Choosing a Security Consultant? Beware
In last month's column, I discussed some of the factors to consider in deciding whether to have a penetration test done for your organization.In last months column, I discussed some of the factors to consider in deciding whether to have a penetration test done for your organization. But how should you go about deciding who to hire andperhaps more importantlywho to avoid? First, a good security consultant should be able to provide a complete explanation of the penetration testing process and methodology that will be used and a general road map of what a penetration test looks like. The consultant should be able to talk at length about what scripts or software it will use and what its level of experience is with those tools. The consultant should also be able and willing to scope the testing processes in great detail for you. For example, make sure your potential consultant will discuss which, if any, systems will be off-limits for all or part of the exercise and what hours should be excluded from the effort. Are DoS (denial-of-service) attacks to be part of the engagement, and do you want social engineering attempts involved? Do you want the vendor to dial your phone number blocks in search of modems (war dialing)? Talk to them about whether you want them to actually remove data from your systems if an intrusion attempt is successful or simply note the ability to do so.
In addition, assuming the test results in a breach, do you want the faux intruders to leave back doors on your systems, and do you want them to cover their tracks well (by modifying log files) or intentionally leave clues lying around?