Penetration Testing mailing list archives
Re: [PEN-TEST] Evaluating Auditors Abilities
From: Max Vision <vision () WHITEHATS COM>
Date: Thu, 7 Sep 2000 16:22:38 -0700
At 12:46 AM 9/7/00 -0400, Derrick wrote:

> Dear Pen-Testers,
>
> Recently I underwent something that had me thinking about Security Auditing companies and others (Big accounting firms that offer a side service of auditing). Management decided that we needed to be audited by an outside firm, which I am in full favor of. The problem came about in what an un-named auditor did.
Derrick,

It sounds like your company hired a less-than-capable auditing group that is still in the learning process. Since I have been doing professional penetration testing for several years, I have addressed this touchy issue in three main ways.

First, the majority of my new clients are referrals from satisfied customers. Since I am an engineer and not a salesperson, this ends up working out very well for me and my clients. You should ask around and find out who your peers hire and why they are chosen.

Second, I provide a free "Visibility Analysis" of the potential client network. This includes significant detail about both the client network and the penetration testing procedure. You should find out if the auditing company charges an arbitrary fee or if they understand your particular network.

Third, I maintain a 100% penetration rate. I guarantee that I will be able to penetrate a client's network. Since I have years of experience and current research skills, I am confident that I will be able to maintain this guarantee. After all, a penetration testing expert should be able to prove their skill in gaining compromise if they are to be trusted to simulate real-world techniques. Ask to find out if your security company makes any similar guarantees.

Finally, numerous false positives are sloppy and inexcusable - a clear sign that the auditors ran automated tools without checking the results. In many cases the auditors fail to properly configure the scanning tools, or have not authored the security tests themselves.

Be sure to ask the right questions before you choose a security company. If you don't get the answers you're looking for, keep looking.

Max

--
Max Vision Network Security <vision () whitehats com>
Network Security Assessment http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network
Current thread:
- Re: [PEN-TEST] Firewall identification and penetration Mike Ireton (Sep 02)
- Re: [PEN-TEST] Firewall identification and penetration Ben Lull (Sep 06)
- [PEN-TEST] Evaluating Auditors Abilities Derrick (Sep 07)
- Re: [PEN-TEST] Evaluating Auditors Abilities Steve (Sep 07)
- Re: [PEN-TEST] Evaluating Auditors Abilities Domenico De Vitto (Sep 07)
- Re: [PEN-TEST] Evaluating Auditors Abilities Teicher, Mark (Sep 07)
- Re: [PEN-TEST] Evaluating Auditors Abilities Max Vision (Sep 08)
- Re: [PEN-TEST] Evaluating Auditors Abilities Deri Jones (Sep 08)
- [PEN-TEST] Evaluating Auditors Abilities Derrick (Sep 07)
- Re: [PEN-TEST] Firewall identification and penetration Jeffrey Denton (Sep 07)
- Re: [PEN-TEST] Firewall identification and penetration Gary E. Miller (Sep 07)
- Re: [PEN-TEST] Firewall identification and penetration Ben Lull (Sep 06)