Choosing a Security Consultant? Beware
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Choosing a Security Consultant? Beware

Written By
eWEEK EDITORS
eWEEK EDITORS
Apr 30, 2001
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

In last months column, I discussed some of the factors to consider in deciding whether to have a penetration test done for your organization. But how should you go about deciding who to hire and—perhaps more importantly—who to avoid? First, a good security consultant should be able to provide a complete explanation of the penetration testing process and methodology that will be used and a general road map of what a penetration test looks like. The consultant should be able to talk at length about what scripts or software it will use and what its level of experience is with those tools.

The consultant should also be able and willing to scope the testing processes in great detail for you. For example, make sure your potential consultant will discuss which, if any, systems will be off-limits for all or part of the exercise and what hours should be excluded from the effort. Are DoS (denial-of-service) attacks to be part of the engagement, and do you want social engineering attempts involved? Do you want the vendor to dial your phone number blocks in search of modems (war dialing)? Talk to them about whether you want them to actually remove data from your systems if an intrusion attempt is successful or simply note the ability to do so.

In addition, assuming the test results in a breach, do you want the faux intruders to leave back doors on your systems, and do you want them to cover their tracks well (by modifying log files) or intentionally leave clues lying around?

Finally, keep shopping for a vendor if the one youre talking to will not put its staffing policy in writing—particularly if it wont say whether it hires black-hat hackers. In addition, back off if its unwilling to sign nondisclosure agreements. Other bad signs include a reluctance to assign a 24-by-7 contact during the entire engagement or the urging of DoS attacks without extreme caveats.

Show these folks the door if they wont provide or dont have customer references or if they are willing to speak specifically about work done for other named clients. Finally, its entirely reasonable to ask in advance for a sanitized copy of what your deliverable will look like. Be suspicious if you cant get one. And, always, be careful out there.
eWEEK EDITORS
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information