3rd party penetration testing

SJConsultant (2[H]4U; joined Jan 14, 2004; 3,599 messages)
One of our clients will be having such an audit performed; however, in my opinion, the amount and type of information requested by the pen testing company far exceeds what an attacker would normally have available. I'd think that any company who is performing a pen test would perform the necessary reconnaissance activities to discover the environment.

When a 3rd party company is going to perform a security audit or penetration test, how much information do they typically ask or require prior to performing such an audit? How much information is too much?
 
Honestly, tell them to find out on their own. If they really know what they are doing they should be able to work with the minimums and get all the information they need from there.
If you feel comfortable telling us, what kind of questions did they ask?
 
Honestly, tell them to find out on their own. If they really know what they are doing they should be able to work with the minimums and get all the information they need from there.
If you feel comfortable telling us, what kind of questions did they ask?

Basically they want the following:

Network diagram
All IP subnets and netmasks
IDS or IPS in use
Make and model of firewalls, switches, routers, etc
AV software and version
List of servers including roles (e.g. DC, print server, file server, etc) and major server applications.

I've already obtained permission from the CEO to only disclose that information which we feel is necessary and I'm certainly not about to do 99% of their reconnaissance work for them.;)
 
"The Art of Intrusion" by Kevin Mitnick.

Get it. Read it. Learn it. Love it. Apply it.

SJConsultant said:
the amount and type of of information requested by the pen testing company far exceeds that of what an attacker would normally have available.

After reading that book if you can - and I simply cannot recommend it enough - as well as the other book he's done, "The Art of Deception," which focuses more on social engineering efforts but does cover the purpose for such techniques which is to get the information someone else is willing to pay for, you'll never look at pentesting the same way again, I promise.

Scary what someone visiting a company's HQ can learn just from being on the property, it really is. :D
 
Interesting topic...are you going to setup a sandbox so you can 'check up' on them?
 
In the past I have had companies that have had penetration tests done on them and the penetrators were given no information at all. In my eyes it is their responsibility to do the network scans and what not. That is the whole idea for penetration testing to begin with.

If you wanted someone to break into your house to test your current security system, would you give them a key? It seems kind of pointless. Or would you give them the code to your alarm system? No, you wouldn't; therefore I wouldn't give the penetrators any information. Hence the term penetration testing. It is their job to find out, run the tests and then report the vulnerabilities.

Personally I have not read Kevin Mitnick's books yet but I have dealt with security audit firms in the past. The most information that we give them is the company name and address. But anything beyond that is up to the penetrators to get the information. How they get it I don't care; hence the purpose of the test.

Just my .02 cents worth....

Hope this helps.

-Axel
 
Interesting topic...are you going to setup a sandbox so you can 'check up' on them?

Probably not as we simply don't have the time or experience to setup a honeypot.

In the past I have had companies that have had penetration tests done on them and the penetrators were given no information at all. In my eyes it is their responsibility to do the network scans and what not. That is the whole idea for penetration testing to begin with.

Which are my thoughts as well. I was just hoping to get input from people like yourself who have dealt with such companies in the past.

Thanks for your input.:D
 
I would say they are trying to trick you and seeing if you'll give up the info, if you give it up you will fail the test. :D
 
...so after divulging said info, you then have to trust this 3rd party not to share your network info, or not to inadvertently get hacked into themselves and have said data "stolen"...

I'll have to go with "..don't give them any info" Bob for $200

Throw in a couple of Linux appliances between your router and network to throw them off. On the first appliance, if you have Smoothwall installed on it, there is a honeypot mod you could throw on it, along with the Guardian reactive firewall mod so it will automatically block IPs that Snort flags. The second appliance would just be there so you wouldn't have to change anything in your network configuration.


[F]old|[H]ard
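The reactive-blocking idea in the post above (Snort flags a source address, the firewall drops it) written out as an added Python example. This is not code from the thread, from Smoothwall or from the Guardian mod; it assumes Snort's alert_fast line format, and the alert lines, the 192.0.2.0/24 "own network" allowlist and the iptables chain name are constructed for the example.

```python
"""Reactive blocking from Snort alert_fast lines: parse the alerts, aggregate
per source address, decide who gets blocked, and emit the firewall rules as
strings (nothing is executed here)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in Snort alert_fast format (documentation
# addresses only, not captured traffic). 203.0.113.5 scans three ports,
# 198.51.100.7 trips one priority-1 rule, 192.0.2.1 is our own gateway.
SAMPLE_ALERTS = """\
01/14-10:22:31.123456  [**] [1:1000001:1] EXAMPLE portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.0.2.10:22
01/14-10:22:32.223456  [**] [1:1000001:1] EXAMPLE portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44322 -> 192.0.2.10:80
01/14-10:22:33.323456  [**] [1:1000001:1] EXAMPLE portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44323 -> 192.0.2.10:443
01/14-10:23:01.000000  [**] [1:1000002:1] EXAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51000 -> 192.0.2.10:80
01/14-10:24:10.000000  [**] [1:1000003:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
"""

# One alert_fast line: timestamp, [**] [gid:sid:rev] message [**],
# optional classification, priority, {proto} src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["prio"] = int(d["prio"])  # Snort priority: 1 is the most severe
        alerts.append(d)
    return alerts


def decide_blocks(alerts, min_alerts=3, block_on_priority=1,
                  never_block=("192.0.2.0/24",)):
    """Source IPs to block: repeat offenders (>= min_alerts hits) or any source
    with an alert at or above block_on_priority, excluding never_block networks
    (assumed allowlist for our own infrastructure)."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    per_src = defaultdict(list)
    for a in alerts:
        per_src[a["src"]].append(a["prio"])
    blocked = []
    for src, prios in per_src.items():
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in protected):
            continue
        if len(prios) >= min_alerts or min(prios) <= block_on_priority:
            blocked.append(src)
    return sorted(blocked, key=ipaddress.ip_address)


def iptables_rules(ips, chain="INPUT"):
    """Render the DROP rules for the chosen sources (chain name is an assumption)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(decide_blocks(parse_alerts(SAMPLE_ALERTS))):
        print(rule)
```

Run as-is it prints the two DROP rules it would apply (for 198.51.100.7 and 203.0.113.5) and leaves the gateway alone. Keep the never_block list, and keep thresholds rather than blocking on every single alert: an auto-block that keys only on Snort hits can be fed spoofed source addresses and used to knock your own gateway or the client's business partners off the network, which is a worse outcome than a pen tester's port scan getting through.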
 
2nd for Smoothwall. Definitely keep an eye on them; the amount of information they request seems rather questionable.

How renowned is this 3rd party?

Can you not simply hire a contractor to run something like Retina on your network and mark off the results?

Just a thought.
 
The pen test has already begun. You fail if you gave them anything. Now, on the flip side, if they are really asking you for that and need that information to do their test, then they are the worst pen testers ever. Consider letting whoever wanted this test done know.
 
2nd for Smoothwall. Definitely keep an eye on them; the amount of information they request seems rather questionable.

How renowned is this 3rd party?

Can you not simply hire a contractor to run something like Retina on your network and mark off the results?

Just a thought.

Our client needs to have some kind of independent "audit" performed for compliance reasons, and they are looking for potential contractors now.

The current one for which is asking so much information is www.ecct.net. I'd appreciate any input if people know or have dealt with this company.
 
Dude, their web page is pretty shoddily put together, and go ahead and browse their "tech forum" and their tech tips is a blank template.

That looks kinda like this scam my old roommate used to run when he was webhosting.

Somehow he turned it into a successful business, but it would appear to me that you're one of the early customers.

If I had more time I'd security-audit their web server, but I don't, hahaha, and I'm not feeling that mischievous right now.

:)

I dunno man, I'm sure they mean well, but they look like a rather inexperienced company; I don't see anything there that gives them major cred.

Can they refer you to some of their other customers for review? Any good company should be willing to do that.
 