RFP: Penetration Testing

 
 
By Cameron Sturdevant  |  Posted 2007-07-09 Print this article Print
 
 
 
 
 
 
 

Penetration testing is a good way to determine what weaknesses may be present in an organization's infrastructure. Here is a basic request for proposal that can assist with identification and remediation of security risks.

Penetration testing, which involves probing applications, operating systems and device configurations with the goal of gaining access to protected data, is a good way to determine what weaknesses may be present in an organizations infrastructure. This is among the first steps an organization can take to systematically eliminate risky configurations before attackers can exploit these openings. To identify the right solution when creating an authorized hacking or pen-testing request for proposal, security administrators should have a good understanding of the risks the organization desires to mitigate, the business processes that will be probed and the level of security that will be tolerated to attain security goals after the pen tests are completed. Thinking like a hacker is an effective method to ward off attacks from malware writers. Click here to read more.
Here is a basic RFP that can assist with identification and remediation of security risks.
BUSINESS BASICS
  • Pen-testing services and security consultants are only as good as the research teams and test probes that stand behind them, so its important to get a good read on the vendors and services providers under evaluation.
  • Besides pen testing, what other services does the organization provide? (More answers, especially those not directly related to security, are not necessarily better.)
  • How many years has the organization been engaged in pen testing?
  • What automated tools are used to perform the test?
  • Is the vendor or security consultant under consideration a security reseller? If so, what makes and equipment do they resell? (If the priorities of a given pen-testing vendor appear to be focused more tightly on pushing product than on offering an objective assessment, youll do best to look elsewhere.)
  • Please list the background and years of experience for the principals of the test organization. If possible, provide a curriculum vitae for the consultants who will be assigned to this project.
  • Does your organization use a methodology? If yes, does the methodology correspond to or exceed that of the Open Web Application Security Project or some other outside authority?
  • Can the organization provide customer references?
  • What is the organizations policy on confidentiality?
  • Does the organization use outside staff for engagements? If so, what contract for confidentiality is in place to protect penetration results from disclosure?
  • Is the organization bonded? What does the standard contract include to ensure privacy of test results? PEN-TESTING TOOLS AND METHODOLOGIES Security consultants often use a combination of pen testing, scanning and vulnerability assessment tools. It is important to know what tools will be used and the possible effect the tools could have on your network and applications. Like many drugs, pen-test tools have side effects that can be unpleasant. It is important to keep in mind that the results of a well-run test often outweigh these side effects. If no loss of productivity can be tolerated, then a pen test should not be run. However, this in itself could indicate other serious network, application and system management problems.
  • What tools will be used to assess our organization?
    • Core Security Technologies Core Impact
    • Metasploit Project
    • Tenable Network Securitys Nessus Vulnerability Scanner
    • eEye Digital Securitys Retina
    • Mu Securitys Mu-4000 Security Analyzer
    • IP protocol analyzer; if yes, please specify.
      • Insecure.orgs Nmap
      • Qualys QualysGuard
      • Snort, Sourcefire 3D System
      • BigFix Platform
      • PatchLink Scan
      • Rapid7s NeXpose
      • Cenzics Cenzic Hailstorm
      • Others
    How do you turn a small group of security pros into an organized online crime group? Read the six rules here.
  • What platforms can be tested?
    • Windows desktop operating system (Windows 98, Windows ME, Windows XP, Vista)
    • Windows Servers (Windows 2000, Windows 2003)
    • Unix
    • Linux
    • Apple
    • Mainframe
  • Describe basic techniques used to enumerate target systems.
  • Describe basic techniques used to footprint target systems.
  • What pen tests can be run against the target?
    • Operating system
    • Network
    • Internal applications
    • Web applications
    Learning to think like your most common opponent isnt that hard. Click here to read more.
  • What reporting services are provided at the end of the test? ( (Provide sample reports of actual tests.)
  • What remediation services are provided at the end of the test? Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
  •  
     
     
     
    Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.
     
     
     
     
     
     
     

    Submit a Comment

    Loading Comments...
     
    Manage your Newsletters: Login   Register My Newsletters























     
     
     
     
     
     
     
     
     
     
     
    Rocket Fuel