The consequences of Pen Testing

Posted on 2014-04-02
Last Modified: 2014-04-28
Hello all,

I am the current network administrator of a company. All of a sudden they call me into the conference room where our 3 main executives where sitting with another person which I dont know and had the appearance of a vendor. One of the executive said to me that the vendor would need some information from me. The "vendor" starts his list: Network Diagram specifying all details for all interfaces, a list of External IPs, a list of all PORTS open in our firewall, our internal IP address scheme, number of hosts, servers and clients, I said Ok for the moment and went back to my office.
When one of our executive got out of the meeting I called him to my office and told him the concerned that I was about disclosing all this information. I explained that if we gave up all this information, these guys could really mess US UP. The executive told me (of course, with ignorance in his eyes), that the only thing that they would need is a high level diagram of what we have in order to analyze some things and that they even proposed to try to hack into our systems JUST to see what vulnerabilities they can find in our environment.

I do not know too much about security testing procedures but I know something here is very wrong. Because of this I am gathering all the tools to argue and object against this.

So my quetion is, do companies need certain certifications to perform this kind of testing?
How can I guarantee the integrity of my data after this test is performed, if ever happens?
What are the consequences of a pen test of someone that is not certified to do so?
Can I report this practice to a national organization that will protect me from becoming a victim?
How can I know if I can trust in this people?

Why asking me for External IPs and ports if they can look it up theirselves, that will defeat the purpose of making a real penetration test.

Please let me know if I am wrong too.
Question by:LuiLui77
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 35

Accepted Solution

Dan Craciun earned 125 total points
ID: 39974054
They could be a legitimate security company or a hoax.

You would need to look for more information.

Security audits (that include pen tests or not) are done after some serious paper signing, including NDA's.

The list they requested is required if they are the real thing. They need to compare their findings with what you think you know about your network,


Assisted Solution

mlsbraves earned 125 total points
ID: 39974096
Agree with Dan Craciun. First you need to make sure this is a legitimate security company. A background check on the company and making sure the people you are working with are confirmed to work with said company.

Before supplying any private information there needs to be a SOW (statement of work), NDA's (Non Disclosure Agreements), and finally contracts signed. Any reputable security company will require a deposit up front (Check not Cash) before any work will begin.  

Everything that was asked for would be needed to do a complete security audit.

Author Comment

ID: 39974100
Hi Dan Thanks!

what do you mean by NDAs? Also they said to the executive that they would need to do this assestment first to provide an estimate of what it needs to be done, does this sounds right?
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39974101
Thanks mlsbraves for your comment

Expert Comment

ID: 39974105
Hi Dan Thanks!

what do you mean by NDAs? Also they said to the executive that they would need to do this assestment first to provide an estimate of what it needs to be done, does this sounds right?

See my post above about NDA (Non Disclosure Agreements). I would never hand out any information until a background check has been done and all paperwork was signed. I would first ask for a W9 and have your company do a background check on the company. A rough estimate can be given (as long as they know what type of audit they are doing and how many host will be audited) without handing out sensitive information.
LVL 55

Assisted Solution

McKnife earned 125 total points
ID: 39974389

A pentest cannot be done safely without cooperation between in-house technicians and pentester. You should make your bosses aware of that, some tests might cause unwanted behavior, so you have to be involved before it starts to find the correct time and methods in order to prevent workflow interruptions.

Also, as you were not involved so far, I would ask myself "why?". Please note that this is pure speculation, but my first thought was "they want you fired". I thought, they were trying to discover misconfigurations so they can put some pressure on you. Again: speculation.

Author Comment

ID: 39974886
Hi McKnife, thank you for your honesty. I think is pure ignorance, they just go with whomever says anything and their ego is to much for them to ask for help.

This type of situations have happened in the past where they don't consult us, the IT dept, when making decisions.

I guess this is why I am the only IT technician left.

Author Comment

ID: 39974917
About SOW and NDA's, the vendor should be able to provide these if they are real security company right?
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 39975290
Usually, the SOW for pentesting is the "terms of engagement" - what they will attack and how, who can't (or can't) be told, what information should be supplied (instead of them having to gather it externally, which is time consuming in terms of billable hours) and so forth.  For supplied information, it is worth asking if that data *could* be obtained from the outside without help.  Similarly, it is reasonable for you to not react to any IDS messages and turn off any IDP response - that sounds unreasonable, but usually those things are rate limited, so what you are really doing is letting them run one test per second instead of three per hour (with the corresponding time savings) - again, the question to ask yourself is if, should they trickle out their attack over days or weeks, you would have a reasonable chance to catch them with the rules in place? if not, then there is nothing to lose from relaxing the rules (but you should look at if there were better rules you could run to capture that scenario)

It is usually also reasonable, like with any other bespoke service, to ask for references - prior customers who have had this service performed for them, and are willing to discuss their experiences. You should be wary if the contract for the services precludes you discussing it or posting reviews online, or if they refuse to provide any prior customers due to "confidentiality".

There are a wealth of certifications out there for pentesting. Another question you could reasonably ask is what qualifications and experience the attacking team have, if they have any published discovered vulnerabilities in CVE, and so forth.  the certs from (for example) offensive security are well regarded in terms of practical hands-on skills.

Author Closing Comment

ID: 40028082
Thanks All

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Liquid Web and Plesk discuss how to simplify server management with a single tool  in their webinar.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question