Testing Yourself

esadmf

I am the system admin at my organization, and my director has asked me to conduct some penetration testing, partly because he wants to make sure we are secure and partly because I want to do it. Not sure if this is the right place to ask this, but are there any legal concerns around me doing any testing of our network and systems? Some testing would occur with internal access to the network, and some would be external attacks.

I know it's not really a technical question, and if this goes somewhere else let me know.

Thanks!


You'll need to at least sit down with the director and agree what's in scope for the test. Also, you should get a signed letter from the director permitting you to run tests against the items you decided were in scope. There could be some data protection laws in your country that should be taken into account as well.


I'd agree with getting it in writing to say what you are allowed to do and what is out of scope.

I'd also make sure you stress that whatever you do, you are identifying issues, not proving issues don't exist. Another way to put it: if you find two issues from your testing, you should write:

I found two issues on our network, there might be more.

Not:

We have two issues on our network.

It is a subtle difference. With the second, if they fix those two issues they will go away thinking they are done and secure; with the first, you are covering yourself for anything you missed.

I'd also be careful with your terminology: a vulnerability assessment looks for issues; a penetration test then exploits them to see where you can get. Without skills, you are probably going to be able to identify vulnerabilities but are unlikely to be able to properly exploit things without the potential for things going wrong (e.g. running Metasploit exploits against the domain controller is bad). Drop the word "hacking" completely.

If you have any systems hosted on cloud platforms, make sure you have full permission from the hosting company. Some care, some don't; some see it as you are paying so you control it; some will come after you.

If you are going to scan your exterior across the internet, then be careful where you scan from; some ISPs don't like to see scanning traffic leaving their networks. Again, talk to them and get something in writing.


One thing I'd add to the list: document EVERYTHING. All commands from top to bottom that got you those results, and make sure it is reproducible to the extent that anyone reading your report and documentation can make it happen without your help. This way, once things get patched, they can re-test the results from your report.
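As an added example (not code from anyone in this thread), here is one way to turn the two points above, "only touch what the signed scope letter allows" and "record every command so the result can be reproduced", into a small wrapper. The scope file, the excluded domain controller address and the hostnames are constructed placeholders using RFC 1918 and documentation ranges, not a real environment; the evidence log format is an assumption, not any standard.

```python
"""Scope enforcement and evidence logging for an internal test.

Added example, not from the original thread. SCOPE below is a constructed
stand-in for whatever the director signed off in writing.
"""
import datetime
import hashlib
import ipaddress
import json
import subprocess

# Constructed scope: what the signed letter allows. Anything not listed is out.
SCOPE = {
    "networks": ["10.10.0.0/16", "192.0.2.0/24"],   # RFC 1918 + TEST-NET-1 (placeholders)
    "hosts": ["intranet.example.test"],              # hostnames must match exactly
    "exclusions": ["10.10.5.7"],                     # e.g. the domain controller: never touch
}


def in_scope(target, scope=SCOPE):
    """Return True only if target is explicitly allowed and not excluded.

    Hostnames are compared against the agreed list; IP addresses must fall
    inside an allowed network and outside every exclusion.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP: treat as a hostname, exact (case-insensitive) match only
        return target.lower() in {h.lower() for h in scope["hosts"]}
    # Exclusions win over inclusions, and may be single hosts or whole ranges
    if any(addr in ipaddress.ip_network(ex, strict=False) for ex in scope["exclusions"]):
        return False
    return any(addr in ipaddress.ip_network(n) for n in scope["networks"])


def record(command, target, output, log_path=None):
    """Build (and optionally append) one reproducible evidence entry.

    Stores when the command ran, against what, the exact command line, and a
    SHA-256 of its output so a re-run after patching can be compared.
    """
    entry = {
        "time_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "target": target,
        "command": command,
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
    }
    if log_path:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry) + "\n")
    return entry


def run_in_scope(argv, target, log_path=None):
    """Refuse anything aimed at an out-of-scope target; otherwise run and log it."""
    if not in_scope(target):
        raise PermissionError(f"{target} is outside the agreed scope; not running {argv[0]}")
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return record(" ".join(argv), target, proc.stdout + proc.stderr, log_path)


if __name__ == "__main__":
    # Harmless demonstration: 'echo' stands in for a real scanner command
    print(run_in_scope(["echo", "scan", "10.10.3.4"], "10.10.3.4"))
    try:
        run_in_scope(["echo", "scan", "10.10.5.7"], "10.10.5.7")
    except PermissionError as err:
        print("blocked:", err)
```

The point of the `exclusions` list winning over `networks` is the domain-controller case from the earlier reply: a subnet can be in scope while one box inside it stays off-limits. Keeping the command line and an output hash per entry is what lets whoever re-tests after patching show that the same command now produces a different result.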
