Where I work is looking to do some penetration testing. It is a relatively small company and this is the first time it has done any such test.
I was hoping that the community could give some advice on the do's, do not's and the bare in minds we should know when picking a person or company to test our servers.
I will also be researching the web but I know there are a lot of smart people on these forums, so any advice would be greatly appreciated.
If your company is looking for someone to do penetration testing, your best bet is to get someone with CEH (Certified Ethical Hacker) qualifications as that person has received training in hacking techniques, that person has been vetted (to unknown extent) by the EC Council) and a CEH has been tested for knowledge including (most importantly) that he/she needs to be protected with an ironclad which allows your system to be attacked/penetrated. Failure of any of these points will mean that you are putting your company's IT resources (not to mention it's reputation) at risk.
As a CEH, I must say that I was rather shocked that the hacker tools (like BackTrack - that link should scare you!) are widely available and continually upgraded. Therefore, it is incumbent upon you to get references from your CEH and then talk to the CEH's prior clients.
Do NOT merely get someone's kid to attack your system as the damage caused could be irreparable. Do it professionally ... and expect to pay for it. Just remember, you get what you pay for so give yourself credit for (1) knowing the value of a pen test and (2) asking for advice.
Thanks, that sounds like great advice :)
Originally Posted by dklynn
Hello Eaguy ,
Originally Posted by EAguy
If your company is looking for a Penetration Testing then look for a person who is having a certification of LPT(Licensed Penetration Tester) . This guys can help you to find maximum bugs from your system.
As others suggested, it would be best to hire a prefessional for this. However, if you want to do it on your own, I'd suggest you give Nessus a shot. There is a free version available which is sufficient to get a basic idea of your (web) security.
Thanks everyone, great feedback.