October 21, 2009
Security isn't something that I talk about a lot. It's not that I don't think about it; it's just that, as far as blogging on security goes, there are so many better options that I don't feel like I can bring anything to the table.
Every once in a while, though, I feel like it's something I should cover, and today is one of those days. My neighbor in the office building called me up this morning and asked what I knew about penetration testing - specifically about companies providing that service. I told him that I was familiar with the practice, and went over Red Team / Blue Team scenarios, but that I didn't really know any companies that provided that service, or even just normal penetration testing.
Apparently, he had contracted with a company that would perform light network-based reconnaissance and report any vulnerabilities they found. I assume that they were just using Nessus or something similar. Anyway, he wasn't happy with them. They went so far as to suggest he add them to the whitelist on his firewall, so that they wouldn't get blocked while doing a SYN scan. Ridiculous, in my book. But I'm not a network security professional.
Instead, I would like to appeal to you. Have you ever had another company come in to assess your IT security? What kind of methods did they use? How aggressive were they? And can you suggest a company that is thorough and reliable? I'd love to hear about your experiences, and I know my neighbor would as well.