The consequences of Pen Testing

Posted on 2014-04-02
Last Modified: 2014-04-28
Hello all,

I am the current network administrator of a company. All of a sudden they called me into the conference room where our 3 main executives were sitting with another person whom I don't know and who had the appearance of a vendor. One of the executives said to me that the vendor would need some information from me. The "vendor" starts his list: Network Diagram specifying all details for all interfaces, a list of External IPs, a list of all PORTS open in our firewall, our internal IP address scheme, number of hosts, servers and clients. I said OK for the moment and went back to my office.
When one of our executives got out of the meeting I called him to my office and told him the concern that I had about disclosing all this information. I explained that if we gave up all this information, these guys could really mess US UP. The executive told me (of course, with ignorance in his eyes) that the only thing they would need is a high level diagram of what we have in order to analyze some things, and that they even proposed to try to hack into our systems JUST to see what vulnerabilities they can find in our environment.

I do not know too much about security testing procedures but I know something here is very wrong. Because of this I am gathering all the tools to argue and object against this.

So my question is, do companies need certain certifications to perform this kind of testing?
How can I guarantee the integrity of my data after this test is performed, if it ever happens?
What are the consequences of a pen test by someone who is not certified to do so?
Can I report this practice to a national organization that will protect me from becoming a victim?
How can I know if I can trust these people?

Why ask me for External IPs and ports if they can look them up themselves? That would defeat the purpose of making a real penetration test.

Please let me know if I am wrong too.
Question by: LuiLui77

Accepted Solution

Dan Craciun earned 500 total points
ID: 39974054
They could be a legitimate security company or a hoax.

You would need to look for more information.

Security audits (that include pen tests or not) are done after some serious paper signing, including NDA's.

The list they requested is required if they are the real thing. They need to compare their findings with what you think you know about your network.


Assisted Solution

mlsbraves earned 500 total points
ID: 39974096
Agree with Dan Craciun. First you need to make sure this is a legitimate security company: do a background check on the company and make sure the people you are working with are confirmed to work for said company.

Before supplying any private information there needs to be a SOW (statement of work), NDA's (Non Disclosure Agreements), and finally contracts signed. Any reputable security company will require a deposit up front (Check not Cash) before any work will begin.  

Everything that was asked for would be needed to do a complete security audit.

Author Comment

ID: 39974100
Hi Dan Thanks!

What do you mean by NDAs? Also they said to the executive that they would need to do this assessment first to provide an estimate of what needs to be done; does this sound right?
Author Comment

ID: 39974101
Thanks mlsbraves for your comment

Expert Comment

ID: 39974105
Hi Dan Thanks!

What do you mean by NDAs? Also they said to the executive that they would need to do this assessment first to provide an estimate of what needs to be done; does this sound right?

See my post above about NDA (Non Disclosure Agreements). I would never hand out any information until a background check has been done and all paperwork was signed. I would first ask for a W9 and have your company do a background check on the company. A rough estimate can be given (as long as they know what type of audit they are doing and how many hosts will be audited) without handing out sensitive information.

Assisted Solution

McKnife earned 500 total points
ID: 39974389

A pentest cannot be done safely without cooperation between in-house technicians and the pentester. You should make your bosses aware of that: some tests might cause unwanted behavior, so you have to be involved before it starts to find the correct time and methods in order to prevent workflow interruptions.

Also, as you were not involved so far, I would ask myself "why?". Please note that this is pure speculation, but my first thought was "they want you fired". I thought, they were trying to discover misconfigurations so they can put some pressure on you. Again: speculation.

Author Comment

ID: 39974886
Hi McKnife, thank you for your honesty. I think it is pure ignorance; they just go with whomever says anything and their ego is too much for them to ask for help.

This type of situation has happened in the past, where they don't consult us, the IT dept, when making decisions.

I guess this is why I am the only IT technician left.

Author Comment

ID: 39974917
About SOW and NDAs, the vendor should be able to provide these if they are a real security company, right?

Assisted Solution

Dave Howe earned 500 total points
ID: 39975290
Usually, the SOW for pentesting is the "terms of engagement": what they will attack and how, who can (or can't) be told, what information should be supplied (instead of them having to gather it externally, which is time consuming in terms of billable hours) and so forth. For supplied information, it is worth asking if that data *could* be obtained from the outside without help. Similarly, it is reasonable for you to not react to any IDS messages and turn off any IDP response. That sounds unreasonable, but usually those things are rate limited, so what you are really doing is letting them run one test per second instead of three per hour (with the corresponding time savings). Again, the question to ask yourself is: if they should trickle out their attack over days or weeks, would you have a reasonable chance to catch them with the rules in place? If not, then there is nothing to lose from relaxing the rules (but you should look at whether there were better rules you could run to capture that scenario).

It is usually also reasonable, like with any other bespoke service, to ask for references - prior customers who have had this service performed for them, and are willing to discuss their experiences. You should be wary if the contract for the services precludes you discussing it or posting reviews online, or if they refuse to provide any prior customers due to "confidentiality".

There are a wealth of certifications out there for pentesting. Another question you could reasonably ask is what qualifications and experience the attacking team have, if they have any published discovered vulnerabilities in CVE, and so forth. The certs from (for example) Offensive Security are well regarded in terms of practical hands-on skills.
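Dave Howe's point about rate-limited detection rules is easy to see on paper. The following added example (not code from the original thread or from any product it mentions) runs two port-scan rules over constructed firewall log entries: a burst scanner that probes 50 ports in ten seconds and a slow scanner that probes the same 50 ports one every 30 minutes. A short-window rule of the kind most IDS deployments use catches only the burst; a rule that keeps per-source state over a long window catches both. All IP addresses, timestamps and thresholds are constructed for illustration.

```python
"""Compare a short-window port-scan rule with a long-window one on constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta


def make_events(src, start, n_ports, gap):
    """Constructed log entries: one probe from `src` every `gap`, one new port per probe.
    Each entry is (timestamp, source_ip, destination_port)."""
    return [(start + i * gap, src, 1000 + i) for i in range(n_ports)]


START = datetime(2014, 4, 2, 9, 0, 0)  # arbitrary constructed start time
EVENTS = sorted(
    make_events("203.0.113.10", START, 50, timedelta(seconds=0.2))    # burst scan (constructed)
    + make_events("203.0.113.20", START, 50, timedelta(minutes=30)),  # trickle scan (constructed)
    key=lambda e: e[0],
)


def scan_sources(events, threshold, window):
    """Return the set of sources that touched at least `threshold` distinct
    destination ports within any sliding `window`. Events must be time-ordered.
    State per source is a dict of port -> last time it was probed, so ports whose
    last probe fell out of the window stop counting."""
    flagged = set()
    recent = defaultdict(dict)  # src -> {port: last_seen}
    for ts, src, port in events:
        seen = recent[src]
        seen[port] = ts
        expired = [p for p, t in seen.items() if ts - t > window]
        for p in expired:
            del seen[p]
        if len(seen) >= threshold:
            flagged.add(src)
    return flagged


def burst_rule(events=EVENTS):
    """Typical short-window rule: 20 distinct ports from one source within 60 seconds."""
    return scan_sources(events, threshold=20, window=timedelta(seconds=60))


def long_window_rule(events=EVENTS):
    """Same threshold, but state is kept per source for seven days, so a scan
    trickled out at one probe per half hour still accumulates to the threshold."""
    return scan_sources(events, threshold=20, window=timedelta(days=7))


if __name__ == "__main__":
    print("burst rule flags:      ", sorted(burst_rule()))
    print("long-window rule flags:", sorted(long_window_rule()))
```

The long-window rule is the kind of "better rule" the answer suggests looking for before deciding that relaxing the IDS for a tester costs nothing; in production the per-source state would live in a SIEM or a flow store rather than a Python dict, but the trade-off is the same.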

Author Closing Comment

ID: 40028082
Thanks All
