
We hired an outside company to perform a vulnerability test on one of our sites. Within a few hours, we had problems. Entire tables wiped clean. Entire tables deleted. Hundreds of records in other tables gone. Some table data had been modified. This is all in a db running a LIVE, production site.

We have used the company in previous years with no issues. Obviously, the site has massive security holes. But, aside from that, my question/concern is this:

  1. How common is this? I get that no pentester can guarantee they won't jack something up, but I haven't heard of an automated scan actually deleting/modifying data in the database.
  2. Should I be concerned that the automated software used could actually be malicious (ironically)?

I'm just looking for a little guidance/thoughts/other's experiences on the situation.

  • It's entirely possible that any software used is malicious, but it's also possible that it hit routines within the site which were misconfigured severely - I've seen sites affected by similar issues from someone missing a rule to keep search engine bots out of "dangerous" pages. – Matthew Nov 04 '16 at 13:34
  • Sorry to hear about your problems. Hope you had backups. – Mindwin Nov 04 '16 at 14:26

2 Answers


1. This is quite uncommon. And when it happens, it is highly undesirable. I know pentesters who've lost customers for a LOT less serious screw-ups.

2. Yes, definitely. The evidence is there; dropping a table is something you have to be very explicit about.

I would look into the pentest agreement you signed. Any pentest contract should have a clear scope defined, excluding production environments from actions that could impact them.

J.A.K.
  • To add to point 2; it could be that just hitting a URL wrong could trigger that, then a simple web crawler could set that off. But then you have other problems. – J.A.K. Nov 04 '16 at 15:52
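The failure mode the answer and its comment describe, a destructive action reachable by a plain GET link so that anything which follows links will trigger it, is easy to reproduce. The block below is an added example and not code from the question or either answer. It models a hypothetical admin page as two request handlers (`unsafe_app` and `safe_app`, names assumed) over a constructed in-memory SQLite table, and runs a toy link follower that only ever sends GET requests against each, which is what a search bot or the spidering phase of a scanner does. The unsafe handler wires the delete to a link; the hardened one accepts the delete only as a POST from an authenticated admin session carrying a per-session CSRF token.

```python
import re
import secrets
import sqlite3
from urllib.parse import parse_qs, urlsplit


# Constructed sample data: a tiny in-memory stand-in for a production table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers (name) VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])
    db.commit()
    return db


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def _split(url):
    """Split a request URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


# Vulnerable handler (hypothetical): the delete action is a plain link, so any
# GET to it, whether or not a session is present, removes the row.
def unsafe_app(db, method, url, form=None, session=None):
    path, query = _split(url)
    if path == "/admin/customers":
        rows = db.execute("SELECT id, name FROM customers").fetchall()
        body = "".join(f'<a href="/admin/customers/delete?id={i}">delete {n}</a>'
                       for i, n in rows)
        return 200, body
    if path == "/admin/customers/delete" and "id" in query:
        db.execute("DELETE FROM customers WHERE id = ?", (int(query["id"]),))
        db.commit()
        return 200, "deleted"
    return 404, ""


# Hardened handler (hypothetical): the state change happens only on POST, only
# for an authenticated admin session, and only with the session's CSRF token.
def safe_app(db, method, url, form=None, session=None):
    path, _ = _split(url)
    form = form or {}
    session = session if session is not None else {}
    if path == "/admin/customers":
        if not session.get("is_admin"):
            return 403, ""
        token = session.setdefault("csrf", secrets.token_hex(16))
        rows = db.execute("SELECT id, name FROM customers").fetchall()
        body = "".join(
            f'<form method="POST" action="/admin/customers/delete">'
            f'<input type="hidden" name="id" value="{i}">'
            f'<input type="hidden" name="csrf" value="{token}">'
            f'<button>delete {n}</button></form>' for i, n in rows)
        return 200, body
    if path == "/admin/customers/delete":
        if method != "POST":
            return 405, ""          # a GET never mutates state
        if not session.get("is_admin"):
            return 403, ""
        if not secrets.compare_digest(form.get("csrf", ""), session.get("csrf", "-")):
            return 403, ""          # token missing or wrong
        db.execute("DELETE FROM customers WHERE id = ?", (int(form["id"]),))
        db.commit()
        return 200, "deleted"
    return 404, ""


# A minimal link follower: it GETs every href it finds and never submits a
# form, which is how a search bot or a scanner's spidering phase behaves.
def crawl(app, db, start, session=None):
    seen, queue = set(), [start]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = app(db, "GET", url, None, session)
        if status == 200:
            queue.extend(re.findall(r'href="([^"]+)"', body))
    return len(seen)


def demo(app):
    """Crawl the admin page as a logged-in admin.
    Returns (rows before, rows after, URLs visited)."""
    db = make_db()
    before = row_count(db)
    visited = crawl(app, db, "/admin/customers", session={"is_admin": True})
    return before, row_count(db), visited


if __name__ == "__main__":
    print("unsafe app after crawl:", demo(unsafe_app))   # (3, 0, 4): every row gone
    print("safe app after crawl:  ", demo(safe_app))     # (3, 3, 1): nothing changed
```

Against the unsafe handler the crawler empties the table simply by following the links it is shown; against the hardened one it finds nothing to follow, and a GET to the delete URL is answered with 405 rather than a DELETE statement. The method check is the piece that matters for the scenario in the question, since it makes "hitting a URL wrong" harmless; the session and CSRF checks stop a logged-in browser from being tricked into the same POST. None of this protects a production database from a scanner that is given admin credentials and submits forms, which is why the scope agreement and a non-production target remain the real controls.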

Yes, you can and will get sued, and lose, due to case law, such as -- http://blog.ericgoldman.org/archives/2007/03/can_a_spider_en.htm

Every consulting company should have tech insurance with E&O (errors and omissions) that will cover your attorney and court fees when you do get sued for deleting production data during a pen test.

Ensure quality, safety, privacy, and security in your processes!

atdre