  1. #1
    SitePoint Member
    Join Date
    Sep 2013
    Posts
    8

    Question Penetration Testing

    Hello,

    Where I work is looking to do some penetration testing. It is a relatively small company and this is the first time it has done any such test.

    I was hoping that the community could give some advice on the do's, do not's and the bear in minds we should know when picking a person or company to test our servers.

    I will also be researching the web but I know there are a lot of smart people on these forums, so any advice would be greatly appreciated.

    Many Thanks
    EAguy

  2. #2
    Certified Ethical Hacker dklynn
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,644
    EAguy,

    If your company is looking for someone to do penetration testing, your best bet is to get someone with CEH (Certified Ethical Hacker) qualifications as that person has received training in hacking techniques, that person has been vetted (to unknown extent) by the EC Council and a CEH has been tested for knowledge including (most importantly) that he/she needs to be protected with an ironclad which allows your system to be attacked/penetrated. Failure of any of these points will mean that you are putting your company's IT resources (not to mention its reputation) at risk.

    As a CEH, I must say that I was rather shocked that the hacker tools (like BackTrack - that link should scare you!) are widely available and continually upgraded. Therefore, it is incumbent upon you to get references from your CEH and then talk to the CEH's prior clients.

    Do NOT merely get someone's kid to attack your system as the damage caused could be irreparable. Do it professionally ... and expect to pay for it. Just remember, you get what you pay for so give yourself credit for (1) knowing the value of a pen test and (2) asking for advice.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  3. #3
    SitePoint Member
    Join Date
    Sep 2013
    Posts
    8
    Quote: Originally Posted by dklynn
    EAguy,

    If your company is looking for someone to do penetration testing, your best bet is to get someone with CEH (Certified Ethical Hacker) qualifications as that person has received training in hacking techniques, that person has been vetted (to unknown extent) by the EC Council and a CEH has been tested for knowledge including (most importantly) that he/she needs to be protected with an ironclad which allows your system to be attacked/penetrated. Failure of any of these points will mean that you are putting your company's IT resources (not to mention its reputation) at risk.

    As a CEH, I must say that I was rather shocked that the hacker tools (like BackTrack - that link should scare you!) are widely available and continually upgraded. Therefore, it is incumbent upon you to get references from your CEH and then talk to the CEH's prior clients.

    Do NOT merely get someone's kid to attack your system as the damage caused could be irreparable. Do it professionally ... and expect to pay for it. Just remember, you get what you pay for so give yourself credit for (1) knowing the value of a pen test and (2) asking for advice.

    Regards,

    DK
    Thanks, that sounds like great advice

  4. #4
    SitePoint Member hostripples
    Join Date
    Sep 2013
    Posts
    16
    Quote: Originally Posted by EAguy
    Hello,

    Where I work is looking to do some penetration testing. It is a relatively small company and this is the first time it has done any such test.

    I was hoping that the community could give some advice on the do's, do not's and the bear in minds we should know when picking a person or company to test our servers.

    I will also be researching the web but I know there are a lot of smart people on these forums, so any advice would be greatly appreciated.

    Many Thanks
    EAguy
    Hello EAguy,

    If your company is looking for penetration testing, then look for a person who has an LPT (Licensed Penetration Tester) certification. These guys can help you find the maximum number of bugs in your system.

  5. #5
    SitePoint Member
    Join Date
    Jul 2013
    Posts
    7
    As others suggested, it would be best to hire a professional for this. However, if you want to do it on your own, I'd suggest you give Nessus a shot. There is a free version available which is sufficient to get a basic idea of your (web) security.

  6. #6
    SitePoint Member
    Join Date
    Sep 2013
    Posts
    8
    Thanks everyone, great feedback.

