Hacker Intrusion Simulation

Posted on 2006-07-21
Last Modified: 2008-01-09
I have been asked to conduct a security audit of a company's website in an effort to identify the risks of data being compromised (DOS not a major concern). I would like to subcontract an organization that will (with my client's permission) see how far they can get with hacking into their network via this host that controls the website. After their simulation, when they have got as far as they can go, they would provide me with a report of steps to take to eliminate or reduce the risk of data being compromised.

Please recommend any US based company (besides IBM) that will do this analysis for me.

Thank you
12 Comments
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 400 total points
ID: 17156581
NEC Unified Solutions (www.necunified.com)

www.counterpane.com



Cheers,
Rajesh
 
LVL 8

Expert Comment

by:jako
ID: 17157123
my former employer KPMG (http://www.kpmg.com) also has capable and very experienced pentesters employed and I would heartily recommend them.
 

Author Comment

by:jlavery
ID: 17157148
do you have a point of contact?
 
LVL 18

Expert Comment

by:decoleur
ID: 17167018
you could also use software to run external security audits... Nessus is outstanding for this and www.alertra.com can run complete vulnerability scans with reports on a daily/weekly/or monthly basis at extremely reasonable rates.

there is such a large range in services that you can contract and a large range in prices for services rendered. I had some organizations quote me 40K to audit a class C address space and others quote me 5K for similar work.

Hope this helps-

-t
 
LVL 8

Expert Comment

by:jako
ID: 17167471
jlavery, no, I don't. I forwarded this forum link to a capable branch office employee who I thought would know the right people. Yet, the organization is big. It is mindbogglingly big.

I guess you'll be better served contacting them yourself (http://www.kpmg.com/About/Where/). You might want to get your call forwarded from the front desk to IT auditors as soon as possible, though. Be sure to mention "penetration testing".
 

Author Comment

by:jlavery
ID: 17169978
I have a product that will do a security scan and give me lists of holes in the physical layer and/or OS. what i'm looking for is an organization that actually hacks into a target website to see how far someone from the outside could get and what data can be compromised from the backend. then provide recommendations on what can be done to resolve the problems that exist.

for lack of a better term, i'm looking for an ethical hacker for hire.

 
LVL 18

Assisted Solution

by:decoleur
decoleur earned 80 total points
ID: 17170466
it seems simple enough...

questions that you will probably need to ask to help refine your search involve what is the scope of the engagement and what would be the budget?

for example do you have one public ip address that you want someone to perform a zero knowledge pen test upon or do you want to have someone inside your network perform said operations with full exposure to all the tiers of your web application? keep in mind that some project that over 80% of the damaging IT activities originate inside the affected network. Also are you looking at ethical hacking from the UI or a full on code review?

One thing I would definitely do would be to look at how whoever you hire is insured, for example E&O of a substantial amount would be a requirement.

Hope this helps,

-t
 

Author Comment

by:jlavery
ID: 17170915
penetration test of a website is what i'm looking for.

money is always a concern so once a company is identified to perform the activity i can go back and get the amount approved. This is something my client has come to me with, probably more of a CYA than anything else, but that is a good indication that he is interested in moving forward with an analysis such as this.

understood that most hacks happen from the inside and the very statistic you mentioned is one that we have brought up. it's just not where they are focusing their efforts on right now. they are more concerned about data being compromised from the outside. I know it's wrong, but the money is always right.

 
LVL 2

Accepted Solution

by:
snyp earned 20 total points
ID: 17187498
try www.rentacoder.com

you can sign up as a 'buyer'; which means you are looking to employ someone. then you create an advertisement for what you want to be done. penetration testing is a daily request of buyers on the site.

once you've made your advertisement, 'sellers' (or potential contractors) will 'bid' for the work; basically how much they want to be paid for the work you've described.

the best thing about it is the 'bidding' system, and what you can check out; how much someone wants for the work, what kind of history they have, recommendations and points from other work done on the site, online resume, etc etc.

i'm signed up myself as a seller and i've done work for around 30 people over the last year.. but i've no experience of buying work i'm afraid. i can tell you though that working is quick and easy. i've never had any problems whatsoever.
 
LVL 8

Expert Comment

by:jako
ID: 17188734
Pentesting ought not to be quick and easy. It should be meticulous and systematic. Well documented with an audit trail that can be retraced and exploits reliably reproduced. At the same time the systems mustn't fail or suffer the DoS when the client has not agreed to that.
By trying hard not to sound arrogant I must still emphasize that it is not the job for just any one-man-1337-h4x0r-team hired for the lowest amount bidden. While the hacker-to-hire might get your perimeter penetrated, the documentation on the job is often below acceptable levels. My first choice would therefore be any of the big 5 auditing companies, not just KPMG. (I guess I've given them enough time to grab this opportunity to make business with you.:)
 
LVL 2

Expert Comment

by:snyp
ID: 17188764
the point of rentacoder.com is that a requirement of the contract you enter into with your employer is documentation; also, if the employer isn't happy with the work, an adjudication by the rentacoder.com legal team takes place.
no funds are released from rentacoder to the contractor until all agree that the work's been carried out to the job specification.
 
LVL 2

Expert Comment

by:tellkeeper
ID: 17189302
I would suggest whoever you employ for this project be a CEH (Certified Ethical Hacker). If they can show proof of this certification or if they are recommended by someone as being a CEH then you will have a better chance of getting a professional pentest done. There are a lot of pentest companies out in the world, you just have to look for the right ones. The CEH certification is controlled by the EC-Council; they may be a great place to start looking for a CEH needing work and/or reputable companies whose employees are all certified. These guys are the best of the best and are usually extremely fast. Most of the time though, you will not find one that will freelance. The insurance for such a job is too expensive more often than not for one person to buy, so big companies are usually what you will find. I hope this helps.

Tell

P.S. Anyone you employ, you should be able to validate their certification (if any) through the EC-Council.