Posted: 11/20/2012 4:31:05 AM EST
Any recommendations for an outfit that does IT security audits/penetration testing?
Link Posted: 11/20/2012 4:59:27 AM EST
For a simple pen test I can recommend DataComm. They may do a lot more than this, but I used them for a simple, affordable scan. For a one-time scan of about a dozen IPs it was under a grand. You get a few reports broken down by vulnerabilities by device and a high-level "executive summary" that management likes. There's not a lot of help as far as how to remedy the vulns, though. Last time I used them I was at a financial institution and the testing and results held up to auditor/regulator scrutiny.
Link Posted: 11/20/2012 9:39:51 AM EST
Is there a specific regulation that you're auditing against? Network penetration test or something else?

Most of the large technology providers have customer audit & assessment teams, so if you need something simple and already have an account rep with Dell, HP, VMware, Cisco, etc., I'm sure they would sell you one.

If not, there are plenty of smaller shops that offer more of a vulnerability assessment service and provide reports as wintermute described, at a very affordable rate depending on the scope.
Link Posted: 11/21/2012 7:42:07 AM EST

Originally Posted By rubywat:
Is there a specific regulation that you're auditing against? Network penetration test or something else?

Most of the large technology providers have customer audit & assessment teams, so if you need something simple and already have an account rep with Dell, HP, VMware, Cisco, etc., I'm sure they would sell you one.

If not, there are plenty of smaller shops that offer more of a vulnerability assessment service and provide reports as wintermute described, at a very affordable rate depending on the scope.

Aside from the smaller shops option, most of them use "Nessus" or one of the other free scanners, maybe slightly modified.

The scan can be done by yourself. (Be careful doing it from home; some providers may spot it and shut off your home Internet.)

That said, the above is very true: you really need to figure out what you are addressing before bothering with it. You can get caught up in all kinds of smoke and mirrors and miss important things, and every scan will have false positives... if you have a nervous nancy of some kind in power you may be starting a shitstorm that never stops. You will need to count on several hours of Googling to make sure you understand the ramifications of each item (and can show it's a false positive), and then have people looking at the reports that can actually read....

Avoid the whole thing if you can.
Link Posted: 11/21/2012 8:05:51 AM EST
Originally Posted By RR_Broccoli:

Aside from the smaller shops option, most of them use "Nessus" or one of the other free scanners, maybe slightly modified.

The scan can be done by yourself. (Be careful doing it from home; some providers may spot it and shut off your home Internet.)

That said, the above is very true: you really need to figure out what you are addressing before bothering with it. You can get caught up in all kinds of smoke and mirrors and miss important things, and every scan will have false positives... if you have a nervous nancy of some kind in power you may be starting a shitstorm that never stops. You will need to count on several hours of Googling to make sure you understand the ramifications of each item (and can show it's a false positive), and then have people looking at the reports that can actually read....

Avoid the whole thing if you can.


True for the most part. My point in recommending a vendor that you already have a contract/agreement with was that you're already stuck together, and you have a line to them to get further info/advice on fixing each item and on the realistic risk in your environment. Otherwise you run the risk of just getting handed a report and the line going cold.

If OP is in the situation with a Nervous Nancy, or some regs that have anxious management oversight (PCI, for example), then doing it yourself is not a sound idea. Audits = Compliance = Legal = Better to pay someone else so you can blame them later if they divide by zero. Plus, subject matter experts don't hurt the results.