12.1 Outsourcing Network Penetration Testing

There are good arguments to be made for hiring a third party to provide network penetration testing for your organization. The first is that it is always helpful to have another set of eyes that do not share your prejudices and assumptions about your network. The second is that when testing the complete information security policy, outside individuals may be a better indication of your company's susceptibility to social engineering than if you just tried to disguise your voice over the phone. Third, because this is the primary business of such firms, they have the tools and knowledge to quickly isolate and identify threats.

Even among network professionals, our own experiences affect the way that we see threats. We are likely to spend much of our time focusing on the elements of network security that we are really good at, such as configuring a firewall or adjusting user privileges across the network domain. Sometimes, without even consciously realizing it, we give only light attention to the other security countermeasures on the network. This is the behavior captured by the folk wisdom: "You don't know what you don't know." It is difficult to be an expert in all areas of information security, no matter what credentials or certifications an individual's resume may claim. If employing an independent third party to perform the penetration testing is not an acceptable option, then at the very least another set of trained eyes within the company should perform the penetration testing along with the network administrator.

As previously discussed, penetration testing is more than just footprinting the network and performing a scan. The most common vulnerabilities of information security are often exploited through the process of social engineering. Despite what the evening news tells us about ourselves, most people want to be helpful when they can be. This may cause them to inadvertently give out more information than they should. Ideally, this important element of information security should be performed by someone outside the company. Otherwise, a situation similar to the following may result.

(Network Administrator): Uh, hello. This is David Hasselhoff from Acme Electric. I understand you have an electrical problem in the server room. It will just be a minute for us to clear that up.

(Receptionist): Jim? Is that you? Why are you talking funny and wearing those silly glasses?

Finally, the third-party security firm most certainly has the benefit of experience. If a security expert spends the majority of his or her billable time looking for vulnerabilities, then it stands to reason that the security expert will be attuned to common vulnerabilities that seasoned network administrators, who must deal with many aspects of network operations, may overlook. That said, do not necessarily buy into overly negative assessments of your current state of security. Remember that, for many groups like this, penetration testing is just the first step in what they hope will be additional work adjusting the security infrastructure to be more secure. I am aware of more than one security consulting firm that keeps a few "aces" in the hole to be used to secure a contract. They seem to miraculously pull some very serious vulnerabilities out of a hat when most needed.

This should remind us that selecting a security consulting firm to perform penetration testing is a process we should treat like any other contractor or vendor selection. Examples of the testing and reporting that the company offers should be made available to prospective customers. Likewise, a number of references from companies in your same market sector would be ideal. Any company that cannot provide these references should be avoided. Remember that you are going to trust an outside firm with the most important data in your business. Any company that uses "hacker" themes in its advertising or contact information, such as its Web pages, company brochures, and e-mail addresses, should most likely be avoided. This is not to say that these firms do not possess adequate talent, only that for an operation of this importance you will want to make sure you are dealing with a company of the appropriate professionalism and maturity.

There is a final consideration in hiring outside firms that was not listed above. I did not list it because I do not fully agree with the motives; but for the sake of completeness, I will include it here. It may, at times, be advantageous to hire an outside firm to test the performance of your network administrators. It may also be advantageous to hire an outside firm if there is suspicion surrounding the network team regarding its own actions with respect to the network security policy.

I find this reasoning flawed, simply because of the damage that it would inflict on the management–employee relationship. Imagine showing up to work on Monday morning to find that your manager had called in outside help over the weekend because he or she did not trust you or your work. At best, this creates a poor working environment. Unless there is an indication of illegal behavior on the part of the employee, the network administration staff should be involved in any decisions regarding outside help in penetration testing. Most good network administrators would welcome this because it allows them to improve their security — but when sprung upon them, it has been my experience that the staff treats this as a threat to their integrity and professionalism.

There are also disadvantages associated with hiring an outside firm for network penetration testing. The first is that it is unlikely that the firm will fully understand the strategic importance of all the elements of your network. Few can approach the level of understanding of your network in a short time that your network administrators have gained from months or years of working on the network.

Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs
