Solved

The consequences of Pen Testing

Posted on 2014-04-02
10
299 Views
Last Modified: 2014-04-28
Hello all,

I am the current network administrator of a company. All of a sudden they call me into the conference room where our 3 main executives where sitting with another person which I dont know and had the appearance of a vendor. One of the executive said to me that the vendor would need some information from me. The "vendor" starts his list: Network Diagram specifying all details for all interfaces, a list of External IPs, a list of all PORTS open in our firewall, our internal IP address scheme, number of hosts, servers and clients, I said Ok for the moment and went back to my office.
When one of our executive got out of the meeting I called him to my office and told him the concerned that I was about disclosing all this information. I explained that if we gave up all this information, these guys could really mess US UP. The executive told me (of course, with ignorance in his eyes), that the only thing that they would need is a high level diagram of what we have in order to analyze some things and that they even proposed to try to hack into our systems JUST to see what vulnerabilities they can find in our environment.

I do not know too much about security testing procedures but I know something here is very wrong. Because of this I am gathering all the tools to argue and object against this.

So my quetion is, do companies need certain certifications to perform this kind of testing?
How can I guarantee the integrity of my data after this test is performed, if ever happens?
What are the consequences of a pen test of someone that is not certified to do so?
Can I report this practice to a national organization that will protect me from becoming a victim?
How can I know if I can trust in this people?

Why asking me for External IPs and ports if they can look it up theirselves, that will defeat the purpose of making a real penetration test.

Please let me know if I am wrong too.
0
Comment
Question by:LuiLui77
10 Comments
 
LVL 34

Accepted Solution

by:
Dan Craciun earned 125 total points
ID: 39974054
They could be a legitimate security company or a hoax.

You would need to look for more information.

Security audits (that include pen tests or not) are done after some serious paper signing, including NDA's.

The list they requested is required if they are the real thing. They need to compare their findings with what you think you know about your network,

HTH,
Dan
0
 
LVL 3

Assisted Solution

by:mlsbraves
mlsbraves earned 125 total points
ID: 39974096
Agree with Dan Craciun. First you need to make sure this is a legitimate security company. A background check on the company and making sure the people you are working with are confirmed to work with said company.

Before supplying any private information there needs to be a SOW (statement of work), NDA's (Non Disclosure Agreements), and finally contracts signed. Any reputable security company will require a deposit up front (Check not Cash) before any work will begin.  

Everything that was asked for would be needed to do a complete security audit.
0
 

Author Comment

by:LuiLui77
ID: 39974100
Hi Dan Thanks!

what do you mean by NDAs? Also they said to the executive that they would need to do this assestment first to provide an estimate of what it needs to be done, does this sounds right?
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:LuiLui77
ID: 39974101
Thanks mlsbraves for your comment
0
 
LVL 3

Expert Comment

by:mlsbraves
ID: 39974105
Hi Dan Thanks!

what do you mean by NDAs? Also they said to the executive that they would need to do this assestment first to provide an estimate of what it needs to be done, does this sounds right?

See my post above about NDA (Non Disclosure Agreements). I would never hand out any information until a background check has been done and all paperwork was signed. I would first ask for a W9 and have your company do a background check on the company. A rough estimate can be given (as long as they know what type of audit they are doing and how many host will be audited) without handing out sensitive information.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 39974389
Hi.

A pentest cannot be done safely without cooperation between in-house technicians and pentester. You should make your bosses aware of that, some tests might cause unwanted behavior, so you have to be involved before it starts to find the correct time and methods in order to prevent workflow interruptions.

Also, as you were not involved so far, I would ask myself "why?". Please note that this is pure speculation, but my first thought was "they want you fired". I thought, they were trying to discover misconfigurations so they can put some pressure on you. Again: speculation.
0
 

Author Comment

by:LuiLui77
ID: 39974886
Hi McKnife, thank you for your honesty. I think is pure ignorance, they just go with whomever says anything and their ego is to much for them to ask for help.

This type of situations have happened in the past where they don't consult us, the IT dept, when making decisions.

I guess this is why I am the only IT technician left.
0
 

Author Comment

by:LuiLui77
ID: 39974917
About SOW and NDA's, the vendor should be able to provide these if they are real security company right?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 39975290
Usually, the SOW for pentesting is the "terms of engagement" - what they will attack and how, who can't (or can't) be told, what information should be supplied (instead of them having to gather it externally, which is time consuming in terms of billable hours) and so forth.  For supplied information, it is worth asking if that data *could* be obtained from the outside without help.  Similarly, it is reasonable for you to not react to any IDS messages and turn off any IDP response - that sounds unreasonable, but usually those things are rate limited, so what you are really doing is letting them run one test per second instead of three per hour (with the corresponding time savings) - again, the question to ask yourself is if, should they trickle out their attack over days or weeks, you would have a reasonable chance to catch them with the rules in place? if not, then there is nothing to lose from relaxing the rules (but you should look at if there were better rules you could run to capture that scenario)

It is usually also reasonable, like with any other bespoke service, to ask for references - prior customers who have had this service performed for them, and are willing to discuss their experiences. You should be wary if the contract for the services precludes you discussing it or posting reviews online, or if they refuse to provide any prior customers due to "confidentiality".

There are a wealth of certifications out there for pentesting. Another question you could reasonably ask is what qualifications and experience the attacking team have, if they have any published discovered vulnerabilities in CVE, and so forth.  the certs from (for example) offensive security are well regarded in terms of practical hands-on skills.
0
 

Author Closing Comment

by:LuiLui77
ID: 40028082
Thanks All
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question