Penetration Tests services

Discussion in 'Business & Enterprise Computing' started by akumi, Jun 23, 2020.

  1. akumi

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    52
    Location:
    Docklands 3008
    With the recent news about some country targeting Australia in cyber attacks, it would be great if someone could recommend a reputable 3rd party organisation that does pen tests that you have personally used yourself. Also, roughly how much does it cost? Thanks.
     
    Last edited: Jun 23, 2020
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,315
    Location:
    Canberra
    Sir this was a Dead Cat.

    the reality is...

    clearly china is hacking us... well not right now, but they might have at some stage, and it might not have been china - but they could have

    paging millsy
     
    akumi likes this.
  3. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    9,944
    Location:
    Briz Vegas
    Yeah, China caused the DDoS attack on the census when that failed... true story.
     
  4. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,552
    Location:
    Brisbane
    We once paid Data#3 consulting mob $25k to run nessus, bargain!

    Later paid McGrathNicol about the same to run a vulnerability scan too, but also do some interactive testing.

    Conclusion: accountants are far better at assessing your IT system security than Data#3.
     
    Hive, millsy, Daemon and 2 others like this.
  5. akumi (OP)

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    52
    Location:
    Docklands 3008
    Hi everyone, just thought I'd bump this post to see whether anyone else has more recommendations.
     
  6. yoink

    yoink Member

    Joined:
    Feb 19, 2002
    Messages:
    3,494
    Have a chat with Robert from CXO: https://www.cxosecurity.com.au/ I personally know him, and he would be the guy I'd go to when we need such services.
     
    akumi likes this.
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,217
    Location:
    Brisbane
    akumi likes this.
  8. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    The answer to who the good pentesters are depends on what you want to test: IoT, ICS, source code/SAST, web, infra, etc.
    Likewise, the cost answer is the same. A boring pen test of a boring web app with limited interaction is sub $10K, and that would be as cheap as you should expect; everything else goes up from there.
     
  9. akumi (OP)

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    52
    Location:
    Docklands 3008
    In general I'm looking for an external pentest. Thanks, that's good to know how much it costs to test a basic web app; I got quoted $65k for 8 web apps. I think I'm in the wrong industry. Pretty much they also have a disclaimer protecting them even if you are compromised due to ever-changing new exploits appearing.
     
  10. Myst

    Myst Member

    Joined:
    Feb 26, 2004
    Messages:
    1,350
    Location:
    Hobart, Tasmania
    Perhaps break down your infrastructure into areas of risk and cater your penetration testing towards something specific.

    As others have said it's easy for an external party to run Nessus or another industry tool across your external infrastructure, but there may be vulnerabilities in your web apps that will take someone motivated to expose after a few days of trying that aren't picked up by automated scanners.
     
    akumi likes this.
  11. akumi (OP)

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    52
    Location:
    Docklands 3008
    Thanks, that's sound advice.
     
  12. g@z

    g@z Member

    Joined:
    Jul 27, 2001
    Messages:
    2,187
    Location:
    Melbourne
    Once had a consultant give us a network security report that included a recommendation that we should move away from our current wifi security setup (WPA2 Enterprise) to a 'more secure' WPA with MAC address lists.... Said he used to work at ANZ as well. Milked a not-for-profit company for heaps.
     
    akumi likes this.
  13. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,568
    Location:
    Adelaide
    It's a shame we can't name and shame :mad:

    akumi to expand upon what Myst suggested, figure out what has the greatest impact to your business (leakage of IP, some IP is more important than others, productivity loss due to ransomware etc) and then base your analysis on those individual risks/systems.
     
    akumi likes this.
  14. akumi (OP)

    akumi Member

    Joined:
    May 19, 2004
    Messages:
    52
    Location:
    Docklands 3008
    So in conclusion, might I confirm that WPA2 Enterprise is still better than what this person suggested, WPA with MAC address lists? It would be good knowledge for me to have.
     
  15. g@z

    g@z Member

    Joined:
    Jul 27, 2001
    Messages:
    2,187
    Location:
    Melbourne
    My basic understanding: WPA and WPA2 are just password based, whereas Enterprise is username and password based. Or another way: WPA is one password for your entire network at the network level, whereas Enterprise has that password at the user level. This means that if you run your corporate network on WPA with just a password and someone leaves and they know the password, then you have to change the password to keep them out, and this means every user needs to update their PC to connect using the new password. If there is a delay from when the employee leaves to when you change the password, then if the employee has a grudge they could still connect to your network and do damage. Imagine a company of a few thousand people having to stop what they are doing at 2 PM on a Friday arvo and change their wifi password because someone has just been walked out the door and they are not happy. Huge productivity loss and most likely a big influx of helpdesk calls.

    With Enterprise it uses something like AD to authenticate the employee's username and password to allow them to connect to the network. If a person leaves then you just disable their account and that's it.

    Using MAC address lists as well means an additional level of IT process that needs to be done for every device that needs to connect, and MAC addresses are easily spoofed, so there is a lot of repeated effort for no real gain.

    Regards,
    g@z.
     
    akumi likes this.
  16. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,568
    Location:
    Adelaide
    Yes. WPA2 with 802.1x is infinitely superior. WPA has been broken and MAC addresses can be trivially spoofed.
     
    Hive and akumi like this.
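    Added example, not from any poster in this thread: two hostapd configuration files showing the two postures g@z and ir0nhide describe, the consultant's shared passphrase plus MAC allow-list beside WPA2-Enterprise with 802.1X/EAP handed off to a RADIUS server that authenticates against the directory. The two files are shown one after the other in a single block; the interface name, SSIDs, the RADIUS address 10.0.0.5 and the secrets are assumed placeholders, not values from the thread.

```ini
# file: /etc/hostapd/hostapd-psk.conf  (the weak posture from the consultant's report)
# hostapd only treats a line starting with '#' as a comment, so every note sits on its own line.
interface=wlan0
ssid=corp-wifi-psk
hw_mode=g
channel=6
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-PSK
# One secret shared by every user: a leaver who knows it forces a rotation for everyone.
wpa_passphrase=CHANGE-ME-shared-passphrase
# macaddr_acl=1 means "deny unless the station MAC is listed in accept_mac_file".
# The station MAC is sent unencrypted in every frame, so the list only keeps honest devices out.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept

# file: /etc/hostapd/hostapd-eap.conf  (WPA2-Enterprise, the existing setup the report wanted dropped)
interface=wlan0
ssid=corp-wifi
hw_mode=g
channel=6
wpa=2
rsn_pairwise=CCMP
# WPA-EAP: each station proves its own identity over 802.1X; the AP holds no user secret.
wpa_key_mgmt=WPA-EAP
ieee8021x=1
# RADIUS server (assumed address) that checks the username/password against AD or LDAP.
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret
# No MAC list needed: revoking access is disabling the account on the RADIUS backend.
macaddr_acl=0
```

    In the PSK file the only per-device control is the MAC list, and because MACs are visible to anyone in radio range it adds administration without adding security, which is the "repeated effort for no real gain" point. In the EAP file the access point holds only the RADIUS shared secret, so offboarding is a directory change rather than a network-wide passphrase rotation; the EAP method itself (PEAP, EAP-TLS) is configured on the RADIUS server, not in hostapd.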
  17. mrpats

    mrpats Member

    Joined:
    Dec 18, 2002
    Messages:
    420
    There are a few good pentesting companies out there. I've used Sentaris (www.sentaris.com.au) before, a very knowledgeable group of ppl.

    Do some research and maybe use some open source tools yourself to find and remediate the easy stuff first; it's a good learning experience.
     
  18. JumpingJack

    JumpingJack Member

    Joined:
    Jun 16, 2002
    Messages:
    289
    Take an ethical hacking course first yourself and beef up your company's IT security awareness.

    SBS Insider had a good example of how a company was pentested based on an IT company sending a tech out and trusting them to fix it. Instead they were pentesters and breached the login credentials using a USB Rubber Ducky.

    Mark Fernell gives good handshakes, pre-COVID.
     
    akumi likes this.
  19. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    44,217
    Location:
    Brisbane
    I'm not entirely sure why "courses" are always in such high demand. I'm now consulting to a great many places on security with zero "courses" under my belt (in anything - security or otherwise).

    Think like a bad guy. Look at your own network, and ask yourself: "how could I totally fuck this place up?". Then start plugging those holes (and/or redesigning from scratch if necessary).

    And on the pen test side of things - if your business needs it for compliance, neat. If not and you're doing it for internal reasons, and you haven't started with nessus and nmap, do that first. You'll teach yourself a lot just by screwing around with those, and then using that information to revisit the above "think like a bad guy" question.

    Once you've covered the obvious stuff, then a pen test is far more useful, because it's no longer the obvious stuff you're "discovering".

    Getting off topic here, but WiFi is always a touchy subject in enterprise, mostly because everyone has it at home and thinks they know what to do with it.

    802.1x/RADIUS has been mentioned, and is valid. I typically choose a different path for "staff training purposes". Here's what I've done several times, and it works well in moderately sized places (i.e.: 500 or fewer staff):

    1) Find yourself a WiFi system with all the usual cool stuff - does nice handover, mesh, blah, blah.
    2) Ensure it can do layer 2 isolation. This stops multicast and broadcast traffic (also stops things like Chromecast and AirDrop, so if you "need" that, consider the pros and cons).
    3) Use WPA2 shared password, make nice little QR codes you can put around your business for staff and guests to scan and join (change this every 6-12 months if you like - delegate the QR code printing and placement to juniors or lowly admin staff).
    4) Drop all WiFi users in a VLAN with no access to anything internal. If you like it can double as a guest network and give access to the Internet with good quality public anti-malware DNS forwarders (cached by your own internal DNS server) offered via DHCP (OpenDNS, 1.1.1.2/1.1.1.3, 9.9.9.9, etc).
    5) Internal staff must then VPN in to get to the work network.

    Why the VPN internally? Because testing VPN access without a separate network and training staff on VPN use is always a problem. The technology is sound and has been around forever, but people are morons. Making them use it every day in the office as they float around means that when they go home (and with COVID, everyone's done this in 2020 at some point), the process of connecting the VPN to do work is identical to being at the office.

    Why not just 802.1x/RADIUS? Well you can if you like. But I've worked at places that had 802.1x in place and ended up with staff giving guests their AD credentials to allow said guests Internet access. Now, sure, this is a human/training/HR problem, and not a technology problem. But for the businesses I worked for, literally having 2 SSIDs was too much for enough of the staff body that alone it was becoming a real world security threat through ignorance instead of malice. Hence, the "technology solution" was easier than training (and re-training over and over as existing staff were stupid and attrition was high).

    There's no best and worst, only options. But that's another one to consider.
     
    Last edited: Sep 18, 2020
    olie and akumi like this.
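    Added example, not elvis's or scips's own configuration: an nftables ruleset for the gateway of the WiFi VLAN in steps 4 and 5, written so that the allow-list is explicit. It assumes the WiFi VLAN arrives on interface vlan50 as 10.50.0.0/16, that the gateway itself (10.50.0.1) runs the caching DNS forwarder and DHCP server, and that the VPN concentrator is 10.0.1.10 listening for WireGuard on UDP/51820; every one of those values is a placeholder.

```conf
#!/usr/sbin/nft -f
# Gateway ruleset for the WiFi VLAN (added example; interface and addresses are assumed).
# vlan50     = WiFi VLAN from step 4, 10.50.0.0/16
# 10.50.0.1  = this gateway: caching DNS forwarder (upstream 1.1.1.2/9.9.9.9) and DHCP
# 10.0.1.10  = VPN concentrator, WireGuard UDP/51820, the only internal host WiFi may reach

table inet wifi_vlan {
    # Private address space that WiFi clients must never reach directly
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    # Routed traffic: only police what enters from the WiFi VLAN
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "vlan50" jump from_wifi
    }

    chain from_wifi {
        ct state established,related accept
        ct state invalid drop
        # Step 5: staff reach the work network only through the VPN endpoint
        ip daddr 10.0.1.10 udp dport 51820 accept
        # Everything else in private space is off limits (file servers, AD, printers, ...)
        ip daddr @internal_nets drop
        # What remains is Internet-bound and allowed (doubles as the guest network)
        accept
    }

    # Traffic to the gateway itself: DHCP and the caching DNS forwarder only
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "vlan50" jump wifi_to_gateway
    }

    chain wifi_to_gateway {
        ct state established,related accept
        ct state invalid drop
        # DHCP discover/request (broadcast, so no daddr match) and renewals
        udp dport 67 accept
        # DNS to the internal cache handed out via DHCP
        ip daddr 10.50.0.1 udp dport 53 accept
        ip daddr 10.50.0.1 tcp dport 53 accept
        # Keep ping for troubleshooting; nothing else (no SSH, no web UI) from WiFi
        ip daddr 10.50.0.1 icmp type echo-request accept
        drop
    }
}
```

    Load it with `nft -f` and inspect the result with `nft list table inet wifi_vlan`. The ruleset is IPv4 only: if the VLAN also hands out IPv6 addresses, add matching `ip6` rules, otherwise the drop of internal space is bypassed over IPv6. Layer 2 client isolation from step 2 is an access-point setting (`ap_isolate=1` in hostapd), not something this gateway ruleset can enforce, so without it clients on the same AP can still talk to each other. The VPN itself then carries the real access control, which is why scips's note about only Intune-enrolled, compliant devices getting the VPN profile matters: the VLAN firewall keeps the WiFi network dumb and the policy lives in one place.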
  20. scips

    scips Member

    Joined:
    Apr 10, 2004
    Messages:
    521
    Location:
    Melb
    Stop looking at my plans Elvis :p

    Enough of my users were constantly "omg the vpn won't connect in the office" and I was getting tired of explaining to their little brains that VPN was only needed outside the office.

    I also figured that was a funny way to reduce wifi troubleshooting to "its wpa2, pw is haveyoutriedturningitoffandonlolits2006againlol". VPN installs from Intune, so only compliant enrolled stuff = access to internals.
     
    elvis likes this.