When you're gonna do a penetration test (pen-test), it is very important to make sure that your organization has qualified experts to do it. And there's more.
The quality of your tester defines the test results. The more expertise your tester has, the bigger the chance you'll get an in-depth view of your security systems.
Pen-testing has quite a huge potential to create new trouble. It differs from any other testing method that lets the tester work together with your IT team. This is why pen-testing has latent problems. Let me explain.
In a system attack process, a pen-tester has to be cautious not to cause any fatal damage. Why? Because the attack could violate your organization's policy, mess up your operating system, modify ownership structures, etc. Thus, a careless pen-tester (wait… a careless tester?), a lack of expertise, or disregard for ethics tends to cause huge problems for you.
If your IT staff detects a blackbox (zero knowledge) pen-test, usually they will be shocked, because they didn't get your notification first. That's why a pen-tester has to make sure that your IT staff will not overreact, because the test is allowed by management but hidden from the tech team.
It would be ridiculous if one of your staff reported the case to the police. Everyone would be embarrassed, because the test is under your permission. Unless an incident happens outside the scope of the agreed test, or the tester does something immoral (stealing your data or consciously tearing down your IT system).
MAQ (Most Asked Question): Should we hire hackers to do pen-test?
Well, if "hacker" refers to people who do online vandalism, the answer may be NO! If you want to test your door-locking system, why would you hire a painter?
NAQ (Next Asked Question): Is testing expensive?
It depends on the pen-tester's expertise level, the duration, and the scope of the test. Duration affects the result. For maximum results, you need intensive testing with enough duration. "With price, comes face." (Kidding. Correct me because I'm wrong. I'm just freely translating a C++ Java proverb). There's no free lunch, dude.
Of course there is. Just visit a hacker community and challenge them. Most of the time they will not give away their "lunch". But when you get a volunteer, your lunch will be free. My advice is: create controversial issues, such as bringing up ethnicity, religion, race and inter-group relations. Or convince them that the organization is sponsored by Zion. Challenge accepted. Thank me later.
And you know what?
A penetration test is more than just a technical attack. You have to consider the business side, such as making sure how the result will affect business decisions. The pen-test has to be in line with your organization's security strategy.
If you're interested in pen-testing, you have to test the pen-test. Seriously.
A confession that he's a hacker is not enough. Maybe he tells you that he has been sent to jail because of his hacking activity. Maybe he tells you that he's an ethical hacker. His "cool bad-guy hacker" story doesn't guarantee his skill. A real hacker will never be "ethical". But he won't get caught either. A perfect combination of bravado, curiosity, and intelligence.
Ethics doesn't substitute for skills. Like the Y Combinator founder said.
Only script kiddies and wannabe hackers get caught. That's what you get when you have a big ego with tiny skills.
Well, at the end of this article I’m gonna tell you a secret:
Never trust a guy who calls himself an 'ethical hacker'. Especially if he shows you his certifications. Why? Just think of him like an Indonesian who got a driving license in a fucking easy way. You got the license, but not the skill.