  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 500

Hacker Intrusion Simulation

I have been asked to conduct a security audit of a company's website in an effort to identify the risks of data being compromised (DoS is not a major concern). I would like to subcontract an organization that will (with my client's permission) see how far they can get with hacking into their network via the host that controls the website. After their simulation, when they have got as far as they can go, they would provide me with a report of steps to take to eliminate or reduce the risk of data being compromised.

Please recommend any US-based company (besides IBM) that will do this analysis for me.

Thank you
Asked by: jlavery

3 Solutions
 
rsivanandanCommented:
NEC Unified Solutions (www.necunified.com)

www.counterpane.com

Cheers,
Rajesh
 
jakosysadminCommented:
my former employer KPMG (http://www.kpmg.com) also has capable and very experienced pentesters employed and I would heartily recommend them.
 
jlaveryAuthor Commented:
Do you have a point of contact?
 
decoleurCommented:
You could also use software to run external security audits. Nessus is outstanding for this, and www.alertra.com can run complete vulnerability scans with reports on a daily, weekly, or monthly basis at extremely reasonable rates.

There is such a large range in the services you can contract and a large range in prices for services rendered. I had some organizations quote me 40K to audit a class C address space and others quote me 5K for similar work.

Hope this helps-

-t
 
jakosysadminCommented:
jlavery, no, I don't. I forwarded this forum link to a capable branch office employee who I thought would know the right people. Yet, the organization is big. It is mindbogglingly big.

I guess you'll be better served contacting them yourself (http://www.kpmg.com/About/Where/). You might want to get your call forwarded from the front desk to IT auditors as soon as possible, though. Be sure to mention "penetration testing".
 
jlaveryAuthor Commented:
I have a product that will do a security scan and give me lists of holes in the physical layer and/or OS. What I'm looking for is an organization that actually hacks into a target website to see how far someone from the outside could get and what data can be compromised from the backend, then provides recommendations on what can be done to resolve the problems that exist.

For lack of a better term, I'm looking for an ethical hacker for hire.
 
decoleurCommented:
It seems simple enough...

Questions that you will probably need to ask to help refine your search involve what the scope of the engagement is and what the budget would be.

For example, do you have one public IP address that you want someone to perform a zero-knowledge pen test upon, or do you want to have someone inside your network perform said operations with full exposure to all the tiers of your web application? Keep in mind that some project that over 80% of the damaging IT activities originate inside the affected network. Also, are you looking at ethical hacking from the UI or a full-on code review?

One thing I would definitely do would be to look at how whoever you hire is insured; for example, E&O coverage of a substantial amount would be a requirement.

Hope this helps,

-t
 
jlaveryAuthor Commented:
A penetration test of a website is what I'm looking for.

Money is always a concern, so once a company is identified to perform the activity I can go back and get the amount approved. This is something my client has come to me with, probably more of a CYA than anything else, but that is a good indication that he is interested in moving forward with an analysis such as this.

Understood that most hacks happen from the inside, and the very statistic you mentioned is one that we have brought up. It's just not where they are focusing their efforts right now. They are more concerned about data being compromised from the outside. I know it's wrong, but the money is always right.
 
snypCommented:
Try www.rentacoder.com

You can sign up as a 'buyer', which means you are looking to employ someone. Then you create an advertisement for what you want to be done. Penetration testing is a daily request of buyers on the site.

Once you've made your advertisement, 'sellers' (or potential contractors) will 'bid' for the work; basically how much they want to be paid for the work you've described.

The best thing about it is the 'bidding' system and what you can check out: how much someone wants for the work, what kind of history they have, recommendations and points from other work done on the site, online resume, etc.

I'm signed up myself as a seller and I've done work for around 30 people over the last year, but I've no experience of buying work, I'm afraid. I can tell you, though, that working is quick and easy. I've never had any problems whatsoever.
 
jakosysadminCommented:
Pentesting ought not to be quick and easy. It should be meticulous and systematic, well documented with an audit trail that can be retraced and exploits reliably reproduced. At the same time the systems mustn't fail or suffer a DoS when the client has not agreed to that.
While trying hard not to sound arrogant, I must still emphasize that it is not the job for just any one-man-1337-h4x0r-team hired for the lowest amount bid. While the hacker-for-hire might get your perimeter penetrated, the documentation on the job is often below acceptable levels. My first choice would therefore be any of the big five auditing companies, not just KPMG. (I guess I've given them enough time to grab this opportunity to do business with you. :)
 
snypCommented:
The point of rentacoder.com is that a requirement of the contract you enter into with your employer is documentation; also, if the employer isn't happy with the work, an adjudication by the rentacoder.com legal team takes place.
No funds are released from rentacoder to the contractor until all agree that the work has been carried out to the job specification.
 
tellkeeperCommented:
I would suggest that whoever you employ for this project be a CEH (Certified Ethical Hacker). If they can show proof of this certification, or if they are recommended by someone as being a CEH, then you will have a better chance of getting a professional pentest done. There are a lot of pentest companies out in the world; you just have to look for the right ones. The CEH certification is controlled by the EC-Council, and they may be a great place to start looking for a CEH needing work and/or reputable companies whose employees are all certified. These guys are the best of the best and are usually extremely fast. Most of the time, though, you will not find one that will freelance. The insurance for such a job is too expensive more often than not for one person to buy, so big companies are usually what you will find. I hope this helps.

Tell

P.S. For anyone you employ, you should be able to validate their certification (if any) through the EC-Council.
