Pentest - Who would you recommend?



  • Hey folks,

    We are based in London and are interested in having a pentest performed. Don't mind where the person is based as its testing the vulnerability of our sites and services externally anyway.

    Who would you recommend?

    I am not looking for an MSP or reseller or a VAR. We don't want somebody that is only looking to do a few 'checks' and then suggest we entirely swap out our firewall, routers, switches, access points etc as they are actually resellers looking to line their pockets with their own 'solutions'.

    What we are looking for is for somebody to look at our attack vector from outside and point at what could be improved. We would be paying for that report. Any work done, if any, would be done by a similarly skilled consultant in that specific area or internally if possible.

    So, thoughts? This is not a job posting, this is a discussion to see who the community has used before and would recommend.

    Best,
    Jim



  • I've never actually used them, but I've been to a couple of seminars by Sec-1 which were awesome. I really liked them. If I was going to do a pentest, I would want to use them. I recommend you go to one of their seminars as they're free and pretty intense and educational, and not salesy at all.



  • Have you had an assessment before?

    Are you in an industry that has requirements like HIPAA, SOX, GLBA, etc?

    Roughly how big is the company?

    What is the exact scope of work? Are you really looking for a pen test or a security audit?

    All these should factor in to who you choose for you pentest.


  • Service Provider

    I am clearly biased but I've gotta throw my 2 cents in here.

    https://darait.co.uk/files/darait-samplesecurityaudit-feb-2017.pdf

    What you receive entirely depends on the scope, for the audit above they wanted a zero scanning check to see what their external IT provider missed out after a breach which cost quite a bit of money. The external provider left out a lot even after they got told this was happening.

    Might be worth us having a chat.



  • @IRJ said in Pentest - Who would you recommend?:

    Have you had an assessment before?

    Are you in an industry that has requirements like HIPAA, SOX, GLBA, etc?

    Roughly how big is the company?

    What is the exact scope of work? Are you really looking for a pen test or a security audit?

    All these should factor in to who you choose for you pentest.

    No previous assessment.

    No industry requirements.

    25 -35 employees. Thousands of customers.

    Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.



  • @Breffni-Potter said in Pentest - Who would you recommend?:

    I am clearly biased but I've gotta throw my 2 cents in here.

    https://darait.co.uk/files/darait-samplesecurityaudit-feb-2017.pdf

    What you receive entirely depends on the scope, for the audit above they wanted a zero scanning check to see what their external IT provider missed out after a breach which cost quite a bit of money. The external provider left out a lot even after they got told this was happening.

    Might be worth us having a chat.

    I've just read the report. Looks interesting, but not what we are after. That report looks more like in response to a breach.

    The brief would be... xyz is our company name. What can you do to us, of course, without actually doing the end attack. Example: We scanned for open ports on 195.40.15.81, xyz was open and is RDP. We tried brute force and got in on 3389 using non admin account. Once on, we were able to run xyz... (for an example of course, but based on far more advanced knowledge in to security and what an outside person could do than I know).


  • Service Provider

    @Carnival-Boy The only issue with sec-1 is they are a Claranet company. Claranet...their culture is really poor, they've kept making mistakes on ISP projects, support failures and for one client, Claranet actually held their service to ransom by switching off the connection before a migration to a competitor, the client buckled and re-signed for 2 years and within 10 minutes the service was back up.

    Sec-1 might just be owned by Claranet and they are fantastic on their own but its a bit like LogMeIn owning LastPass, LastPass is great, LogMeIn, not so much.

    @Jimmy9008 - Yep, it was a response to a breach. A specific requirement was zero pen-test but all other reports are similar, we looked here, tried this, found this, fix it this way.


  • Service Provider

    @Jimmy9008 said

    Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

    Challenge accepted.



  • @Breffni-Potter said in Pentest - Who would you recommend?:

    @Jimmy9008 said

    Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

    Challenge accepted.

    Lol, but at what cost £££ :P



  • @Jimmy9008 said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    Have you had an assessment before?

    Are you in an industry that has requirements like HIPAA, SOX, GLBA, etc?

    Roughly how big is the company?

    What is the exact scope of work? Are you really looking for a pen test or a security audit?

    All these should factor in to who you choose for you pentest.

    No previous assessment.

    No industry requirements.

    25 -35 employees. Thousands of customers.

    Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.


  • Service Provider

    @Jimmy9008 said in Pentest - Who would you recommend?:

    @Breffni-Potter said in Pentest - Who would you recommend?:

    @Jimmy9008 said

    Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

    Challenge accepted.

    Lol, but at what cost £££ :P

    The fastest way to get the best pentest in the world, put out a bounty. Same way the big boys do it. If you get every type of hacker trying to crack your network for a prize, you can bet you'll find out if its secure.

    This is a big problem with pen tests with many companies, how imaginative and motivated is the attacker?



  • I love the Metasploit framework and also like Armitage on top of that sometimes.



  • @Breffni-Potter said in Pentest - Who would you recommend?:

    @Jimmy9008 said in Pentest - Who would you recommend?:

    @Breffni-Potter said in Pentest - Who would you recommend?:

    @Jimmy9008 said

    Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

    Challenge accepted.

