After the overwhelming success of our $995 External Penetration Testing service, Superior recognized the market demand for equitable, value-priced security service offerings. We also understand that external security is only a small component of an organization’s overall security profile, and that an evaluation of internal security practices is just as critical. As a result, we developed our newest value-priced offering: our $1,495 Remote Internal Vulnerability Assessment service.
Superior Consulting has been engaged in the performance of IT review and testing services for the banking industry since 2003. Our experienced personnel have worked with over 100 financial institutions throughout the Midwest in the evaluation of their network security and internal control systems. Beginning in 2009, we began offering our IT security testing services to other industries, including the healthcare, construction, education, and manufacturing sectors. In the course of our experience in these industries, we’ve seen a wide array of different prices and descriptions of “penetration testing services”, ranging from the use of simple automated tools to generate a canned printout to in-depth, exploitative penetration testing spanning multiple days or weeks. We’ve also seen drastically varying prices from a litany of different providers, including network service providers, accounting firms, specialized security firms, and basic sole proprietors. In order to clarify any questions you may have regarding this service, we have provided a series of common questions below. Also, please be sure to read the Terms & Conditions of this advertisement for further information.
What does the vulnerability assessment cover and how will it be performed?
This service is an off-site, non-exploitative test of up to 100 individual internal Internet Protocol (IP) addresses or nodes owned or controlled by your organization. To perform this service, you must designate the IP addresses you wish to be tested, and we will perform testing using our toolkit of automated testing solutions.
What is a non-exploitative test?
The IT security industry has not yet developed consistent or standardized terms for describing the specific characteristics of penetration tests or vulnerability assessments. In many settings, the terms ‘penetration test’ and ‘vulnerability assessment’ may be used interchangeably, while in other settings a ‘penetration test’ may refer to more in-depth testing that seeks to actively exploit detected vulnerabilities in order to compromise (or demonstrate the ability to compromise) specific systems or assets. When we describe our testing as non-exploitative, we are referring to the fact that we will report on detected vulnerabilities or weaknesses but we will not attempt to actively exploit these findings. Within the context of this service, the terms penetration test and external vulnerability assessment are generally synonymous while internal vulnerability assessment refers to testing focused on devices ‘behind’ the firewall or logically located so that they are not directly Internet-facing.
What tools will you use to perform the test?
Our toolkit is constantly reviewed to ensure we are able to meet the challenges presented by a continuously evolving security environment. Representative tools we have used include Metasploit, Nessus, & Retina. The tool(s) selected for your engagement may vary based on our perception of the appropriate tool necessary to properly assess your environment. As a rule, we only utilize subscription-based tools in order to ensure we are using tools with updated definition files to facilitate testing for recently emerged exploits or vulnerabilities.
How frequently will the test be performed?
Our $1,495 service fee provides for the performance of a single test at a time of your choosing. We also offer more frequent testing intervals for the same discounted price per occurrence. Many organizations perform testing on a predefined schedule, such as monthly, quarterly, or semi-annually. As a best practice, we strongly encourage all organizations to perform an internal vulnerability assessment at least annually or after any major changes in patching practices or solutions. An internal vulnerability assessment is one of the most effective means of validating that patch management practices are effective. Periodic vulnerability assessments are also an excellent mechanism for demonstrating the effectiveness of your overall monitoring program to regulatory authorities.
What is required to perform a remote test and how will you attach to my network?
We will work with your administrative personnel to determine the most effective way to perform the internal vulnerability assessment. Generally, your test can be performed by granting Superior a temporary Virtual Private Network (VPN) connection into your internal network. We will require domain-level administrative credentials in order to perform the test, and we will require you to set up a dedicated account for this purpose. All testing originates from a dedicated Virtual Machine (VM), which will be the only device that fully authenticates to your network. We do not re-use VMs for testing; each test is conducted from a ‘new’ VM instance created from a clean template. We strongly recommend that our clients enable any necessary logging and adopt practices to ensure our administrative and VPN accounts are terminated or disabled after the completion of our testing.
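The account lifecycle described above (a dedicated account for the test, disabled once testing is complete) can be time-boxed and verified on the client side. The following is an added example written from the client administrator’s perspective; it is not Superior’s own procedure or tooling. It assumes the Active Directory PowerShell module is available on the machine it runs on, and the account name svc-vuln-assess, the three-day engagement window, and the description text are placeholders to be adjusted to the agreed engagement.

```powershell
# Added example (not Superior's own procedure). Assumes the ActiveDirectory
# PowerShell module; the account name and window below are placeholders.
Import-Module ActiveDirectory

$AccountName   = 'svc-vuln-assess'          # placeholder name for the tester account
$TestWindowEnd = (Get-Date).AddDays(3)      # assumed engagement window; set to the agreed end date
$Marker        = 'Temporary vulnerability assessment account'

# 1. Provision the dedicated account with a hard expiration date so that it
#    cannot outlive the engagement even if the manual cleanup step is missed.
$Password = Read-Host -AsSecureString -Prompt 'Temporary password for the tester account'
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -AccountPassword $Password -Enabled $true `
    -AccountExpirationDate $TestWindowEnd `
    -Description "$Marker; expires $($TestWindowEnd.ToString('u'))"

# Grant the access level agreed for the engagement (domain-level administrative
# access, as stated in the FAQ above) only for the duration of the window.
Add-ADGroupMember -Identity 'Domain Admins' -Members $AccountName

# 2. After the engagement: remove the elevated group membership, disable the
#    account, and record its last logon so it can be reconciled with VPN logs.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $AccountName -Confirm:$false
Disable-ADAccount -Identity $AccountName
Get-ADUser -Identity $AccountName -Properties Enabled, LastLogonDate, AccountExpirationDate |
    Select-Object SamAccountName, Enabled, LastLogonDate, AccountExpirationDate

# 3. Verification sweep: any still-enabled account carrying the marker whose
#    expiration is missing or already in the past is a cleanup failure.
Get-ADUser -Filter { Enabled -eq $true } -Properties Description, AccountExpirationDate |
    Where-Object {
        $_.Description -like "$Marker*" -and
        ($null -eq $_.AccountExpirationDate -or $_.AccountExpirationDate -lt (Get-Date))
    } |
    Select-Object SamAccountName, Description, AccountExpirationDate
```

Steps 1 and 2 are run at the start and end of the engagement respectively; step 3 can be scheduled so that a tester account left enabled past its window is surfaced automatically. The same pattern applies to the temporary VPN account, which should be disabled on the VPN concentrator in the same cleanup step.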
Who will perform our test? Do you utilize 3rd party contractors or outsourcing for this service?
Your test will be performed by direct employees of Superior Consulting, LLC. At present, all of our employees are based in the United States, subject to extensive criminal and civil background checks, and have confidentiality agreements with our firm. We will not utilize 3rd party contractors to perform any of our testing without providing prior notice to you and, unless otherwise stated, all testing will be performed by our direct employees. We do not outsource any testing or assurance activities outside of the United States.
In an effort to simplify the morass of different terms and highly variable – often excessive – pricing for this service, we decided to develop a competitive, value-based, fixed-price offering based on the needs of our client organizations. We believe our fixed $1,495 pricing represents a clear and equitable price for this service.
$1,495 seems to be a low price. ABC Firm charged us 3x that price for our last vulnerability assessment. How do we know your testing is thorough and effective?
Superior Consulting has been working with financial institutions throughout the Midwest since 2003. During that time, we have developed an excellent reputation as one of the leading providers of consulting services to banks and data centers in this region. We can certainly provide a list of client references to you upon request. Our audit personnel are consummate professionals and have years of experience in the banking and IT industries.
One of the characteristics that sets us apart from other firms is the manner in which we structure our IT audit teams. Many firms utilize individuals with a traditional audit background to perform testing services. Although these individuals may possess credentials such as the CISA or CEH, many do not have practical work experience as a network administrator, which diminishes their ability to understand the mechanics or results of a penetration test, since they haven’t worked directly with the technologies or systems being audited. Instead, we have been fortunate to maintain blended teams that combine personnel with experience administering complex network environments and personnel with more traditional IT audit experience, who generally have a better knowledge of internal control systems and audit practices. In practical terms, this approach yields more in-depth, technical IT assessments while ensuring that we fulfill all necessary audit functions and provide a comprehensive evaluation of your environment.
For our internal vulnerability assessment services, you will work with one of our experienced technical IT auditors, which provides our firm with the ability to discuss – in detail – the findings of our review with your internal IT personnel or 3rd party network services provider. In addition, we actively attempt to filter false positives or errors generated by our automated tools before providing you with a report – this practice contrasts with many other service providers, who have a tendency to force the workload of filtering all false positives onto your personnel.
What is the time frame for performance of a vulnerability assessment?
We can generally perform your internal vulnerability assessment within one to two weeks after we have a signed engagement letter. If your circumstances require an expedited test, please don’t hesitate to contact us as we can often create availability in our schedule for you.
How will we receive the findings from our vulnerability assessment?
We issue a formal report for all of our review services. This report will include an overview of the findings from our test (management report), as well as any recommendations regarding remediation. A copy of the full testing results will be included as an appendix to our report. We issue all of our reports in electronic format (PDF) via our proprietary secure website or via secure e-mail. Report turnaround generally takes one to two weeks in order to process the report through our internal quality control function; however, expedited issuance of reports is available upon advance request. Please Contact Us if you would like to receive a sample external penetration testing report.
I have over 100 internal IP addresses to test – can Superior provide testing services for my organization?
Certainly. Please Request a Quote in order to receive a customized proposal specific to your environment and the volume of addresses you require to be tested. We regularly provide testing for organizations with more than 100 distinct IP addresses; however, we find that most smaller, non-complex organizations have fewer than 100 addresses that require testing, which is why we’ve set our pricing threshold at this level.
This advertisement represents an ‘invitation to treat’ and any acceptance of the advertised terms will not be considered a binding contract, which requires the written execution of an engagement letter with Superior Consulting, LLC. This engagement letter includes additional restrictions and limitations regarding the advertised service and must be executed before the commencement of these services. The terms stated above, as well as through any mailings, brochures, or electronic advertisements, may be amended, or this advertisement may be revoked or cancelled, at any time by Superior Consulting, LLC, with or without notice.
As advertised above, the stated service fee will cover the performance of external, off-site penetration testing services for up to 100 individual internal Internet Protocol (IP) addresses or nodes specified by the client. This testing will be conducted using automated tools of our choice and we will rely upon information provided to us by the client in the performance of this test. At the conclusion of our testing, we will issue a report to the client in electronic format via secure e-mail or our secure website.
The terms advertised above are only available to formally organized business or non-profit entities located in the United States. Entities located outside the United States should contact us for further information regarding these services.