Another story from the trenches:
Client: “You will have to work on site for this job. The data you’re gonna work with is of course highly sensitive and confidential. We cannot risk any of it to leave the company premises.”
Ok, so at this point, you usually prepare yourself to disillusion the client about how secure large company networks usually are and through how many insecure systems their data travels daily (including the Internet). But this time, they had a solution to the problem:
Client: “Ok, how about this: We take an image of your hard drive when you enter the building. When you leave in the evening, we take another image and see what data changed. This way, we know if any sensitive data leaves the company.”
No further questions. On the bright side, it didn’t take long to convince them that this wouldn’t really solve the problem.
The moral of the story: If you hire pentesters to deliberately hack your network and search for security vulnerabilities, make sure that you trust them. Otherwise, search for another company. This is one of the reasons why we always have a personal meeting even before we send you a quote. We want you to know who we are and that you can entrust us with the highly sensitive task of pentesting your network. All our pentesters are listed on our homepage, something you usually do not see with other companies. You may also want to read this older blog post about pentesting as a me-too business, a topic that is likewise relevant when thinking about trust.