    Lol, but at what cost £££ :P

    The fastest way to get the best pentest in the world, put out a bounty. Same way the big boys do it. If you get every type of hacker trying to crack your network for a prize, you can bet you'll find out if its secure.

    This is a big problem with pen tests with many companies, how imaginative and motivated is the attacker?

    Yeah, I get what you are saying, but i'd prefer to avoid challenging those that had no interest in the company, with interest, to try to 'get the goodies'. Hence asking if anybody has specific good history with any particular person...



  • @Breffni-Potter said in Pentest - Who would you recommend?:

    @Carnival-Boy The only issue with sec-1 is they are a Claranet company. Claranet...

    They only bought them 3 weeks ago! But, yeah, one to keep an eye on, for sure.


  • Service Provider

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @Breffni-Potter said in Pentest - Who would you recommend?:

    @Carnival-Boy The only issue with sec-1 is they are a Claranet company. Claranet...

    They only bought them 3 weeks ago! But, yeah, one to keep an eye on, for sure.

    Everyone knows BT are awful, Claranet manage to beat BT at being bad for double the money.



  • @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?



  • @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    A Pentester is more focused on actually breaking into your network. They will show you the security holes and vulnerabilities they found while exploiting your network, but their focus is exploitation.

    An assessment will take everything into account on your network and interview various people about policies and procedures. There more of a focus on finding security vulnerabilities and how to fix them vs breaking in.

    So you should only get a pen test when you consider your organization ready for it. Otherwise it can be a waste if there are holes galore in your network.



  • Ok, so how does an assessment find out if your applications are vulnerable to SQL injection (for example)?



  • @Carnival-Boy said in Pentest - Who would you recommend?:

    Ok, so how does an assessment find out if your applications are vulnerable to SQL injection (for example)?

    It's all in the scope of work. You just need to state that you want web apps to be included in the report. Companies ask for this type of stuff quite often. There are plenty of tools that Cyber Security personnel use for this purpose.

    The scope of work is the single most important thing you and whatever your company chooses need to agree on.



  • That's not what I'm asking. I'm asking how does an assessment find out if your applications are vulnerable to SQL injection?

    Literally, how, if not by pen testing them?


  • Service Provider

    @Breffni-Potter said in Pentest - Who would you recommend?:

    @Carnival-Boy The only issue with sec-1 is they are a Claranet company. Claranet...their culture is really poor, they've kept making mistakes on ISP projects, support failures and for one client, Claranet actually held their service to ransom by switching off the connection before a migration to a competitor, the client buckled and re-signed for 2 years and within 10 minutes the service was back up.

    Sec-1 might just be owned by Claranet and they are fantastic on their own but its a bit like LogMeIn owning LastPass, LastPass is great, LogMeIn, not so much.

    @Jimmy9008 - Yep, it was a response to a breach. A specific requirement was zero pen-test but all other reports are similar, we looked here, tried this, found this, fix it this way.

    So... an MSP/VAR?


  • Service Provider

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.


  • Service Provider

    @Carnival-Boy said in Pentest - Who would you recommend?:

    That's not what I'm asking. I'm asking how does an assessment find out if your applications are vulnerable to SQL injection?

    Literally, how, if not by pen testing them?

    Pen testing doesn't even apply. You test SQL Injection risk by looking at the code. Code audit is the only reliable test for injection attack vectors and is a very standard thing.



  • @scottalanmiller said in Pentest - Who would you recommend?:

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.

    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.


  • Service Provider

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.

    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

    Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.



  • @scottalanmiller said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.

    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

    Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

    absolutely, and just like any company trying to sell you something, you will probably get both if you aren't sure what you are asking for



  • @scottalanmiller said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.

    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

    Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

    Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.



  • @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.

    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

    Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

    Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

    We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.



  • @Jimmy9008 said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.

    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

    Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

    Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

    We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

    Unless the attacker was an internal attacker//had links to someone internal to know a bit more...? Never forget that the biggest vulnerability in any business is the fleshy thing in front of the screen.



  • @NattNatt said in Pentest - Who would you recommend?:

    @Jimmy9008 said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    @scottalanmiller said in Pentest - Who would you recommend?:

    @Carnival-Boy said in Pentest - Who would you recommend?:

    @IRJ said in Pentest - Who would you recommend?:

    You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

    Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

    One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

    Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

    Both are valuable, but one tells you a lot more, typically.

    Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

    Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

    Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

    We would like to see what could be cone 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but i'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

    Unless the attacker was an internal attacker//had links to someone internal to know a bit more...? Never forget that the biggest vulnerability in any business is the fleshy thing in front of the screen.

    Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.

    Internally, nobody has admin access, only IT have creds that can be admin and elevate when approved. Servers only allow 3389 on the LAN from specific IPs on our network. Creds have to be changed regularly for all users, including domain admin accounts. Workstations likewise use internal WSUS for updates, and are behind proxy for content inspection/etc.

    Even so, the test is still:

    • Out name is xyz. Document what you try, and what was successful.

    Or does nowhere offer that?


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.