Ask LH: Can I Get Penetration Tested?

Dear Lifehacker, I consider myself fairly good with online security. I have strong passwords, use a password manager, have difficult secret questions and enable two-factor authentication wherever I can. However, I feel that there could be some small chink in my armour somewhere that could leave me vulnerable to being hacked. I know that there are companies out there that do penetration testing for businesses, but are there any similar (reputable and affordable) services for individuals? Thanks, Paranoid Android


Dear PA,

Security isn't just about using the right technology: it's also about risk management and a sense of proportion. While on one level it's commendable that you want to double-check your own security environment, hiring a penetration tester as an individual is something of a disproportionate response and doesn't really make sense.

Penetration testing is designed to meet the needs of corporations storing highly sensitive data that need to be sure there aren't easy ways for that data to be accessed by hackers. It's often a time-consuming and expensive exercise. For that reason alone, it's hard to imagine a penetration testing service aimed at individuals.

There's also a more fundamental issue: as an individual consumer, the chances are that you make use of external services you don't control (whether that's Gmail or SkyDrive or iTunes or Dropbox). There's no point in penetration testing performed on those services, since you have no way of implementing any changes that might be suggested. Why spend all that money if there's nothing you can do about it?

If you're already using a password manager and two-factor authentication, then you're well ahead of the curve compared to the average consumer. Does that mean there's potentially a "small chink in your armour"? Quite probably; no security system is perfect. So remaining alert and noticing new trends is definitely worthwhile, but penetration testing isn't the answer in your case, I'd suggest.

Cheers, Lifehacker



    The title of this article........ so wrong

      So wrong, yet so very, very right!

        See also: "Why Mounting Your TV Above The Fireplace Is Never A Good Idea"

    Firstly, I would disagree - there are many cases where an individual may have very highly sensitive information they wish to keep private.

    I believe that a full scale "penetration test" may not be the answer but the same principles and concepts should be applied to individuals. It would be great if there was a 3rd party service available that summarised security/privacy policies and loopholes of file/info sharing/synchronising services. The article suggests that users have no control over 3rd party services and that is not true - users have the option to not use a particular service.

    I actually see this service gap as an opportunity for someone to create a very tidy online offering.

    I'm here for the gangbang?

    Er.. Getting penetration testing for free is easy.

    1) Join any given IRC network from two IP addresses/computers
    2) Post your IP of one of these connections around the place.
    3) Wait 20-30 minutes.
    4) Use second connection to listen to script kiddies/etc brag about what they tried etc etc.

    There’s no point in penetration testing performed on those services, since you have no way of implementing any changes that might be suggested.

    Actually, there are some changes that can be implemented by the individual.

    Firstly, make sure you use a different password for each service. If one is compromised, then you lose that one password.

    If the service itself is considered vulnerable, stop using it. Or, if you absolutely must use it, and it's something that stores data, like an email service or cloud storage, make sure you encrypt anything you put there, and don't go around sharing your decryption key.

    I see the value in this, but don't know whether it'd work to the same effect. Many companies use in-house software and platforms, so they're able to effectively impose/implement additional controls if required. Anyway, someone who is already using two-factor authentication and a unique password wherever possible is probably doing close to everything they can. The next step would involve using a VPN at all times, I suppose, and the one after that would be going offline entirely.
