
Chapter 3. Penetration for Hire

This chapter discusses the skills and requirements generally expected of a person performing security penetration services. You can use this information to help determine what skills you will need to perform penetration testing or as a general guide to what to look for when hiring a security consultant to perform these services. We discuss the contents of the consultant's tool kit, or black bag, including the software and hardware likely required. (The tool kit is discussed only briefly here; it is covered more fully in Chapter 10.) Further, we discuss the two variations of a penetration test: announced to the security team and system administrators, or unannounced. In either case, management must always be fully aware of and in support of your activities.

Documented support for your activities from top-level management is a key component of any penetration test. The activities associated with penetration testing are considered illegal under almost any circumstances other than at the request of the company. In the following section we discuss some of the legal issues we have encountered while performing these tests.

We also include, as a requirement of being a security consultant, the upholding of the professional standards and ethics that are an essential part of the position. The tester may have access to sensitive data within the organization that could be of material consequence if disclosed. The organization must be confident that this information will not end up in the wrong hands. Untrustworthy testers are also in a position to leave back doors and Trojans that allow them access after the testing is complete. In addition, the results of penetration tests must be kept confidential. Computer security today is a hot topic in the media and on Wall Street. Either group could produce a substantial effect on the organization if poor test results were disclosed. Most professional security consultants are well aware of these ramifications and maintain high standards of integrity and discretion. However, background checks and references are a small safeguard to ensure you are hiring a trustworthy individual.
