In last months column, I discussed some of the factors to consider in deciding whether to have a penetration test done for your organization. But how should you go about deciding who to hire and—perhaps more importantly—who to avoid? First, a good security consultant should be able to provide a complete explanation of the penetration testing process and methodology that will be used and a general road map of what a penetration test looks like. The consultant should be able to talk at length about what scripts or software it will use and what its level of experience is with those tools.
The consultant should also be able and willing to scope the testing processes in great detail for you. For example, make sure your potential consultant will discuss which, if any, systems will be off-limits for all or part of the exercise and what hours should be excluded from the effort. Are DoS (denial-of-service) attacks to be part of the engagement, and do you want social engineering attempts involved? Do you want the vendor to dial your phone number blocks in search of modems (war dialing)? Talk to them about whether you want them to actually remove data from your systems if an intrusion attempt is successful or simply note the ability to do so.
In addition, assuming the test results in a breach, do you want the faux intruders to leave back doors on your systems, and do you want them to cover their tracks well (by modifying log files) or intentionally leave clues lying around?
Finally, keep shopping for a vendor if the one youre talking to will not put its staffing policy in writing—particularly if it wont say whether it hires black-hat hackers. In addition, back off if its unwilling to sign nondisclosure agreements. Other bad signs include a reluctance to assign a 24-by-7 contact during the entire engagement or the urging of DoS attacks without extreme caveats.
Show these folks the door if they wont provide or dont have customer references or if they are willing to speak specifically about work done for other named clients. Finally, its entirely reasonable to ask in advance for a sanitized copy of what your deliverable will look like. Be suspicious if you cant get one. And, always, be careful out there.