Warning

 

Close

Confirm Action

Are you sure you wish to do this?

Confirm Cancel
BCM
Durkin Tactical Franklin Armory
User Panel

Site Notices
Posted: 11/20/2012 5:31:05 AM EDT
Any recommendations for an outfit that does IT security audits/penetration testing?
Link Posted: 11/20/2012 5:59:27 AM EDT
[#1]
For a simple pen test I can recommend DataComm.  They may do a lot more than this but I used them for a simple, affordable scan. For a one time scan of about a dozen IP's it was under a grand.  You get a few reports broken down by vulnerabilities by device and a high level "executive summary" that management likes.  There's not a lot of help as far as how to remedy the vulns though.   Last time I used them I was at a Financial Institution and the testing and results held up to auditors/regulator scrutiny.
Link Posted: 11/20/2012 10:39:51 AM EDT
[#2]
Is there a specific regulation that you're auditing against? Network penetration test or something else?

Most of the large technology providers have customer audit & assessment teams, so if you need something simple and already have an account rep with Dell, HP, VMWare, Cisco, etc. I'm sure they would sell you one.

If not, there are plenty of smaller shops that offer more a vulnerability assessment service and provide reports as wintermute described at a very affordable rate depending on the scope.
Link Posted: 11/21/2012 8:42:07 AM EDT
[#3]



Quoted:


Is there a specific regulation that you're auditing against? Network penetration test or something else?



Most of the large technology providers have customer audit & assessment teams, so if you need something simple and already have an account rep with Dell, HP, VMWare, Cisco, etc. I'm sure they would sell you one.



If not, there are plenty of smaller shops that offer more a vulnerability assessment service and provide reports as wintermute described at a very affordable rate depending on the scope.


Aside from the smaller shops option, most of them use "Nessus" or one of the other free scanners maybe slightly modified.

 



The scan can be done by yourself. (Be careful doing it from home, some providers may spot it and shut off your home Internet.)




That said, the above is very true, you really need to figure out what you are addressing before bothering with it.  You can get caught up in all kinds of smoke and mirrors and miss important things, and every scan will have false postitives... if you have a nervous nancy of some kind in power you may be starting a shitstorm that never stops.  You will need to count on several hours of Googling to make sure you understand the ramifications (and can show it's a false positive) of each item, and then have people looking at the reports that can actually read....




Avoid the whole thing if you can.
Link Posted: 11/21/2012 9:05:51 AM EDT
[#4]
Quoted:

Aside from the smaller shops option, most of them use "Nessus" or one of the other free scanners maybe slightly modified.  

The scan can be done by yourself. (Be careful doing it from home, some providers may spot it and shut off your home Internet.)

That said, the above is very true, you really need to figure out what you are addressing before bothering with it.  You can get caught up in all kinds of smoke and mirrors and miss important things, and every scan will have false postitives... if you have a nervous nancy of some kind in power you may be starting a shitstorm that never stops.  You will need to count on several hours of Googling to make sure you understand the ramifications (and can show it's a false positive) of each item, and then have people looking at the reports that can actually read....

Avoid the whole thing if you can.


True for the most part. My point in recommending a vendor that you already have a contract/agreement with was that you're already stuck together and you have a line to them to get further info/advice on fixing each item, and the realistic risk in your environment. Otherwise you run the risk of just getting handed a report and the line going cold.

If OP is in the situation with a Nervous Nancy, or some regs that have anxious management oversight (PCI, for example), then doing it yourself is not a sound idea. Audits = Compliance = Legal = Better to pay someone else so you can blame them later if they divide by zero. Plus, subject matter experts don't hurt the results.
Close Join Our Mail List to Stay Up To Date! Win a FREE Membership!

Sign up for the ARFCOM weekly newsletter and be entered to win a free ARFCOM membership. One new winner* is announced every week!

You will receive an email every Friday morning featuring the latest chatter from the hottest topics, breaking news surrounding legislation, as well as exclusive deals only available to ARFCOM email subscribers.


By signing up you agree to our User Agreement. *Must have a registered ARFCOM account to win.
Top Top