Jimmy9008

Posts
    • RE: Pentest - Who would you recommend?

@IRJ said in Pentest - Who would you recommend?:

You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

@Carnival-Boy said in Pentest - Who would you recommend?:

Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

@scottalanmiller said in Pentest - Who would you recommend?:

One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

Both are valuable, but one tells you a lot more, typically.

@IRJ said in Pentest - Who would you recommend?:

Yes, a lot of people use security assessment and pentesting as interchangeable terms, but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

@scottalanmiller said in Pentest - Who would you recommend?:

Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

@IRJ said in Pentest - Who would you recommend?:

Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.

We would like to see what could be done 'as is'. Just because we have not had a security report done, does not mean one should assume we would fail it. We have a lot in place and fixed processes, of course, nowhere is 100%, but I'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.

      posted in IT Discussion
      Jimmy9008
    • RE: Pentest - Who would you recommend?

@Jimmy9008 said in Pentest - Who would you recommend?:

Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

@Breffni-Potter said in Pentest - Who would you recommend?:

Challenge accepted.

@Jimmy9008 said in Pentest - Who would you recommend?:

Lol, but at what cost £££ 😛

@Breffni-Potter said in Pentest - Who would you recommend?:

The fastest way to get the best pentest in the world, put out a bounty. Same way the big boys do it. If you get every type of hacker trying to crack your network for a prize, you can bet you'll find out if it's secure.

This is a big problem with pen tests with many companies, how imaginative and motivated is the attacker?

Yeah, I get what you are saying, but I'd prefer to avoid challenging those that had no interest in the company, with interest, to try to 'get the goodies'. Hence asking if anybody has specific good history with any particular person...

      posted in IT Discussion
    • RE: Pentest - Who would you recommend?

@Jimmy9008 said in Pentest - Who would you recommend?:

Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

@Breffni-Potter said in Pentest - Who would you recommend?:

Challenge accepted.

      Lol, but at what cost £££ 😛

      posted in IT Discussion
    • RE: Disk2VHD M.2

@Jimmy9008 said in Disk2VHD M.2:

Yep, restore to a VM from Veeam Agent worked like a charm. Thanks folks.

@Dashrender said in Disk2VHD M.2:

I wonder if Veeam had to inject any drivers?

      I'm guessing it did. I selected all drives, VHDX, VSS from the Disk2VHD. Then couldn't get it online on the 2016 host no matter what options... Secure boot on/off, Gen1/Gen2, IDE, SCSI/whatever... no luck.

      Created a VM, and restored the Veeam Backup... worked first time.

      @tim_G what OS was your Host where it worked?

      posted in IT Discussion
    • RE: Pentest - Who would you recommend?

      @Breffni-Potter said in Pentest - Who would you recommend?:

      I am clearly biased but I've gotta throw my 2 cents in here.

      https://darait.co.uk/files/darait-samplesecurityaudit-feb-2017.pdf

      What you receive entirely depends on the scope, for the audit above they wanted a zero scanning check to see what their external IT provider missed out after a breach which cost quite a bit of money. The external provider left out a lot even after they got told this was happening.

      Might be worth us having a chat.

      I've just read the report. Looks interesting, but not what we are after. That report looks more like in response to a breach.

The brief would be... xyz is our company name. What can you do to us, of course, without actually doing the end attack. Example: We scanned for open ports on 195.40.15.81, xyz was open and is RDP. We tried brute force and got in on 3389 using a non-admin account. Once on, we were able to run xyz... (for an example of course, but based on far more advanced knowledge into security and what an outside person could do than I know).

      posted in IT Discussion
    • RE: Pentest - Who would you recommend?

      @IRJ said in Pentest - Who would you recommend?:

      Have you had an assessment before?

      Are you in an industry that has requirements like HIPAA, SOX, GLBA, etc?

      Roughly how big is the company?

      What is the exact scope of work? Are you really looking for a pen test or a security audit?

All these should factor into who you choose for your pentest.

      No previous assessment.

      No industry requirements.

      25 -35 employees. Thousands of customers.

      Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

      posted in IT Discussion
    • Pentest - Who would you recommend?

      Hey folks,

We are based in London and are interested in having a pentest performed. Don't mind where the person is based as it's testing the vulnerability of our sites and services externally anyway.

      Who would you recommend?

      I am not looking for an MSP or reseller or a VAR. We don't want somebody that is only looking to do a few 'checks' and then suggest we entirely swap out our firewall, routers, switches, access points etc as they are actually resellers looking to line their pockets with their own 'solutions'.

      What we are looking for is for somebody to look at our attack vector from outside and point at what could be improved. We would be paying for that report. Any work done, if any, would be done by a similarly skilled consultant in that specific area or internally if possible.

      So, thoughts? This is not a job posting, this is a discussion to see who the community has used before and would recommend.

      Best,
      Jim

      posted in IT Discussion
    • RE: Disk2VHD M.2

      Yep, restore to a VM from Veeam Agent worked like a charm. Thanks folks.

      posted in IT Discussion
    • RE: Disk2VHD M.2

UEFI, not Secure Boot. I've used Disk2VHD many times, and have tried a few settings now. No dice.
I'm running a restore to a VM from Veeam Agent backup I have. Let's see if that works.

      posted in IT Discussion
    • RE: Disk2VHD M.2

      No luck. Upon starting VM:

[screenshot: HyperV.PNG, Hyper-V boot error]

      These are added as SCSI disks. The boot disk is M.2 drive. I think it needs to be added to the VM as an M.2 drive, but guess HyperV doesn't support that yet...

      posted in IT Discussion
    • RE: Disk2VHD M.2

Just creating a Disk2VHD now. I know this works with older IDE/SCSI etc as I've done that lots of times - I just assume that as VMs in Hyper-V only have IDE and SCSI as an option, attaching a VHDX based on an M.2 drive wouldn't boot, just like if I attach the IDE boot drive to SCSI in a Gen2 VM, or Gen2 SCSI to IDE Gen1...

Let's see, Disk2VHD is running - will know shortly anyhow...

      posted in IT Discussion
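The Gen1/Gen2 reasoning in the post above, as an added example that is not part of the original thread and not the poster's or Microsoft's script: Hyper-V has no NVMe/M.2 device type, so the M.2 origin of the disk is irrelevant once it is a VHDX; what matters is whether the source was installed UEFI/GPT (needs a Generation 2 VM, SCSI-attached, Secure Boot can be left off for the first boot attempt) or BIOS/MBR (needs Generation 1 on IDE controller 0). The script below inspects the partition style of the Disk2VHD output and creates the matching VM. The VHDX path, VM name and switch name are placeholders, and it must run elevated on the Hyper-V host.

```powershell
# Added example: pick the Hyper-V VM generation that matches a Disk2VHD VHDX.
# Run as Administrator on the Windows Server 2016 Hyper-V host.
$VhdPath = 'D:\P2V\workstation-os.vhdx'   # assumed: Disk2VHD output (VHDX, all drives, VSS)
$VmName  = 'P2V-Workstation'              # assumed
$Switch  = 'Default Switch'               # assumed: an existing virtual switch name

# Mount the VHDX read-only and read the partition style of the captured disk.
# GPT means the source booted UEFI; MBR means legacy BIOS.
$mounted = Mount-VHD -Path $VhdPath -ReadOnly -PassThru
try {
    $style = (Get-Disk -Number $mounted.DiskNumber).PartitionStyle
} finally {
    Dismount-VHD -Path $VhdPath
}

if ($style -eq 'GPT') {
    # UEFI source -> Generation 2. New-VM attaches an existing VHDX to the SCSI controller.
    New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 4GB `
           -VHDPath $VhdPath -SwitchName $Switch | Out-Null

    # Secure Boot off for the first boot so a firmware/signature mismatch is not what stops it;
    # re-enable it (Set-VMFirmware -EnableSecureBoot On) once the guest is known to boot.
    Set-VMFirmware -VMName $VmName -EnableSecureBoot Off

    # Make the imported disk the first boot device (Gen 2 defaults can put network first).
    $osDisk = Get-VMHardDiskDrive -VMName $VmName
    Set-VMFirmware -VMName $VmName -FirstBootDevice $osDisk
}
elseif ($style -eq 'MBR') {
    # BIOS source -> Generation 1. New-VM places the VHDX on IDE controller 0, location 0,
    # which is the only controller a Gen 1 VM boots from.
    New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 4GB `
           -VHDPath $VhdPath -SwitchName $Switch | Out-Null
}
else {
    throw "Unexpected partition style '$style' on $VhdPath (RAW disk or unreadable image)."
}

Start-VM -Name $VmName
```

If a GPT image still fails to boot in a Gen 2 VM, the next thing to check from a WinRE ISO attached to the VM is that the EFI System Partition and its BCD store were captured by Disk2VHD (bcdedit /store), not the VM's controller type.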
    • Disk2VHD M.2

      Hey folks,

I have a workstation running an M.2 SSD for the OS (Windows 10). I'd like to P2V this using Disk2VHD, temporarily, and run it as a VM on a Windows Server 2016 host with the Hyper-V role enabled.

I don't think though that it would work... am I correct?

I think Hyper-V can work with IDE and SCSI for VMs, but not M.2...
So I presume this wouldn't work.

What do y'all think?

      Best,
      Jim

      posted in IT Discussion
    • RE: Windows 10 Hyper-V Impact on Gaming

      Take a backup of the machine as is. Then, try. See what its like. Have fun!
      If all goes tits up, restore the backup.

      posted in IT Discussion
    • RE: How would you build this

This is fairly low cost. Go with the vendor for the extra 20%. 2k isn't much. Should you save that now, and lose 'all' support, it's only a few days of work on one issue, unsupported, perhaps less if you have to hire additional help, and that 2k is spent.

      One place to point the fingers at - spend the 2k.

      I'd make sure to have the support contract read and understood in detail to make sure that 2k actually gives me good support though.

      posted in IT Discussion
    • RE: SMB vs Enterprise

@Jimmy9008 said in SMB vs Enterprise:

I'm a generalist too; I don't think that puts me at a disadvantage compared to specialists. Where many specialists would get caught up on a project, I have a range of experience which will get me past that problem.

@IRJ said in SMB vs Enterprise:

That is a key point. In enterprise, you take a very small amount of responsibility for specific functions vs doing everything across the board. It's both good and bad, but at the end of the day you'll learn more if you have to do everything. Although you may not master a specific area.

@Jimmy9008 said in SMB vs Enterprise:

Do you have an example of a specialist role? I'd like to see how they compare to a generalist role...

@IRJ said in SMB vs Enterprise:

There are so many examples. Let's just take a look at a Windows server admin. There is a team for handling group policy, several builds, server patching, server OS troubleshooting, application support for specific applications (these are the guys troubleshooting with the vendors), package deployment, and more.

You probably do a lot more than server admin in SMB. You're evaluating products, talking to vendors, deploying actual physical hardware like racks and servers, configuring network equipment, and many more roles that aren't Windows admin related.

@Jimmy9008 said in SMB vs Enterprise:

@IRJ I see what you mean, but never assumed that to be specialist.

@Dashrender said in SMB vs Enterprise:

What did you assume them to be?

@IRJ said in SMB vs Enterprise:

Yeah, I am not sure what you were expecting? I am just using a very broad role (Windows admin) as an example of how many sub-specialist roles you might see in enterprise. I am pretty sure I missed some.

@Jimmy9008 said in SMB vs Enterprise:

Me neither, hence asking 😛

Maybe I'm not a generalist, but just assumed I am. GPOs, patching, server deployments etc, I do all of them... so am I a specialist!? lol

@IRJ said in SMB vs Enterprise:

No. A specialist does 1 or maybe 2 of those roles.

@Jimmy9008 said in SMB vs Enterprise:

But why? They are easy roles. It is not special at all to be good at 1 or 2 of them. They are easy. I'd guess boring if all you do all day is any particular 1 or 2 of them. Specialist feels like the wrong word.

Yes, you do 1 or 2 of those things, but they are not difficult or special things. You are just solely dedicated to one of them...

A shelf stacker at a supermarket only stacks shelves all day... they are not a specialist. If you just do GPO all day, why are you a specialist...

@coliver said in SMB vs Enterprise:

Because you're specializing in GPO? Literally the definition of the word specialist. GPO is a massive beast with so many options and a vast amount of functionality that SMBs rarely touch even a fraction of it. The same goes for AD, patching, servers, etc... etc...

@Jimmy9008 said in SMB vs Enterprise:

I see. I thought when applied to jobs it had more meaning. So, I could leave and just focus on only one thing, something easy... like say, installing and restoring from Veeam Endpoint Free. Then I could call myself a specialist...?

@Dashrender said in SMB vs Enterprise:

I find it odd how you consider these things to be easy. As coliver said - GPO has thousands of options. When dealing with tens of thousands of machines, having to control a ton of aspects of a machine, GPOs can be daunting.

The same can be said for dealing with backups. There are tons of options and things to be concerned about - did the backup actually grab a usable copy of the database? Did logs get pruned correctly? Do restores work as expected, and on and on.

Yes, agree somewhat - but I don't consider them to be extremely difficult. Everything has things to be concerned about. The questions on the backup for example, yes - concerns, no - not difficult.

      posted in IT Careers
    • RE: SMB vs Enterprise

@Carnival-Boy said in SMB vs Enterprise:

They are. They're specialist shelf stackers. They'll be much better than you at stacking shelves because of their practice and experience. Their rate of dropping cans of beans will be much better than yours.

@Jimmy9008 said in SMB vs Enterprise:

Ok, I can agree with this... but that means specialist != difficult. Specialist = dedicated to only one job, even if easy...

Am I on the right page now?

@Dashrender said in SMB vs Enterprise:

It absolutely can mean difficult. Do you think Exchange is easy? Exchange admins in enterprises are normally specialists. This is the only task they do all day, every day. I wouldn't call it easy.

@Jimmy9008 said in SMB vs Enterprise:

Yes, it can mean difficult, but, doesn't have to...

Thanks folks. Cool. I always assumed specialist = always difficult. Rare. Few people have the skills etc... not, can be easy or hard, but, has to be the only thing you focus on.

@coliver said in SMB vs Enterprise:

There are often broad specializations as well. We have Desktop Specialists on our team. Their only focus is supporting desktops, this can be applications on the desktops, hardware, OS, etc. If it's an application they aren't familiar with it gets escalated to someone that is on my team.

      So.... I am a specialist!!! Woop Woop.

      I specialise in being a SMB Generalist. 😉

      posted in IT Careers
    • RE: SMB vs Enterprise

@Carnival-Boy said in SMB vs Enterprise:

They are. They're specialist shelf stackers. They'll be much better than you at stacking shelves because of their practice and experience. Their rate of dropping cans of beans will be much better than yours.

@Jimmy9008 said in SMB vs Enterprise:

Ok, I can agree with this... but that means specialist != difficult. Specialist = dedicated to only one job, even if easy...

Am I on the right page now?

@Dashrender said in SMB vs Enterprise:

It absolutely can mean difficult. Do you think Exchange is easy? Exchange admins in enterprises are normally specialists. This is the only task they do all day, every day. I wouldn't call it easy.

Yes, it can mean difficult, but, doesn't have to...

Thanks folks. Cool. I always assumed specialist = always difficult. Rare. Few people have the skills etc... not, can be easy or hard, but, has to be the only thing you focus on.

      posted in IT Careers
    • RE: SMB vs Enterprise

@Jimmy9008 said in SMB vs Enterprise:

I'm a generalist too; I don't think that puts me at a disadvantage compared to specialists. Where many specialists would get caught up on a project, I have a range of experience which will get me past that problem.

@IRJ said in SMB vs Enterprise:

That is a key point. In enterprise, you take a very small amount of responsibility for specific functions vs doing everything across the board. It's both good and bad, but at the end of the day you'll learn more if you have to do everything. Although you may not master a specific area.

@Jimmy9008 said in SMB vs Enterprise:

Do you have an example of a specialist role? I'd like to see how they compare to a generalist role...

@IRJ said in SMB vs Enterprise:

There are so many examples. Let's just take a look at a Windows server admin. There is a team for handling group policy, several builds, server patching, server OS troubleshooting, application support for specific applications (these are the guys troubleshooting with the vendors), package deployment, and more.

You probably do a lot more than server admin in SMB. You're evaluating products, talking to vendors, deploying actual physical hardware like racks and servers, configuring network equipment, and many more roles that aren't Windows admin related.

@Jimmy9008 said in SMB vs Enterprise:

@IRJ I see what you mean, but never assumed that to be specialist.

@Dashrender said in SMB vs Enterprise:

What did you assume them to be?

@IRJ said in SMB vs Enterprise:

Yeah, I am not sure what you were expecting? I am just using a very broad role (Windows admin) as an example of how many sub-specialist roles you might see in enterprise. I am pretty sure I missed some.

@Jimmy9008 said in SMB vs Enterprise:

Me neither, hence asking 😛

Maybe I'm not a generalist, but just assumed I am. GPOs, patching, server deployments etc, I do all of them... so am I a specialist!? lol

@IRJ said in SMB vs Enterprise:

No. A specialist does 1 or maybe 2 of those roles.

@Jimmy9008 said in SMB vs Enterprise:

But why? They are easy roles. It is not special at all to be good at 1 or 2 of them. They are easy. I'd guess boring if all you do all day is any particular 1 or 2 of them. Specialist feels like the wrong word.

Yes, you do 1 or 2 of those things, but they are not difficult or special things. You are just solely dedicated to one of them...

A shelf stacker at a supermarket only stacks shelves all day... they are not a specialist. If you just do GPO all day, why are you a specialist...

@coliver said in SMB vs Enterprise:

Because you're specializing in GPO? Literally the definition of the word specialist. GPO is a massive beast with so many options and a vast amount of functionality that SMBs rarely touch even a fraction of it. The same goes for AD, patching, servers, etc... etc...

I see. I thought when applied to jobs it had more meaning. So, I could leave and just focus on only one thing, something easy... like say, installing and restoring from Veeam Endpoint Free. Then I could call myself a specialist...?

      posted in IT Careers
    • RE: SMB vs Enterprise

      @Carnival-Boy said in SMB vs Enterprise:

      They are. They're specialist shelf stackers. They'll be much better than you at stacking shelves because of their practice and experience. Their rate of dropping cans of beans will be much better than yours.

      Ok, I can agree with this... but that means specialist != difficult. Specialist = dedicated to only one job, even if easy...

      Am I on the right page now?

      posted in IT Careers
    • RE: SMB vs Enterprise

@Jimmy9008 said in SMB vs Enterprise:

I'm a generalist too; I don't think that puts me at a disadvantage compared to specialists. Where many specialists would get caught up on a project, I have a range of experience which will get me past that problem.

@IRJ said in SMB vs Enterprise:

That is a key point. In enterprise, you take a very small amount of responsibility for specific functions vs doing everything across the board. It's both good and bad, but at the end of the day you'll learn more if you have to do everything. Although you may not master a specific area.

@Jimmy9008 said in SMB vs Enterprise:

Do you have an example of a specialist role? I'd like to see how they compare to a generalist role...

@IRJ said in SMB vs Enterprise:

There are so many examples. Let's just take a look at a Windows server admin. There is a team for handling group policy, several builds, server patching, server OS troubleshooting, application support for specific applications (these are the guys troubleshooting with the vendors), package deployment, and more.

You probably do a lot more than server admin in SMB. You're evaluating products, talking to vendors, deploying actual physical hardware like racks and servers, configuring network equipment, and many more roles that aren't Windows admin related.

@Jimmy9008 said in SMB vs Enterprise:

@IRJ I see what you mean, but never assumed that to be specialist.

@Dashrender said in SMB vs Enterprise:

What did you assume them to be?

@IRJ said in SMB vs Enterprise:

Yeah, I am not sure what you were expecting? I am just using a very broad role (Windows admin) as an example of how many sub-specialist roles you might see in enterprise. I am pretty sure I missed some.

@Jimmy9008 said in SMB vs Enterprise:

Me neither, hence asking 😛

Maybe I'm not a generalist, but just assumed I am. GPOs, patching, server deployments etc, I do all of them... so am I a specialist!? lol

@IRJ said in SMB vs Enterprise:

No. A specialist does 1 or maybe 2 of those roles.

But why? They are easy roles. It is not special at all to be good at 1 or 2 of them. They are easy. I'd guess boring if all you do all day is any particular 1 or 2 of them. Specialist feels like the wrong word.

Yes, you do 1 or 2 of those things, but they are not difficult or special things. You are just solely dedicated to one of them...

A shelf stacker at a supermarket only stacks shelves all day... they are not a specialist. If you just do GPO all day, why are you a specialist...

      posted in IT Careers