Penetration Testing mailing list archives

Re: [PEN-TEST] Evaluating Auditors Abilities


From: Max Vision <vision () WHITEHATS COM>
Date: Thu, 7 Sep 2000 16:22:38 -0700

At 12:46 AM 9/7/00 -0400, Derrick wrote:
Dear Pen-Testers,
        Recently I underwent something that had me thinking about
Security Auditing companies and others (Big accounting firms that
offer a side service of auditing). Management decided that we needed
to be audited by an outside firm, which I am in full favor of. The
problem came about in what an un-named auditor did.

Derrick,

It sounds like your company hired a less-than-capable auditing group that
is still in the learning process. Since I have been doing professional
penetration testing for several years, I have addressed this touchy issue
in three main ways.

First, the majority of my new clients are referrals from satisfied
customers.  Since I am an engineer and not a salesperson, this ends up
working out very well for myself and my clients.  You should ask around
and find out who your peers hire and why they are chosen.

Second, I provide a free "Visibility Analysis" of the potential client
network. This includes significant detail about both the client network
and the penetration testing procedure.  You should find out if the
auditing company charges an arbitrary fee or if they understand your
particular network.

Third, I maintain a 100% penetration rate.  I guarantee that I will be
able to penetrate a client's network.  Since I have years of experience
and current research skills, I am confident that I will be able to
maintain this guarantee.  After all, a penetration testing expert should
be able to prove their skill in gaining compromise if they are to be
trusted to simulate real-world techniques.  Ask to find out if your
security company makes any similar guarantees.

Finally, numerous false positives are sloppy and inexcusable - a
clear sign that the auditors ran automated tools without checking the
results.  In many cases the auditors fail to properly configure the
scanning tools, or have not authored the security tests
themselves.  Be sure to ask the right questions before you choose a
security company.  If you don't get the answers you're looking for, keep
looking.

Max

--
Max Vision Network Security        <vision () whitehats com>
Network Security Assessment         http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network
