Human Rights NGO IT Penetration Testing

  • 27-04-2011 9:36am


    Hi there,

    As a human rights NGO doing sensitive work in a number of countries we are looking to minimise any possible intrusions onto our IT systems.

    Currently we are using a mix of TOR, VM, TrueCrypt and PGP though we would like to start plugging holes in other areas.

    Can anyone recommend any decent IT Penetration Testing Course. (CEH/CSTP/CSTA etc). We have quite a wide variety of IT systems and would be interested in looking at ways to ensure we close off as many holes as possible.

    Also, if there are people out there familiar with such matters who would be interested in chatting, please drop me a PM. Ideally we would be looking for someone in the UK or Ireland who might be willing to donate some time to helping us develop a strategy on these issues or training etc.

    Many regards,
    HRNGO


Comments

  • syklops


    First off, if you go looking on internet forums for help securing your IT systems you are opening yourself up to a world of trouble. You could be lucky and find a digital Robin Hood who secures your system for free from the goodness of his own heart; you could also meet someone who tells you about half of the vulnerabilities, backdoors your systems, and watches every piece of information that goes through them.

    If you want to get a pen test done, go to an accredited and established pen testing firm and get them to do it. If you explain the type of work you do, they may be willing to do it cheaply or even for free.

    I've done a few pen testing courses, some are good, some are a waste of time, but none of them will teach someone with no experience how to do a pen test in a one week condensed bootcamp.

    If you have an interest in becoming a pen tester and developing your skills then that's fine, but it will take a lot of time and effort. There is a dearth of books on the subject, many of which can be gotten cheaply, whereas a professional course will set you back a couple of thousand euros, and while it might give you a sexy qualification, you won't learn much more than from a few trips to the library.

    Sorry to sound negative. Hope it helps!


  • Phractal


    HRNGO - If you want a pentest done (as in, a FULL ONE) where you will come under many, MANY kinds of attack, just ask :)

    I love getting legal experience with breaking into systems, and I learned the way the bad guys learn: by breaking into systems (oh, and getting caught in the end).

    I have released two things on PacketStorm under another name, and soon will be releasing a third :)


  • harney


    I am not sure what pen testing is like in Ireland at the moment, but it is quite a mature service over here in the UK.

    Depending on your budget, and where your offices are based you could try and have a UK company test out of a UK office of yours for you - but I think you are looking at somewhere around the £700 - £1000 per man day. Go for a company that is either CREST or CHECK certified (required for government jobs) as the lead testers need to pass an exam and subscribe to a methodology (The CREST exam is more difficult to combat the easier standards of CHECK, so go for a CREST certified person if possible).

    CHECK Certified

    CREST Certified

    Coursewise, I went through the SANS 560 course, and it is a fairly good hands-on course, but a 6 day course is, as has been pointed out earlier, not going to make you a security guru ;) I have yet to meet anyone that had anything good to say about the CEH course, but that doesn't mean that it is not good. The next pen testing course appears to be London in December, but I think SANS run some courses in March in Dublin.

    SANS comparing its 560 GPEN course to CEH

    Before a pen tester comes in make sure that not only are you patched to the hilt, but better yet can document your patching policies.

    The following link is a fairly comprehensive "how to" framework for carrying out a pen test Pen Test Framework

    Once you have written authorisation from management you could follow the parts you understand using something like BackTrack 5 along with the Nessus Vulnerability Scanner, or the free open source forked version OpenVAS, to catch most of the low-hanging fruit.

    Finding out information on the internet, not such a terrible idea. Getting some randomer off the internet to hack your systems, less hot, but I'm sure you know that.
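    The scanner step harney describes produces a report, not a to-do list, and the first thing the NGO's admin will want is that report boiled down to "what do we patch first" while checking that nothing outside the written scope got scanned. The script below is an added example and is not code from harney or from any other poster. It parses a constructed report in the .nessus v2 layout that Nessus exports (the element and attribute names follow that format; the hosts, plugin IDs, plugin names and findings are invented for the example), keeps only findings at or above an assumed severity threshold, orders them worst-first, and sets aside any host that is not in the authorised scope list, which is the point LoLth raises further down the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in the .nessus v2 layout. Element and attribute
# names are those Nessus uses in its XML export; the hosts, ports, plugin IDs,
# plugin names and findings below are invented for this example.
# One host (10.0.0.5) is inside the authorised scope, the other is not.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="hrngo-office-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="1001" pluginName="Example: SSH service banner">
        <plugin_output>OpenSSH 5.3</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="1002" pluginName="Example: SSLv2/SSLv3 enabled">
        <cvss_base_score>5.0</cvss_base_score>
        <solution>Disable SSLv2 and SSLv3 in the web server configuration.</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="1003" pluginName="Example: unpatched SMB service">
        <cvss_base_score>10.0</cvss_base_score>
        <solution>Apply the vendor security update.</solution>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.9.9">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="1004" pluginName="Example: outdated web server">
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 = Info ... 4 = Critical.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_report(xml_text):
    """Return one dict per ReportItem with the fields the triage needs."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin": item.get("pluginName"),
                "cvss": float(cvss) if cvss else None,
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def triage(findings, authorised_hosts, min_severity=2):
    """Split findings into an ordered patch list and a list of unexpected hosts.

    A host that appears in the report but not in the written authorisation is
    set aside rather than silently worked on: it means the scan range was wider
    than the agreed scope, and that has to be sorted out before anything else.
    min_severity=2 (Medium and up) is an assumed threshold, not a Nessus default.
    """
    patch_list, out_of_scope = [], set()
    for f in findings:
        if f["host"] not in authorised_hosts:
            out_of_scope.add(f["host"])
        elif f["severity"] >= min_severity:
            patch_list.append(f)
    # Worst first: Nessus severity, then CVSS base score, then host and port.
    patch_list.sort(key=lambda f: (-f["severity"], -(f["cvss"] or 0.0), f["host"], f["port"]))
    return patch_list, sorted(out_of_scope)


def render(patch_list, out_of_scope):
    """Plain-text summary suitable for pasting into a patching ticket."""
    lines = [f"{SEVERITY_LABELS[f['severity']]:8} {f['host']}:{f['port']}/{f['protocol']}  "
             f"{f['plugin']}  (CVSS {f['cvss']})  -> {f['solution'] or 'no fix listed'}"
             for f in patch_list]
    for host in out_of_scope:
        lines.append(f"WARNING  {host} appears in the report but not in the authorised scope")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_report(SAMPLE_NESSUS)
    todo, unexpected = triage(found, authorised_hosts={"10.0.0.5"})
    print(render(todo, unexpected))
```

    Run against a real export, replace SAMPLE_NESSUS with the file contents and the authorised_hosts set with the addresses named in the letter of engagement; anything the WARNING line flags is a scoping problem to raise with whoever signed that letter, not a finding to fix.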


  • Rodger_Dodger


    Hi

    I would be interested in having a look at your site. If I have permission I'll do some pen testing on it.

    Also you mite want to investigate www.hackersforcharity.org they mite pen test/review your code for free. I'm not sure of the requirements to be honest.

    Thanks
    Rodge


  • LoLth


    No one should be offering to perform any form of pentesting on the NGO site/organisation without a letter of engagement from the CIO of the company. Doing any form of testing without written consent that defines the scope of the test and what you are and are not allowed to do is leaving yourself open to all sorts of trouble if you accidentally break something you shouldn't be going near.

    No offense to the OP but we have absolutely no proof that he/she is actually an employee of the organisation or in any way entitled to request a penetration test.


    Please restrict your answers to information on courses (as requested by the OP) or advice on registered pen-test organisations (such as those listed in harney's post).

    thanks

    LoLth

