I’d like to investigate the options for pen testing our network perimeter. Has anyone done this recently and who did you employ to do it?

Cheers.

Coyote,

I’ll find out who we use and get back to you later…

We have to get it done monthly as part of our PCI accreditation.

We use nessus for our internal vulnerability scanning.

http://www.tenable.com/products/nessus?gclid=CMG4kPKetLsCFTMftAodRiAAoQ

Cheers,

Paul

Whoever you use, don’t wait to do it again – contract them to do it regularly.

We used http://www.dionach.com/ for a few years, seemed OK (we now have our own security services consultancy business so do it in-house).
Something that amused me a couple of years ago is that our HR department tried to ban the use of the term “penetration testing” internally in case it offended anyone, fortunately common-sense prevailed…

I have a team of 10 testers and we have a few UK teams as well all crest certified. I would test your apps as well as they will be more vulnerable than your network unless it was built by a numpty. Feel free to drop me a line.

If you don’t take NZCol up on his offer then I’d recommend pentest
http://www.pentest.co.uk
I can provide contact details. They’re NorthWest based as well.

He is right though, it’s quite hard to get your infrastructure wrong so app testing is a lot more important nowadays. get in touch if you want a chat about this.

If your new company is on a budget (this stuff is rarely cheap), then again, lets have a chat. One of my pentesting guys will probably be up for a bit of weekend work.

NZCol which company is it?

another offer here i work for one of the bigger independent security consultancies so drop me a line if you want any info.

samuri – you clearly haven’t seen some of the networks i’ve tested, it’s amazing how wrong many professional people get their external networks. And internal is nearly always done poorly.

We had Pen testers in not so long ago.

First thing they did was ask for physical access to the network and a list of all the subnets in use. Then they sat there with Backtrack open all day. I don’t know how much we paid for that but I’d hazard “too much”.

Yeah, fair enough. Here’s me assuming people build networks how I tell my guys to build them. 😉

If they were using Backtrack, Cougar, they really were a bit crap, it’s no longer being developed and has been replaced by Kali.

If you’re doing this for compliance then any old tools+report pen test company will do. If you’re doing it to really figure out what might happen and to set security budgets then you need to be testing your people and processes too (social engineering, phishing, incident response etc). This naturally costs more but will provide far more valid ‘state of the nation’ and give you a better idea of how you need to spend your security budget beyond tweaking some firewall rules and patching IIS.

The company I work for use IRM

As always guys you have served up a smorgasbord of information.

Thanks! 😀

I used to work for the NCC Group based in Manchester. One of the bigger Pen testing firms. I work in Test Automation, and from what I saw these guys were very good.
Cover everything from physical pen / access testing to white hat hacking.

Funnily enough I’ve got a guy from NCC popping over after Christmas.

oh well i can’t actually fault ncc, although most of my friends there have swapped companies recently