
Is it normal for auditors to require all company passwords?

Solutions:

Is this normal for a pentest?

Absolutely not. Best case scenario: they are performing “social engineering” penetration testing and want to see if you can be pressured into fulfilling a very dangerous action. Middle-case scenario, they don’t know how to do their job. Worst-case scenario they are only pretending to be an auditing company and fulfilling their request will result in an expensive breach.

In the case of a code-audit the company will obviously need access to source code. However I would expect a company who provides such services to already understand the sensitivity of such a need and have lots of forms for you to sign, and to offer to work in a strictly controlled environment. A reputable security company is going to be concerned not just with protecting you (because it is their job) but also with protecting themselves from untrustworthy clients (Our source code got leaked right after we hired you: we’re suing!!!!). All this to say: any reputable security company that doesn’t have you sign lots of contracts before going to work is not a reputable security company.

I can’t imagine any circumstances in which handing over access to any of those things would be a good idea.

Edit RE: hidden contracts

A few have suggested that the company might have simply not told the OP about any relevant contracts/agreements/NDAs. I suppose this is possible, but I want to clarify that the lack of a contract isn’t the only red flag that I see.

As someone who has built e-commerce sites and business software that has required integration with many CC Processors, I see absolutely no benefit to giving someone else access to your CC Processor. At that point in time they are no longer penetration testing your systems: they are penetration testing someone else’s systems that you happen to use. Indeed, giving out access credentials in such a way likely violates the terms of service that you signed when you started using your CC Processor (not to mention the other systems they are requesting access to). So unless you have permission from your CC Processor to hand your credentials to a security auditing company (hint: they would never give you permission), giving them that access is a huge liability.

Many others here have done a great job articulating the differences between white-box and black-box testing. It is certainly true that the more access you give security auditors, the more effectively they can do their jobs. However, increased access comes with increased costs: both because they charge more for a more thorough vetting, and also increased costs in terms of increased liability and increased trust you have to extend to this company and their employees. You are talking about freely giving them complete control over all of your company's systems. I can’t imagine any circumstances under which I would agree to that.

How should I proceed?

Don’t proceed with them. The way they act is unprofessional. Pentests carry risks for both parties, and it doesn’t seem they did anything to address them.

First, you should absolutely not hand anything over without a written contract (including an NDA). It’s surprising they routinely do business like that. How do they know the exact scope? Under which terms do they get paid? Will they just claim they’re “done” at some point or is there a timetable? Do you get a proper report? Who pays if they cause damage? Are they insured in case they lose your credentials to a third party? How will you know if a future breach is part of the test or an actual attack by someone else? Even if you trust them, these questions should certainly be answered before you kick off a pentest.

And it’s not just you, they are putting themselves at risk. If you never clarified the scope, they might be attacking some of your systems without permission, with potential legal implications.

I assumed it would mostly be black box.

Both black and white box tests are common and each approach has its own advantages. But if the mode of testing never came up, it seems like there has never been a discussion about what should be achieved by conducting a pentest in the first place. A professional contractor would have assisted you with figuring out the right conditions and methods.

(One great first question to a potential contractor is asking them for a sample pentest report. It will give you an initial idea about how they work and what results you may expect.)

Prior to any penetration test there should be a Scoping and Rules of Engagement document(s) that is signed by both parties. These documents should describe in detail what will be tested and what methods have been agreed upon by your company and the contractor. If you have not gone through this discussion with your contractor, discontinue the engagement and seek other professionals.

As a penetration tester, I have asked companies to provide accounts or laptops that they would provision for a normal user. This allows testing from a malicious employee perspective. However, this is all agreed upon prior to the test in the Scoping and Rules of Engagement.

Just my 2 cents.
