The consequences of Pen Testing

Hello all,

I am the current network administrator of a company. All of a sudden they call me into the conference room where our 3 main executives where sitting with another person which I dont know and had the appearance of a vendor. One of the executive said to me that the vendor would need some information from me. The "vendor" starts his list: Network Diagram specifying all details for all interfaces, a list of External IPs, a list of all PORTS open in our firewall, our internal IP address scheme, number of hosts, servers and clients, I said Ok for the moment and went back to my office.
When one of our executive got out of the meeting I called him to my office and told him the concerned that I was about disclosing all this information. I explained that if we gave up all this information, these guys could really mess US UP. The executive told me (of course, with ignorance in his eyes), that the only thing that they would need is a high level diagram of what we have in order to analyze some things and that they even proposed to try to hack into our systems JUST to see what vulnerabilities they can find in our environment.

I do not know too much about security testing procedures but I know something here is very wrong. Because of this I am gathering all the tools to argue and object against this.

So my quetion is, do companies need certain certifications to perform this kind of testing?
How can I guarantee the integrity of my data after this test is performed, if ever happens?
What are the consequences of a pen test of someone that is not certified to do so?
Can I report this practice to a national organization that will protect me from becoming a victim?
How can I know if I can trust in this people?

Why asking me for External IPs and ports if they can look it up theirselves, that will defeat the purpose of making a real penetration test.

Please let me know if I am wrong too.
Who is Participating?
Dan CraciunConnect With a Mentor IT ConsultantCommented:
They could be a legitimate security company or a hoax.

You would need to look for more information.

Security audits (that include pen tests or not) are done after some serious paper signing, including NDA's.

The list they requested is required if they are the real thing. They need to compare their findings with what you think you know about your network,

mlsbravesConnect With a Mentor Commented:
Agree with Dan Craciun. First you need to make sure this is a legitimate security company. A background check on the company and making sure the people you are working with are confirmed to work with said company.

Before supplying any private information there needs to be a SOW (statement of work), NDA's (Non Disclosure Agreements), and finally contracts signed. Any reputable security company will require a deposit up front (Check not Cash) before any work will begin.  

Everything that was asked for would be needed to do a complete security audit.
LuiLui77Author Commented:
Hi Dan Thanks!

what do you mean by NDAs? Also they said to the executive that they would need to do this assestment first to provide an estimate of what it needs to be done, does this sounds right?
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

LuiLui77Author Commented:
Thanks mlsbraves for your comment
Hi Dan Thanks!

what do you mean by NDAs? Also they said to the executive that they would need to do this assestment first to provide an estimate of what it needs to be done, does this sounds right?

See my post above about NDA (Non Disclosure Agreements). I would never hand out any information until a background check has been done and all paperwork was signed. I would first ask for a W9 and have your company do a background check on the company. A rough estimate can be given (as long as they know what type of audit they are doing and how many host will be audited) without handing out sensitive information.
McKnifeConnect With a Mentor Commented:

A pentest cannot be done safely without cooperation between in-house technicians and pentester. You should make your bosses aware of that, some tests might cause unwanted behavior, so you have to be involved before it starts to find the correct time and methods in order to prevent workflow interruptions.

Also, as you were not involved so far, I would ask myself "why?". Please note that this is pure speculation, but my first thought was "they want you fired". I thought, they were trying to discover misconfigurations so they can put some pressure on you. Again: speculation.
LuiLui77Author Commented:
Hi McKnife, thank you for your honesty. I think is pure ignorance, they just go with whomever says anything and their ego is to much for them to ask for help.

This type of situations have happened in the past where they don't consult us, the IT dept, when making decisions.

I guess this is why I am the only IT technician left.
LuiLui77Author Commented:
About SOW and NDA's, the vendor should be able to provide these if they are real security company right?
Dave HoweConnect With a Mentor Software and Hardware EngineerCommented:
Usually, the SOW for pentesting is the "terms of engagement" - what they will attack and how, who can't (or can't) be told, what information should be supplied (instead of them having to gather it externally, which is time consuming in terms of billable hours) and so forth.  For supplied information, it is worth asking if that data *could* be obtained from the outside without help.  Similarly, it is reasonable for you to not react to any IDS messages and turn off any IDP response - that sounds unreasonable, but usually those things are rate limited, so what you are really doing is letting them run one test per second instead of three per hour (with the corresponding time savings) - again, the question to ask yourself is if, should they trickle out their attack over days or weeks, you would have a reasonable chance to catch them with the rules in place? if not, then there is nothing to lose from relaxing the rules (but you should look at if there were better rules you could run to capture that scenario)

It is usually also reasonable, like with any other bespoke service, to ask for references - prior customers who have had this service performed for them, and are willing to discuss their experiences. You should be wary if the contract for the services precludes you discussing it or posting reviews online, or if they refuse to provide any prior customers due to "confidentiality".

There are a wealth of certifications out there for pentesting. Another question you could reasonably ask is what qualifications and experience the attacking team have, if they have any published discovered vulnerabilities in CVE, and so forth.  the certs from (for example) offensive security are well regarded in terms of practical hands-on skills.
LuiLui77Author Commented:
Thanks All
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.