How to Choose a Pentesting Company

#1 Blake

  • Former Commander In Chief
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 03 June 2008 - 09:16 AM

Tag: Pentesting
This list was compiled from a bunch of comments from a previous news article. The list is primarily from the post by GroovyDude, I just added to it.

Choosing a pentesting firm can be an extremely difficult process, and making the correct decision can be a difficult job. Do you go with a small local firm? Or do you go with one of the larger firms like FoundStone or Ernst and Young? I have been on both sides of the fence so I am going to use some of the comments GroovyDude made and add to them.

1. Put together an RFP listing exactly what it is you want performed and send it to at least 3 reputable firms. Make sure that you describe exactly what you expect as deliverables. Do you want a nice high-level report that can be presented to the board of directors? Do you want the deliverables to contain fix actions or just a description of the problem? Make sure you mention whether you would like the security firm to be onsite to give a presentation to other members of management. You do not want to pay for a large number of line items at the end of the project.

2. Request references for clients in your industry and similar in size. Ask them if the deliverables were handed in on time. Ask them if they experienced any outages from the testing.

3. Request a sample report and go through it with a fine-tooth comb. There are many pen testers out there with sufficient knowledge to perform an assessment; however, not all of them are able to put their findings appropriately in writing. I would recommend requesting two reports:

a) An Executive Summary listing the findings sorted by criticality. The descriptions should focus on how the vulnerabilities would affect the business cycle and not just technical infrastructure. Also ask that the report include positive items from your security as well. If you have performed well there is no reason why the report should only include the negative. Too many times the auditors will only focus on the negative; by including positive aspects as well, it will show your management that you are indeed performing to expectations.

b) A Technical Report with the nitty-gritty information needed to remediate the issues. As the executive summary's audience will be management, make sure the wording used in the sample report is okay. I've seen reports with language such as "The firewall was wide open!". Stay away from these vendors. Let the vendor know that you will be highly involved during the reporting phase. If they have a problem with this, run.

4. Avoid using the same vendor consecutively. You want a different set of eyes looking at your network. Many times the results can vary widely between the firms that perform the audit. Also, when an outside regulator or auditor is looking at the reports, they will carry more weight when multiple organizations have tested your systems. This prevents the auditors from assuming you have established a relationship with the auditing firm and that, due to that, you may have received a more relaxed audit. This may not be the case at all, but it can be the impression.

5. Avoid using firms that will also provide managed infrastructure services. Many times they may provide you with a cheaper audit, but that is because they will make up the cost difference by charging you a consulting fee to remedy the issues. I also find it a conflict of interest, since it may affect their findings if they are looking for problems that they can then fix post-engagement.

6. Social engineering: make sure you pick a firm that has experience in this. There are many legal pitfalls that you can fall into. Though you may be performing an audit for the company, the employees still have many rights that must be observed.

Once again, much thanks to Groovy Dude

#2 GroovyDude

  • Master Sergeant
  • Group: Specialist
  • Posts: 597
  • Joined: 18-March 04

Posted 04 June 2008 - 09:12 AM

Good job with the article. I couldn't have said it better myself. ;)