The consequences of Pen Testing

Posted on 2014-04-02
Medium Priority
Last Modified: 2014-04-28
Hello all,

I am the current network administrator of a company. All of a sudden they called me into the conference room, where our three main executives were sitting with another person whom I didn't know and who had the appearance of a vendor. One of the executives said to me that the vendor would need some information from me. The "vendor" started his list: a network diagram specifying all details for all interfaces, a list of external IPs, a list of all ports open in our firewall, our internal IP address scheme, and the number of hosts, servers and clients. I said OK for the moment and went back to my office.
When one of our executives came out of the meeting I called him to my office and told him about the concerns I had about disclosing all this information. I explained that if we gave up all this information, these guys could really mess US UP. The executive told me (of course, with ignorance in his eyes) that the only thing they would need is a high-level diagram of what we have in order to analyze some things, and that they had even proposed to try to hack into our systems JUST to see what vulnerabilities they could find in our environment.

I do not know too much about security testing procedures but I know something here is very wrong. Because of this I am gathering all the tools to argue and object against this.

So my question is, do companies need certain certifications to perform this kind of testing?
How can I guarantee the integrity of my data after this test is performed, if it ever happens?
What are the consequences of a pen test by someone who is not certified to do so?
Can I report this practice to a national organization that will protect me from becoming a victim?
How can I know if I can trust these people?

Why ask me for external IPs and ports if they can look them up themselves? That would defeat the purpose of a real penetration test.

Please let me know if I am wrong too.
Question by: LuiLui77

Accepted Solution

Dan Craciun earned 500 total points
ID: 39974054
They could be a legitimate security company or a hoax.

You would need to look for more information.

Security audits (whether they include pen tests or not) are done after some serious paper signing, including NDAs.

The list they requested is required if they are the real thing. They need to compare their findings with what you think you know about your network.


Assisted Solution

mlsbraves earned 500 total points
ID: 39974096
Agree with Dan Craciun. First you need to make sure this is a legitimate security company: do a background check on the company and make sure the people you are working with are confirmed to work for said company.

Before supplying any private information there needs to be a SOW (statement of work), NDAs (non-disclosure agreements), and finally contracts signed. Any reputable security company will require a deposit up front (check, not cash) before any work will begin.

Everything that was asked for would be needed to do a complete security audit.

Author Comment

ID: 39974100
Hi Dan Thanks!

What do you mean by NDAs? Also, they said to the executive that they would need to do this assessment first to provide an estimate of what needs to be done. Does this sound right?

Author Comment

ID: 39974101
Thanks mlsbraves for your comment

Expert Comment

ID: 39974105

See my post above about NDAs (non-disclosure agreements). I would never hand out any information until a background check has been done and all paperwork has been signed. I would first ask for a W9 and have your company do a background check on the company. A rough estimate can be given (as long as they know what type of audit they are doing and how many hosts will be audited) without handing out sensitive information.

Assisted Solution

McKnife earned 500 total points
ID: 39974389

A pentest cannot be done safely without cooperation between the in-house technicians and the pentester. You should make your bosses aware of that: some tests might cause unwanted behavior, so you have to be involved before it starts to find the correct time and methods in order to prevent workflow interruptions.

Also, as you were not involved so far, I would ask myself "why?". Please note that this is pure speculation, but my first thought was "they want you fired". I thought, they were trying to discover misconfigurations so they can put some pressure on you. Again: speculation.

Author Comment

ID: 39974886
Hi McKnife, thank you for your honesty. I think it is pure ignorance; they just go with whoever says anything, and their ego is too much for them to ask for help.

This type of situation has happened in the past, where they don't consult us, the IT dept, when making decisions.

I guess this is why I am the only IT technician left.

Author Comment

ID: 39974917
About the SOW and NDAs, the vendor should be able to provide these if they are a real security company, right?

Assisted Solution

Dave Howe earned 500 total points
ID: 39975290
Usually, the SOW for pentesting is the "terms of engagement": what they will attack and how, who can (or can't) be told, what information should be supplied (instead of them having to gather it externally, which is time-consuming in terms of billable hours), and so forth. For supplied information, it is worth asking if that data *could* be obtained from the outside without help.

Similarly, it is reasonable for you to not react to any IDS messages and to turn off any IDP response. That sounds unreasonable, but usually those things are rate limited, so what you are really doing is letting them run one test per second instead of three per hour (with the corresponding time savings). Again, the question to ask yourself is: if they should trickle out their attack over days or weeks, would you have a reasonable chance to catch them with the rules in place? If not, then there is nothing to lose from relaxing the rules (but you should look at whether there are better rules you could run to capture that scenario).

It is usually also reasonable, like with any other bespoke service, to ask for references - prior customers who have had this service performed for them, and are willing to discuss their experiences. You should be wary if the contract for the services precludes you discussing it or posting reviews online, or if they refuse to provide any prior customers due to "confidentiality".

There is a wealth of certifications out there for pentesting. Another question you could reasonably ask is what qualifications and experience the attacking team have, whether they have any published discovered vulnerabilities in CVE, and so forth. The certs from (for example) Offensive Security are well regarded in terms of practical hands-on skills.
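The point above about rate-limited rules and "trickled" attacks is easy to check for yourself. The following is an added example, not code from the original thread or from any of the posters: it replays constructed firewall-style deny events for two sources, one that scans 20 ports in two seconds and one that spreads the same 20 ports over several hours, and runs both through a short-window rule (which is how a rate-limited portscan signature behaves) and a long-window distinct-port rule. The addresses (RFC 5737 documentation ranges), timings, port list and thresholds are all assumptions chosen for illustration.

```python
"""Does a rate-limited scan rule catch a slow scan?

Added example (not from the original thread). Replays constructed
firewall-style deny events and runs two detection rules over them.
All addresses, timings, ports and thresholds are assumptions.
"""
from collections import defaultdict, deque

# --- constructed input: (timestamp_seconds, src_ip, dst_port) -------------
FAST_SCANNER = "198.51.100.7"   # assumed RFC 5737 documentation address
SLOW_SCANNER = "203.0.113.9"    # assumed RFC 5737 documentation address
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995,
         1433, 1723, 3306, 3389, 5900, 8080]  # 20 commonly probed ports


def build_events():
    """Constructed event stream: a fast scan and a slow scan of the same ports."""
    events = []
    # Fast scan: all 20 ports within two seconds (one every 100 ms).
    for i, port in enumerate(PORTS):
        events.append((1000.0 + i * 0.1, FAST_SCANNER, port))
    # Slow scan: the same 20 ports, one every 20 minutes (about 6.5 hours).
    for i, port in enumerate(PORTS):
        events.append((1000.0 + i * 1200.0, SLOW_SCANNER, port))
    events.sort()
    return events


class SlidingWindowRule:
    """Alert when one source hits >= threshold distinct ports within `window` seconds.

    With a window of a few seconds this behaves like a rate-limited
    portscan signature; with a window of a day it tracks slow scans.
    """

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)  # src -> deque of (ts, port)

    def feed(self, ts, src, port):
        q = self.hits[src]
        q.append((ts, port))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        return len(distinct_ports) >= self.threshold


def run_rules(events, rules):
    """Return {rule_name: set of sources that triggered that rule}."""
    triggered = {name: set() for name in rules}
    for ts, src, port in events:
        for name, rule in rules.items():
            if rule.feed(ts, src, port):
                triggered[name].add(src)
    return triggered


def detections():
    rules = {
        "fast_rule_10s": SlidingWindowRule(window=10, threshold=10),
        "slow_rule_24h": SlidingWindowRule(window=24 * 3600, threshold=10),
    }
    return run_rules(build_events(), rules)


if __name__ == "__main__":
    for name, srcs in detections().items():
        print(f"{name}: {sorted(srcs) or 'no alert'}")
```

The 10-second rule fires only on the fast scanner; the slow scanner never has more than one port inside that window, which is exactly the "trickle it out over days" case Dave describes. The 24-hour rule catches both. If your production rules look like the first one, muting them for the engagement costs you nothing you were not already missing; the second kind of rule is what to add afterwards.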

Author Closing Comment

ID: 40028082
Thanks All
