Pen testing/security assessments

I've been thinking lately. I know for a fact there is nothing like this in the area which I live in. This probably leaves all network security up to the admin. I'm considering trying to conduct a survey and contacting local businesses to see if network security assessment would be something which they would be interested in. If I receive a lot of positive responses, it may be something worth looking into when I get a little further along and find someone else who also knows the subject.

Any thoughts or ideas on this?


    I did some research myself into the possibility of a business to provide WLAN pen testing for local businesses. After looking into this, I realized that the amount of lawyer-work and liability insurance that I'd need to defend myself in court from the inevitable unhappy/irrational/irresponsible customers wasn't worth the effort. There are so many new and upcoming laws about (un)authorized access to computer systems and networks that it makes it very difficult to understand the legalities that may be used against you.
    If a company is asked to disclose if they could use a security assessment they could interpret that as admitting their network security is not tightened. Or if they are 'aware' they might even interpret it as a social engineering attack. What I'm trying to say is that I think you'd have more chance if you'd work for a company that provides such services. This would also solve most liability issues jdmurray pointed out as the company would be legally liable, not you personally.
    I know for a fact there is nothing like this in the area which I live in.
    :o Really? Did you also search for companies that are not in your area but do offer security audits and such in your area?
    This probably leaves all network security up to the admin
    Unfortunately still the case at probably most companies, but real audits are rarely (shouldn't be) performed by internal personnel.

    I'd have the same problem here though. I've seen some jobs for which a CEH cert would come in handy, but they all require a huge load of experience in a similar position. Apart from that, they consider script kiddies who are able to launch a DDOS attack as 'hackers':
    The average company here doesn't have any real security measures apart from a firewall, which for a moment I thought was a good thing (huge market for security professionals) but the opposite is true, most of them just don't care or don't care enough to spend money on protecting their systems, and certainly not pen testing.

    I think it will take a long time before pen testing becomes common practice for the average company anywhere, and therefore it will probably always be difficult to find something in your area. Although much can be done online (testing a company's internet 'entrance'), travelling will be part of the job.
