We are seeing more and more of our customers putting their sites through the mill to see how they shape up under a shakedown. Be it automated vulnerability scanning for compliance (PCI DSS or Cyber Essentials, for example) or full-on active penetration testing, these exercises highlight the loose ends, the failures and anything else that needs addressing, seen through the eyes of an attacker, without having to find out the hard, painful, time-consuming, legal and expensive way. They are money well spent in this regard. However, there are a few things to consider before you tip up to the starting line ready to go:
Do I have permission to test?
Testing of this sort is a hostile act. It will be rattling the windows and doors, and may well be destructive in doing so. As such we ask for advance notice of the event, and for the following information to be to hand and confirmed before it starts:
– The name of the company doing the test;
– Confirmed contact details for an engineer in a position to stop the test immediately;
– Formal confirmation that you accept liability for any collateral damage that results.
Will this impact others?
We offer many, many solutions and tools. Some have control panels, some do not. Some are single machines, some are sprawling estates of hardware. Some blur the lines. What we are clear on, however, is that we do not allow testing on shared hosting environments. The risk to the other tenants of that server is simply too great; equally, you would not want someone else's testing to interrupt your operations, however short or long term.
This raises the valid point that if you are in a position to need compliance testing of this sort, you may be using the wrong tool for the job. Virtual Machines, Cloud Servers and Dedicated Servers sit in the layers above shared hosting, and provide environments that can be configured, and locked down, to the needs of the individual customer.
We permit vulnerability scans and penetration tests on Virtual Machines and Dedicated Servers. We do not permit them on shared hosting environments.
We require written or email confirmation of the scan, confirmation of the window within which it will occur, and the address ranges it will come from.
We require contact details for the authorised scanning vendor, and a means to terminate the scan if needs be.
All common sense, and intended to ensure that we do not mistake the test for an attack or a threat, and that we have the ability to make it stop should the wheels come off. If in doubt, ask :)