testing mailing list archives

Re: How to go about looking for a pen-tester


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Sun, 03 Jun 2001 17:50:17 -0700

hellNbak wrote:

Ershad Shafi Chowdhury wrote:

I have been reading with interest this list for a few weeks. Is there
anything special that a customer should look for when choosing a pen tester?
e.g., are there any certifications, associations, government agency that
guarantee the pen-tester won't use the information learned to harm the
network? Should the customer specify what is allowed and what is not
allowed, or give the pen-tester a free hand to do his work? How about
international agreements? Are there any websites recommending and rating
pen-testers? Basically, what should a client do to protect himself when asking
a pen-tester to break into his network.

I would also point you to the recent conversations concerning bonding
and insurance. A professional should be able to provide information on
these things. This (of course) does not guarantee anything, but it
provides an additional element of comfort.

First - all certifications mean is that someone read a book and managed to
memorize enough of it to pass a test.  Do not base your selection of
Pen-Testers on only certifications.

Sure, but certifications are still nice. I don't have a CISSP, but I
respect some of the folk I've met who do (not all, but some). Just like
the microsucks certificates, it doesn't prove competence and expertise,
but it provides data points that can be considered.

As far as agreements go, you would be wise to carefully read over any
terms and conditions supplied by the company doing the tests.  If there is
anything in there you do not like or want added, speak up before you sign
off on the proposal.  If there isn't a terms and conditions - run like
hell.

This is good advice. You should also question the kind of business you
are in, which might dictate the company or consultant that you use. The
country (or countries) that you do business in are significant as well.
If your business is a large, international conglomerate, it would be
better to select a company that does business in that area. If you are a
small startup, and you just want to give yourself that extra comfort
(and you've already considered outside firms for vulnerability and risk
assessments), then a consulting firm with only a few employees might be
just fine.

The way I would choose a pen-testing or security consulting company would
be by looking at their years in business, their experience, and their
references.  In my opinion - you are better off with an established,
known company that can provide you with some good references.

Sure, but references are not always possible. Many penetration tests
will be covered by non-disclosure agreements. Companies are risk-averse,
as they should be, and this particular area is seen as one that does not
lend itself to the next big marketing campaign. I can see it now:
"BigCompany announces successful penetration testing by Ernst and Young.
Only five compromised machines this time!"

Consider why you want a penetration test. Consider the type of business
you are in. How devastating is it if you suffer a compromise? Make sure
that you already have, in place, a good security policy, and both
external and internal vulnerability and risk assessments.

.shrdlu

--
Bill Watterson:
"The surest sign that intelligent life exists in the universe
is that it has never tried to contact us."

