
I would like to know what risks a penetration testing company faces while performing tests for clients. For example: a penetration testing company named "A" provides services for a client called "B". What threats would company "A" be exposed to if they do that test for client "B"?

For example, the threat to company "A"'s own data if client "B" has serious vulnerabilities in its system.

KDEx
coder

2 Answers


Real penetration testers should not be using their own office bandwidth. If you attempt to access a system from a registered IP address, it's not that difficult to reverse look-up to be able to see where the traffic is coming from. If this is a red team / blue team scenario, then the internal staff already know who the attacker is, and may adjust their protections accordingly if they're trying to appear more secure in an attempt to save face. Some pentesting firms stipulate dropping the firewall connections or allowing specific accesses so they're not testing the firewall itself, but if the company is already infected this could lead to significantly more damage and new unwanted intrusions if not done properly. It's unlikely, but this may allow a tunnel into the network of Company "A" if they're using a localized net.

Penetration testers should definitely be using hardened goods; if they are professional, they should ideally be very difficult to thwart, detect, and even trace.

The biggest issues might be legal.

If Company "A" doesn't have the proper legal documentation to perform the tests on Company "B," then depending on the legal jurisdictions, Company "A" could face issues with the ISP contracted by Company "B," as they are not likely party to the agreement in the case of something like DDoS (distributed denial of service) testing or added network strain. Also, if the equipment Company "B" owns is housed in a facility like a server farm, there may be certain restrictions on bandwidth and the actual tests being performed across the network. Certain activities could alert the authorities even though "permission" has been provided by the target. Someone on the server farm's DFIR (Digital Forensics Incident Response) team might react to the intrusion.

All impacted departments at Company "B" need to be on board. Nobody likes being sued because there is a breach in a department that is not part of the arrangement. All of Company "A"'s team players need to be vetted legally.

If the DFIR team at Company "B" detects non-authorized intrusion from Company "A" there could be an issue down the road. This is in the event of a rogue employee who finds an exploit they decide to take advantage of themselves on their own time. Then there are other legal issues.

Also if Company "A" doesn't outline clearly what they are testing for and they bring down the server of Company "B" with an exploit, then there may be issues that stem from the downtime if there aren't legal clauses in regard to indemnification. "We're not responsible if we find an exploit that breaks your current installation. Clients are responsible for maintaining backups." That sort of thing.

Company "A" needs to verify every system they will be testing and make sure they don't test any systems not part of the agreement. In certain municipalities it is illegal to be on a network without authorization, so it really depends on the laws of all of the areas involved. Cross-border intrusion can also have negative impacts, again depending on the states. They'll want to make sure that if they happen to find another network that's not disclosed, they don't go testing it as well. Simply document all of the issues and present the report with findings and recommendations.

If there is an infection, it's best to investigate the infection on-site, clear it, then perform the tests, otherwise there may be false positives and too much noise vs signal.

AbsoluteƵERØ
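The answer above stresses that Company "A" must verify every system before touching it and must never test hosts that are not in the agreement. One practical way to enforce that is a scope gate run before any tooling is pointed at a target: it loads the authorised ranges and hostnames from the signed rules-of-engagement appendix and refuses anything that is not explicitly included, with exclusions overriding inclusions. This is an added example written for this page, not code from either answer's author; the scope entries and candidate targets are constructed (documentation and reserved example ranges) and stand in for whatever the real engagement contract lists.

```python
"""Scope gate: refuse to act on any target that is not in the signed engagement scope.

Added example, not part of the original Q&A. The SCOPE dictionary below is a
constructed stand-in for the authorised-targets appendix of a real
rules-of-engagement document.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed scope document in the form such an appendix usually takes:
# CIDR ranges and hostnames that are in scope, plus explicit exclusions
# (for example a production box the client carved out) that always win.
SCOPE = {
    "include": [
        "203.0.113.0/24",            # documentation range, constructed
        "198.51.100.10",             # single host
        "app.example.test",          # exact hostname
        "*.staging.example.test",    # wildcard subdomains
    ],
    "exclude": [
        "203.0.113.250/32",          # carved out of the /24 by the client
        "payroll.staging.example.test",
    ],
}


@dataclass
class Scope:
    """Parsed scope entries split by how they are matched."""
    networks: list = field(default_factory=list)   # ip_network objects
    hosts: set = field(default_factory=set)        # exact lowercase hostnames
    suffixes: list = field(default_factory=list)   # ".staging.example.test" style

    @classmethod
    def parse(cls, entries):
        s = cls()
        for raw in entries:
            entry = raw.strip().lower()
            if entry.startswith("*."):
                # "*.staging.example.test" -> ".staging.example.test";
                # the leading dot stops "evilstaging.example.test" matching.
                s.suffixes.append(entry[1:])
                continue
            try:
                s.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                s.hosts.add(entry)   # not an IP or CIDR, so treat as a hostname
        return s

    def matches(self, target):
        target = target.strip().lower()
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Hostname: exact match or wildcard suffix match.
            return target in self.hosts or any(target.endswith(sfx) for sfx in self.suffixes)
        return any(addr in net for net in self.networks)


def load_scope(doc=SCOPE):
    return Scope.parse(doc["include"]), Scope.parse(doc["exclude"])


def is_authorised(target, include, exclude):
    """Exclusions always win; anything not explicitly included is out of scope."""
    if exclude.matches(target):
        return False
    return include.matches(target)


def gate(targets, doc=SCOPE):
    """Split candidate targets into those the agreement covers and those it does not."""
    include, exclude = load_scope(doc)
    allowed, refused = [], []
    for t in targets:
        (allowed if is_authorised(t, include, exclude) else refused).append(t)
    return allowed, refused


if __name__ == "__main__":
    # Constructed candidate list, e.g. hosts discovered during enumeration.
    candidates = [
        "203.0.113.7", "203.0.113.250", "198.51.100.11",
        "db.staging.example.test", "payroll.staging.example.test",
        "app.example.test", "10.0.0.5",
    ]
    ok, no = gate(candidates)
    print("authorised:", ok)
    print("refused   :", no)
```

The design choice worth noting is the default-deny posture: a newly discovered network or host that the client never disclosed fails the gate automatically and goes into the report as a finding, which is exactly the "document it, don't test it" behaviour the answer recommends. Hostnames are matched as given and are not resolved, so a target that appears under an in-scope name but resolves to an out-of-scope address still needs the address checked separately against the same gate.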

In most cases the company that is performing a penetration test for a client faces little risk.

If the client is actively compromised by some nasty attackers, or really nasty malware, it is possible that the threat may make its way into the service provider's (Company "A") machines while the test is being conducted.

In addition one would at least hope that the penetration testing company would be using at least moderately hardened machines to provide the assessment.

KDEx