Be very careful with this one! While there are many reputable companies who conduct so-called "penetration tests," there are also a lot of charlatans in this business. You need to do a thorough background check of any ethical hacking company you hire to penetrate your organization. You are giving these folks carte blanche to attack your systems. Ask them what their practices are regarding hiring ex-criminals. Ask them about their own background check procedure. Look for folks working at large, reputable consulting firms. Ask them about liability; what financial backing do they have if something goes awry?
Keep in mind, though, that penetration testing can be a very good thing, as it can help you find vulnerabilities before the bad guys do. The advantages include getting a "hacker's-eye" view of your security, where the rubber meets the road. The disadvantage is that your results are a snapshot of the moment when you ran the test and won't reflect your environment next week. So, I recommend proceeding, but with caution.
This was first published in September 2002