Penetration Testing

EAguy · September 12, 2013, 8:42am

Hello,

Where I work is looking to do some penetration testing. It is a relatively small company and this is the first time it has done any such test.

I was hoping that the community could give some advice on the do’s, do not’s and the bare in minds we should know when picking a person or company to test our servers.

I will also be researching the web but I know there are a lot of smart people on these forums, so any advice would be greatly appreciated.

Many Thanks
EAguy

dklynn · September 15, 2013, 9:30am

EAguy,

If your company is looking for someone to do penetration testing, your best bet is to get someone with CEH (Certified Ethical Hacker) qualifications as that person has received training in hacking techniques, that person has been vetted (to unknown extent) by the EC Council) and a CEH has been tested for knowledge including (most importantly) that he/she needs to be protected with an ironclad which allows your system to be attacked/penetrated. Failure of any of these points will mean that you are putting your company’s IT resources (not to mention it’s reputation) at risk.

As a CEH, I must say that I was rather shocked that the hacker tools (like BackTrack - that link should scare you!) are widely available and continually upgraded. Therefore, it is incumbent upon you to get references from your CEH and then talk to the CEH’s prior clients.

Do NOT merely get someone’s kid to attack your system as the damage caused could be irreparable. Do it professionally … and expect to pay for it. Just remember, you get what you pay for so give yourself credit for (1) knowing the value of a pen test and (2) asking for advice.

Regards,

DK

EAguy · September 18, 2013, 8:07am

dklynn:

EAguy,

If your company is looking for someone to do penetration testing, your best bet is to get someone with CEH (Certified Ethical Hacker) qualifications as that person has received training in hacking techniques, that person has been vetted (to unknown extent) by the EC Council) and a CEH has been tested for knowledge including (most importantly) that he/she needs to be protected with an ironclad which allows your system to be attacked/penetrated. Failure of any of these points will mean that you are putting your company’s IT resources (not to mention it’s reputation) at risk.

As a CEH, I must say that I was rather shocked that the hacker tools (like BackTrack - that link should scare you!) are widely available and continually upgraded. Therefore, it is incumbent upon you to get references from your CEH and then talk to the CEH’s prior clients.

Do NOT merely get someone’s kid to attack your system as the damage caused could be irreparable. Do it professionally … and expect to pay for it. Just remember, you get what you pay for so give yourself credit for (1) knowing the value of a pen test and (2) asking for advice.

Regards,

DK

Thanks, that sounds like great advice

hostripples · September 28, 2013, 11:56am

Hello Eaguy ,

If your company is looking for a Penetration Testing then look for a person who is having a certification of LPT(Licensed Penetration Tester) . This guys can help you to find maximum bugs from your system.

infinitnet · October 1, 2013, 11:47am

As others suggested, it would be best to hire a prefessional for this. However, if you want to do it on your own, I’d suggest you give Nessus a shot. There is a free version available which is sufficient to get a basic idea of your (web) security.

EAguy · October 2, 2013, 10:11am

Thanks everyone, great feedback.

system · October 8, 2014, 4:56am