IT Network Penetration

Discussion in 'Int Corps' started by HumanRightsNGO, Apr 26, 2011.

  1. Hi there,

    As a human rights NGO doing sensitive work in a number of countries we are looking to minimise any possible intrusions onto our IT systems.

    Can anyone recommend any decent IT Penetration Testing Course (CSTP/CSTA etc.)? We have quite a wide variety of IT systems and would be interested in looking at ways to ensure we close off as many holes as possible.

    Also, if there are people out there familiar with such matters who would be interested in chatting, please drop me a PM.

    Many regards,
  2. Alsacien

    Alsacien LE Moderator

    From the sounds of it you have too much scope to cover internally.
    I would suggest you look to hire/train someone to CISSP level and engage the services of external specialists for penetration testing.
    Depending on your systems, various scripts can be run from various points within and outside your systems, and a list of vulnerabilities can be generated.
    Many risks can be addressed or reasonably mitigated, but some will be uneconomical to do; your CISSP can advise.
    Keep in mind penetration testing forms a fairly small part of overall system security.
  3. Fronty

    Fronty Old-Salt Book Reviewer

    You could also consider the courses run by/evaluated by CESG (CHECK), or something like TigerScheme (TigerScheme - Penetration Testing training, standards and qualifications), although this may be a touch too specific for your needs.

    Alternatively, if you don't want/need to bring this type of capability in-house, you could consider bringing in a team from a respected pen-testing company to evaluate your system, then working on the mitigations after they have finished.

    If you want to, PM me and I can point you in the direction of a couple of people I know for the latter.
  4. Alternatively, approach one of the market providers, ideally one with a decent set of connections and see if you can negotiate a deal for a managed service - unless you've got a big budget and a smart and agile IT department, you won't be able to make the internal business case to develop and maintain your own in-house capability. Add to that the fact that, whatever you do, the bulk of your systems will remain vulnerable to certain State actors. Drop me a PM if you want to discuss further.
  5. Do you work for Sony by any chance?