Is it worth hiring a hacker to perform some penetration testing on my servers? [closed]

Solution 1:

It's good that you are thinking about being secure, but there is no such thing as a "sure system". Modern security practice involves isolating servers so breaches are contained rather than prevented. All webservers and other remotely accessible servers should be placed in an isolated DMZ that has only a limited subset of data (i.e. as little as possible to perform the task at hand).

The best security advice is to act and plan as if servers with remotely accessible services are already compromised. For internal data, secure your most important assets so only the people who have a job role that requires them to access them can access them and there is no way for them to access the data off-site or to download it all onto a USB key.

Security is a cost-benefit equation; it is very costly to set up secure systems and you should only add additional security measures when they are required. Setting up retina scanners, man-traps, keypads and so forth to get into your office would be a waste of money unless there is something inside that you really need to be paranoid about. Spending money on security to try and reduce your "feeling" of paranoia is not good spending. Spend it on the risk that you will be hacked and the impact if you are.

Do the best-effort stuff with your services: as few ports open as possible with as few services. Keep them up-to-date. Follow security mailing lists and bug-reports about the software you are running. Read "hardening" guides for webservers.

It is generally more cost-effective to focus on isolation and detection than prevention. IDS products or log analysers can be really useful here.
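A small illustration of the "log analyser" idea from this answer, added here as an example and not part of the original post: it reads constructed sshd and firewall log lines and flags a source that repeatedly fails to log in and a source that probes ports outside the small set the host is supposed to expose. The allowed ports and the two thresholds are assumptions chosen for the demonstration.

```python
# Minimal log analyser (added example; the log lines below are constructed).
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jan 10 02:14:01 dmz1 sshd[1201]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jan 10 02:14:03 dmz1 sshd[1201]: Failed password for root from 203.0.113.9 port 51124 ssh2
Jan 10 02:14:05 dmz1 sshd[1201]: Failed password for admin from 203.0.113.9 port 51130 ssh2
Jan 10 02:14:07 dmz1 sshd[1201]: Failed password for admin from 203.0.113.9 port 51131 ssh2
Jan 10 02:14:09 dmz1 sshd[1201]: Failed password for oracle from 203.0.113.9 port 51135 ssh2
Jan 10 02:15:00 dmz1 sshd[1210]: Accepted publickey for deploy from 198.51.100.4 port 40011 ssh2
Jan 10 02:16:00 dmz1 kernel: FW DROP SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=23
Jan 10 02:16:01 dmz1 kernel: FW DROP SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=3389
Jan 10 02:16:02 dmz1 kernel: FW DROP SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=445
Jan 10 02:16:03 dmz1 kernel: FW DROP SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP DPT=8080
Jan 10 02:17:00 dmz1 kernel: FW ACCEPT SRC=192.0.2.50 DST=10.0.0.5 PROTO=TCP DPT=443
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
FW_RE = re.compile(r"FW (ACCEPT|DROP) SRC=(\S+) DST=\S+ PROTO=\S+ DPT=(\d+)")

ALLOWED_PORTS = {22, 443}   # assumed "as few ports open as possible" baseline
FAIL_THRESHOLD = 5          # assumed: failed logins per source before flagging
SCAN_THRESHOLD = 3          # assumed: distinct non-allowed ports per source before flagging

def analyse(log_text, fail_threshold=FAIL_THRESHOLD, scan_threshold=SCAN_THRESHOLD):
    """Return {'bruteforce': {src: failures}, 'portscan': {src: sorted ports probed}}."""
    failures = Counter()
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:                       # count auth failures per source address
            failures[m.group(2)] += 1
            continue
        m = FW_RE.search(line)
        if m:                       # record probes of ports we do not intend to expose
            port = int(m.group(3))
            if port not in ALLOWED_PORTS:
                probed[m.group(2)].add(port)
    return {
        "bruteforce": {s: n for s, n in failures.items() if n >= fail_threshold},
        "portscan": {s: sorted(p) for s, p in probed.items() if len(p) >= scan_threshold},
    }

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for src, detail in hits.items():
            print(f"{kind}: {src} -> {detail}")
```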

Solution 2:

The majority of my work is for a company that NEEDS very high levels of security and has the wherewithal to achieve that. As such they have "white hats" and "black hats": the former are employees who design, implement and test within limits the security systems; the latter are external guys who are reformed crackers, some with criminal records, almost all significantly involved in open-source code projects with a security angle. The two teams absolutely never communicate with each other, and the "black hats'" identities are known by very few. They are each tasked with doing whatever they like in whatever way they like whenever they like and against any site the company owns; their only responsibility is to immediately inform the company when they find issues, ideally with resolution solutions if available.

I know this sounds extreme but it's a policy/tactic used across the world by organisations of a certain size/responsibility and if you can afford it, and if you can find them, I suggest you strongly consider this approach.

Solution 3:

I think you'd be amazed at how bad some "security" specialists are. Count yourself lucky you haven't been led astray by gems like

"your network ports aren't open so we can't scan you, so we need you to open up the servers so we can scan"

or

Security wizards: "you can't use SSLv2, it's insecure"
IT: "but the only options are SSL and cleartext"
Security: "at least cleartext doesn't have vulnerabilities"

If you have 2 different firms auditing you and both think you are fine, I wouldn't hire yet a third. The only thing I'd change is consider if your OS vendors have a security audit service.

And my personal favorite

Security: "we can only scan the UNIX boxes, none of the Windows boxes you told us about will respond on any port"
IT: "yes, we use domain isolation to deny access to non-domain-joined systems"
Security: "that's not in the NIST guidelines, you'll have to disable that, it's not secure"

Solution 4:

As someone who has managed many hundreds of penetration tests for organisations in the Fortune and FTSE 100 as well as very small local companies, I have the following for you:

Broadly speaking you are doing the right thing with regard to pen testing in terms of using well-known external companies to see what they can get access to; however, the most appropriate way to do this is:

  • Understand your threats
  • Understand your risk profile
  • Define your controls needs - based on your paranoid clients etc.
  • Build technical controls to meet those needs
  • Use penetration testing to confirm correct implementation of controls

You should plan to use a variety of companies or rotate them. I tend to encourage people to use a panel of 4 or more, as each has their specialisations and specific experience.

You will never be secure, but you can get 'secure enough' based on the risk profile your company wishes to accept. Don't assume that because you are small you are not a target: current organised crime structures sell on exploit methodologies from successful large-organisation hacks downwards, and if you are on the Internet you are a target whether you like it or not.

Various questions over on security.stackexchange.com have covered this question so it is worth having a look over there.