SSCP Exam Prep: Valid Reasons for External Penetration Services

Reasons to Use External Penetration Service Firms


Question

Which of the following is NOT a valid reason to use external penetration service firms rather than corporate resources?

Answers

Explanations


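A. They are more cost-effective

B. They offer a lack of corporate bias

C. They use highly talented ex-hackers

D. They ensure a more complete reporting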

C.

Two points are important to consider when it comes to ethical hacking: integrity and independence.

By not using an ethical hacking firm that hires or subcontracts to ex-hackers or others who have criminal records, an entire subset of risks can be avoided by an organization. Also, it is not cost-effective for a single firm to fund the effort of the ongoing research and development, systems development, and maintenance that is needed to operate state-of-the-art proprietary and open source testing tools and techniques.

External penetration firms are more effective than internal penetration testers because they are not influenced by any previous system security decisions, knowledge of the current system environment, or future system security plans.

Moreover, an employee performing penetration testing might be reluctant to fully report security gaps.

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Appendix F: The Case for Ethical Hacking (page 517).

Answer: A. They are more cost-effective

Explanation: External penetration service firms are hired to test the security of an organization's computer systems and network infrastructure. The reasons to use external penetration service firms are many, including independent review, specialized expertise, and a fresh perspective.

However, cost-effectiveness is not one of the valid reasons to use external penetration service firms. In most cases, external penetration testing firms are more expensive than using in-house resources. This is because external firms bring in highly talented and experienced professionals who can detect vulnerabilities that in-house personnel may not be able to find.

Other valid reasons to use external penetration service firms include:

B. They offer a lack of corporate bias: External penetration testing firms provide an unbiased perspective on the organization's security posture, without any internal political or personal agenda.

C. They use highly talented ex-hackers: Many external penetration testing firms hire former hackers who have experience and expertise in identifying vulnerabilities in computer systems and networks.

D. They ensure a more complete reporting: External penetration testing firms provide a more comprehensive and detailed report on the security weaknesses and vulnerabilities of an organization's systems and network infrastructure, which can help the organization to identify and remediate these issues more effectively.

In conclusion, cost-effectiveness is not a valid reason to use external penetration service firms. Organizations should consider other factors such as independence, expertise, and comprehensive reporting when selecting external penetration testing firms.