Is it worth hiring a hacker to perform some penetration testing on my servers?
- by Brann
I'm working in a small IT company with paranoid clients, so security has always been an important consideration to us.
In the past, we've already mandated two penetration tests from independent companies specializing in this area (Dionach and GSS). We've also run some automated penetration tests using Nessus.
Those two auditors were given a lot of insider information, and found almost nothing*...
While it feels comfortable to think our system is perfectly secure (and it was surely comfortable to show those reports to our clients when they performed their due diligence work), I have a hard time believing that we've achieved a perfectly secure system, especially considering that we have no security specialist in our company (security has always been a concern, and we're completely paranoid, which helps, but that's as far as it goes!).
If hackers can hack into companies that probably employ at least a few people whose sole task is to ensure their data stays private, surely they could hack into our small business, right?
Does someone have any experience in hiring an "ethical hacker"? How do you find one? How much would it cost?
*The only recommendation they made to us was to upgrade our remote desktop protocols on two Windows servers, which they were able to access because we gave them the correct non-standard port and whitelisted their IP.