How to choose a Pen Tester

The most important criterion in choosing a penetration tester is not technical skill. It is not competence. It is not even the ability to communicate findings. It is, quite simply, trustworthiness.

Remember, a penetration test is done to assess the security of an implementation. For example, when a new web site is rolled out, a penetration test is often done to check that the site’s firewall is set up correctly, that the web server is properly locked down, and that default passwords have been changed.

When allowing a pen test to be done, you are letting someone, or even a team, look through your computers and networks. That team is looking for ways to violate controls and gain access to sensitive information. You have brought them in to find holes before the bad guys do. And it needs to be done discreetly.

What you don’t want is for the testers to end up disclosing the issues they found to others, either inside or outside your company. Methods of disclosure include, but are not limited to, emails, presentations at conferences or even blog postings. Think that this isn’t a problem? Consider that within the past six months, I was told of a story where a pen test outfit was fired from a company for reporting pen test findings in a blog posting. (As I like to say, not cool.)

How can you lessen your risk? Use the following criteria when selecting personnel for a penetration testing assignment.

  1. Trustworthiness – Can the person or team selected be trusted with the sensitive information that they might uncover? The number one indicator of trustworthiness is usually experience. It is hard to be in the pen test business for long if you can’t be trusted. NOTE: In my opinion, certifications do not address trustworthiness. They address technical skill.
  2. Discipline – Will the pen tester stay within the lines drawn for the assignment?
  3. Competence – Does the pen tester have the ability to correctly use his/her technical skill in order to find vulnerabilities? My experience has been that competent pen testers can find more with nmap than less competent ones.
  4. Technical skill – Does the pen tester understand the technology that they are testing? (You would think that this would be number one, right?)
  5. Communication – Can the pen tester relate the findings into meaningful issues?
  6. Business logic – Can the pen tester turn the issues into mitigation and/or remediation strategies?

Use a scorecard when looking for a pen tester, assessing the qualities above in the order listed. This will help you get the best results from your penetration testing.


Phishing email analysis

Phishing attacks are, in a word, fascinating. The basic goal of a phishing attack is to get personal information, such as credit card numbers, bank account information or passwords for online banking. For the phishing attack to work, the email needs to look legitimate.

Let me show you some classic warning signs of a phishing email, using an email that I recently received.

First, the email header is a dead giveaway. (Email headers are not usually shown by default. You will need to look for them based upon the program you are using to view email.) Notice that this message originated from an email server located in Taiwan.

Received: (qmail 22075 invoked from network); 14 Jan 2009 18:01:05 -0000
Received: from (HELO ([])
(envelope-sender )
by (qmail-ldap-1.03) with SMTP
for ; 14 Jan 2009 18:01:04 -0000
Received: from User ([])
by ([]);
Thu, 15 Jan 2009 01:29:59 +0800
From: “Support”
Subject: Notification from eBay – Unlock your account.
Date: Wed, 14 Jan 2009 12:34:57 -0500

Next is the message itself. (Discount for the moment the fact that I don’t have an eBay account.) Often, these messages have misspellings or grammatical errors. In this case, please note the phrase in the email, “Your online has expired”. I am guessing the author meant my online account.

Dear eBay Member,
This is your official notification from eBay. Your online has expired.
If you want to continue using our service you have to renew your online.
If not, your online will be limited and deleted
To confirm your Account records click on the following link:

Also, look closely at the website that you need to go to in order to “reactivate” your account. If the URL is listed using numbers and not the name of the site, this is often a BIG warning sign. (There are other URL problems that I will address in future postings.)

Thank you,
Scott R. Shipman, CIPP Senior Counsel, Global Privacy Practices eBay Inc.

—End of email

And, a fourth warning sign. This email was not personalized. Clearly it was just a broadcast email.

So, this message contained 4 warning signs that it was a phishing attack. Have a little fun with your next piece of spam email: check to see if you can find all of these warning signs in the message!
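As an added example (not part of the original post), here is a small Python check that looks for the four warning signs walked through above: an originating hop whose timezone does not match the Date header, a brand named in the Subject that is absent from the sender's domain, a link whose host is a bare IP address, and a generic greeting. It runs against a constructed message modelled on the one above; the addresses and IPs in it are placeholders, not values from the original mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message above; addresses and IPs are placeholders.
SAMPLE = """\
Received: from User ([203.0.113.10])
 by mail.example.invalid ([198.51.100.5]);
 Thu, 15 Jan 2009 01:29:59 +0800
From: "Support" <support@example.invalid>
Subject: Notification from eBay - Unlock your account.
Date: Wed, 14 Jan 2009 12:34:57 -0500

Dear eBay Member,
This is your official notification from eBay. Your online has expired.
To confirm your Account records click on the following link:
http://192.0.2.44/ebay/unlock
"""

TZ = re.compile(r"([+-]\d{4})\s*$")  # trailing timezone offset of a header value

def check_phish(raw):
    """Return the list of warning signs found in an RFC 822 message string."""
    msg = message_from_string(raw)
    signs = []
    # 1. Header: the last Received line is the originating hop; compare its
    #    timezone offset with the one the sender put in the Date header.
    received = msg.get_all("Received") or []
    hop_tz = TZ.search(received[-1]) if received else None
    date_tz = TZ.search(msg.get("Date", ""))
    if hop_tz and date_tz and hop_tz.group(1) != date_tz.group(1):
        signs.append(f"origin hop is in {hop_tz.group(1)}, Date header says {date_tz.group(1)}")
    # 2. Brand named in the Subject but absent from the sender's domain.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if "ebay" in msg.get("Subject", "").lower() and "ebay" not in domain:
        signs.append(f"subject names eBay but sender domain is {domain}")
    body = msg.get_payload()
    # 3. Link whose host is a bare IP address rather than a site name.
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = re.match(r"https?://([^/:]+)", url).group(1)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            signs.append(f"link uses a raw IP address: {url}")
    # 4. Generic greeting instead of the recipient's name.
    if re.search(r"^Dear (?:eBay )?(?:Member|Customer|User)\b", body, re.M):
        signs.append("generic greeting, message was not personalized")
    return signs

if __name__ == "__main__":
    for s in check_phish(SAMPLE):
        print("WARNING:", s)
```

Running it on the sample reports all four signs; a message with a real name, a matching sender domain and hostname links reports none.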

What should you do? Two options come to mind:
Safe option: Just delete the message and move on!
Fun option: Go to the site and supply bad information. Fill the hackers’ database with useless information. Then they will have to check the legitimacy of all their entries, causing them to waste time.

My advice is to have fun! (literally)