
When you hire someone or a business to come in, how can you be sure they won't have a rogue employee who will backdoor your systems? Is there a way you can trust anyone? How do big corporations do it? It seems that with so many possible openings, someone going rogue is very possible.

Is it best to look into doing it yourself? Do you hire your own team so you can have a trust relationship?

Basically, what steps should be taken when giving someone legal rights to hack-test your systems and network?

Tiffany Walker
  • Ask for references. Google the company first. Only hire someone with a good reputation. – Zoredache Aug 07 '12 at 16:29
  • Don't hire from of Craigslist this sort of thing. :) – Aaron Copley Aug 07 '12 at 16:40
  • @AaronCopley Also avoid guys named "Lefty" or "Fingers"... unless you're also doing a physical security test too. – voretaq7 Aug 07 '12 at 16:57
  • Hey, I'm a Lefty. >< ... Also, LOL'ing at my previous comment's bastardized sentence structure. My God... I'm impressed anyone even understood what I wrote. – Aaron Copley Aug 07 '12 at 17:09
  • The level of due diligence required really depends on what you are asking them to do and what information they will have access to. For example, the more you can limit what information they need, the better. I suggest you update the question with some more details about what exactly you are trying to accomplish: server hardening, audit, pen testing, code audits, database audits? Is this against production, development or test systems? – jeffatrackaid Aug 07 '12 at 18:26
  • No one needs "legal rights" to hack-test your systems and network. It happens all the time without your consent. If people needed "legal rights" to hack-test your system, security would be much easier. – emory Aug 07 '12 at 19:33
  • Not at all true, @emory - at least in the United States. If the intrusion is detected and provable, they are committing one or more felonies. If the potential company doesn't proactively offer a list of "services" (activities) that you, the client, are allowing them to do, do not hire them. – gWaldo Aug 08 '12 at 00:04
  • @gWaldo I don't understand. Say Acme Co agrees to limit itself to an agreed list of activities and reports that it is unable to break your system. Then later, a hacker breaks your system using some non-Acme Co activities. What is the value of the Acme Co report? Hackers don't follow rules. Their intrusion may or may not be detectable and/or provable. We can safely assume that they are not US based and thus not risking felony prosecution. – emory Aug 08 '12 at 03:43
  • @emory IANAL. Without the legal permission (and freedom from liability), a pen-tester is vulnerable to charges and suits. In these agreements, the Client specifies what methods are allowed or disallowed ('no physical penetration', or 'yes, social engineering is allowed'). With that agreement, the premise of the rules is set. – gWaldo Aug 08 '12 at 19:34
  • @emory But in any case, a Pen-test does not ensure (or insure) against being hacked. The pen-tester may attempt a particular class of hack and be unsuccessful, but an attacker may be able to pull off a similar method. Then there is the case of 0-days or other later unpatched vulns. Pen-testing isn't a guarantee, but it can warn of some of your blind-spots. – gWaldo Aug 08 '12 at 19:37
  • The way I'm looking at it is that if a blackhat is going to get you, then it will happen. Humans have flaws. Simple fact. But the idea is that if most of the entries can be found/patched, this can drop the likelihood of such an attack and at the same time also help notice it and have a faster response time. – Tiffany Walker Aug 09 '12 at 02:43

4 Answers


Pay one of the big companies to do it - it doesn't prevent that kind of thing from happening, but you do get a degree of protection by doing so.

Chopper3

Basically, what steps should be taken when giving someone legal rights to hack-test your systems and network?

Have your company lawyer draw up a contract that takes away the reproductive organs of the contractor should they do anything shady with the data they acquire.
Such contracts usually include work-product clauses, non-disclosure agreements, and (to protect the contractor) an acknowledgement by your company that the penetration test is authorized and may result in outages/data loss.

Beyond that, a background check is a good start if you're hiring an individual.
If you know people in the pen-testing field you can always hire your friends (whom you presumably trust), otherwise hiring a large company like Chopper3 suggested is always an option (but be aware that many of these companies hire "reformed black-hats" because those are the folks with the skills).

voretaq7

More or less the same way you'd evaluate any firm offering your company critical services - your same question could be put to lawyers, accountants, auditors, janitors, etc. Part of the selection process should involve reference checking (including criminal checks for employees) and confirmation that the appropriate levels of bonding and insurance are in place. A D&B (credit check) will also give a sense of how established the business may be. Finally, the nature of the contract between your company and your pen tester can define terms and penalties. Even with all of this, it's important to make sure your business has appropriate levels of the right types of insurance - this is precisely the kind of thing that COOs and CFOs are supposed to be figuring out.

rnxrx

When hiring a penetration tester:

  • Check their credentials & reputation
  • Get references
  • Check their current status. Are they falling apart and will they do something stupid?

Here's a guide to hiring penetration testers. Enjoy.

citruspi