Penetration Testing: RE: Security Audit

RE: Security Audit

From: PM Systems - Rick Woehler <RWoehler_at_PMSysCorp.com>
Date: Wed, 5 Sep 2001 14:17:46 -0400

I agree, get at least 5 quotes as the prices and quality fluctuate wildly.
As for time, I usually plan on three days of testing and 1-2 days for report
writing. Some have taken two weeks and some have taken two days. It
depends on your network vulnerabilities and my skills. This is why I don't
think pen tests should be based on hours worked but rather on the number of
IPs or a set, standard price for the whole test. (I can hear people cringing
about that one...)

-R

-----Original Message-----
From: bacano [mailto:bacano_at_esoterica.pt]
Sent: Wednesday, September 05, 2001 6:54 AM
To: pen-test_at_securityfocus.com
Subject: Re: Security Audit

hi2all

From: "Simon Wellborne" <simon.wellborne_at_initiative-technology.co.nz>

> We have a company or two providing quotes on a security audit, including
> penetration tests.

Get another two quotes from more companies for a start ...

> I am a little concerned about the amount of hours being quoted for some of
> these tests.

How many hours do you think an attacker will spend?
In the end this is a matter of how much money you want to spend on this
versus how deep the audit should go ... you must find a balance here.

> From people's experience (and I would like to hear from Professionals who
> conduct audits) about what timeframes are 'normally' used.
>
> Our network is relatively small (20-40 users + servers).

A professional will probably take 2-3 days plus one to present a report ...
an attacker that has nothing more useful to do can have fun for some weeks ...

In the end it is a matter of how much you can lose versus how much you can
spend.

hint: ask for a 30% discount against a new audit 6 months from this one ...
do they want to get an audit or to get a client? =;o)

[ ]'s bacano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Sep 05 2001