I am the current network administrator of a company. All of a sudden they called me into the conference room, where our 3 main executives were sitting with another person whom I didn't know and who had the appearance of a vendor. One of the executives said to me that the vendor would need some information from me. The "vendor" started his list: a network diagram specifying all details for all interfaces, a list of external IPs, a list of all PORTS open in our firewall, our internal IP address scheme, and the number of hosts, servers and clients. I said OK for the moment and went back to my office.
When one of our executives got out of the meeting, I called him to my office and told him that I was concerned about disclosing all this information. I explained that if we gave up all this information, these guys could really mess US UP. The executive told me (of course, with ignorance in his eyes) that the only thing they would need is a high-level diagram of what we have in order to analyze some things, and that they even proposed to try to hack into our systems JUST to see what vulnerabilities they can find in our environment.
I do not know too much about security testing procedures but I know something here is very wrong. Because of this I am gathering all the tools to argue and object against this.
So my question is, do companies need certain certifications to perform this kind of testing?
How can I guarantee the integrity of my data after this test is performed, if it ever happens?
What are the consequences of a pen test by someone who is not certified to do so?
Can I report this practice to a national organization that will protect me from becoming a victim?
How can I know if I can trust these people?
Why ask me for external IPs and ports if they can look them up themselves? That will defeat the purpose of making a real penetration test.
Please let me know if I am wrong too.