At Superior, we understand the challenges of today’s adverse economic environment. In every organization, management is faced with tradeoffs and decisions to preserve institutional profitability, but validating the security of your IT systems should not fall victim to the times! This premise was the genesis of our fixed $995 value-priced penetration testing service.
Superior Consulting has provided IT review and testing services to the banking industry since 2003. Our experienced personnel have worked with over 100 financial institutions throughout the Midwest in the evaluation of their network security and internal control systems. In 2009, we began offering our IT security testing services to other industries, including the healthcare, construction, education, and manufacturing sectors. In the course of our work in these industries, we’ve seen a wide array of different prices and descriptions of “penetration testing services”, ranging from the use of simple automated tools to generate a canned printout to in-depth, exploitative penetration testing spanning multiple days or weeks. We’ve also seen drastically varying prices from a litany of different providers, including network service providers, accounting firms, specialized security firms, and basic sole proprietors.
In order to clarify any questions you may have regarding this service, we have provided a series of common questions below. Also, please be sure to read the Terms & Conditions of this advertisement for further information.
What does the penetration test cover and how will it be performed?
This service is an off-site, non-exploitative test of up to 25 individual Internet Protocol (IP) addresses owned or controlled by your organization. To perform this service, you must designate the IP addresses you wish to be tested, and we will perform testing using our toolkit of automated testing solutions.
What is a non-exploitative test?
The IT security industry has not yet developed consistent or standardized terms for describing the specific characteristics of penetration tests or vulnerability assessments. In many settings, the terms ‘penetration test’ and ‘external vulnerability assessment’ may be used interchangeably, while in other settings a ‘penetration test’ may refer to more in-depth testing that seeks to actively exploit detected vulnerabilities in order to compromise (or demonstrate the ability to compromise) specific systems or assets. When we describe our testing as non-exploitative, we are referring to the fact that we will report on detected vulnerabilities or weaknesses but we will not attempt to actively exploit these findings. Within the context of this service, the terms penetration test and external vulnerability assessment are generally synonymous.
What tools will you use to perform the test?
Our toolkit is constantly reviewed to ensure we are able to meet the challenges presented by a continuously evolving security environment. Representative tools we have used include Metasploit, Nessus, and Retina. The tool(s) selected for your engagement may vary based on our assessment of which tools are appropriate for properly evaluating your environment. As a rule, we only utilize subscription-based tools in order to ensure we are working with current definition files, which allows us to test for recently emerged exploits or vulnerabilities.
How frequently will the test be performed?
Our $995 service fee covers a single test at a time of your choosing. We also offer more frequent testing intervals for the same discounted price per occurrence. Many institutions perform testing on a predefined schedule, such as monthly, quarterly, or semi-annually. As a best practice, we strongly encourage all organizations to perform a penetration test after any changes to your firewall configurations or installation of new, externally-facing hardware. An external penetration test is the only way to effectively validate that these changes did not result in the creation of new vulnerabilities. Periodic penetration testing is also an excellent mechanism for demonstrating the effectiveness of your overall monitoring program to regulatory authorities.
Who will perform our test? Do you utilize 3rd party contractors or outsourcing for this service?
Your test will be performed by direct employees of Superior Consulting, LLC. At present, all of our employees are based in the United States, subject to extensive criminal and civil background checks, and have confidentiality agreements with our firm. We will not utilize 3rd party contractors to perform any of our testing without providing prior notice to you and, unless otherwise stated, all testing will be performed by our direct employees. We do not outsource any testing or assurance activities outside of the United States.
In an effort to simplify the morass of different terms and highly variable, often excessive, pricing for this service, we decided to develop a competitive, value-based, fixed-price offering based on the needs of our client institutions. We believe our fixed $995 pricing represents a clear and equitable price for this service.
$995 seems to be a low price. ABC Firm charged us 3x that price for our last penetration test. How do we know your testing is thorough and effective?
Superior Consulting has been working with financial institutions throughout the Midwest since 2003. During that time, we have developed an excellent reputation as one of the leading providers of consulting services to banks and data centers in this region. We can certainly provide a list of client references to you upon request. Our audit personnel are consummate professionals and have years of experience in the banking and IT industries.
One of the characteristics that sets us apart from other firms is the manner in which we structure our IT audit teams. Many firms utilize individuals with a traditional audit background to perform testing services. Although these individuals may possess credentials such as the CISA or CEH, many do not have practical work experience as a network administrator. Because they haven’t worked directly with the technologies or systems being audited, their ability to understand the mechanics or results of a penetration test is diminished. Instead of this approach, we have been fortunate to maintain blended teams that combine personnel with experience in the administration of complex network environments and personnel with more traditional IT audit experience, who generally have a better knowledge of internal control systems and audit practices. In practical terms, this approach yields more in-depth, technical IT assessments while ensuring that we fulfill all necessary audit functions and provide a comprehensive evaluation of your environment.
For our penetration testing services, you will work with one of our experienced technical IT auditors, which enables us to discuss the findings of our review in detail with your internal IT personnel or 3rd party network services provider. In addition, we actively attempt to filter false positives or errors generated by our automated tools before providing you with a report. This practice contrasts with many other service providers, who have a tendency to push the workload of filtering all false positives onto your personnel.
What is the time frame for performance of a penetration test?
We can generally perform your penetration test within one to two weeks after we have a signed engagement letter. If your circumstances require an expedited test, please don’t hesitate to contact us as we can often create availability in our schedule for you.
How will we receive the findings from our penetration test?
We issue a formal report for all of our review services. This report will include an overview of the findings from our test (management report), as well as any recommendations regarding remediation. A copy of the full testing results will be included as an appendix to our report. We issue all of our reports in electronic format (PDF) via our proprietary secure website or via secure e-mail. Reports are generally issued within one to two weeks, as each report is processed through our internal quality control function; however, expedited issuance of reports is available upon advance request. Please Contact Us if you would like to receive a sample external penetration testing report.
I have over 25 IP addresses to test – can Superior provide testing services for my organization?
Certainly. Please Request a Quote in order to receive a customized proposal specific to your environment and the volume of addresses you require to be tested. We regularly provide testing for organizations with more than 25 distinct IP addresses; however, we find that most organizations have fewer than 25 addresses that require testing, which is why we’ve set our pricing threshold at this level.
This advertisement represents an ‘invitation to treat’ and any acceptance of the advertised terms will not be considered a binding contract, which requires the written execution of an engagement letter with Superior Consulting, LLC. This engagement letter includes additional restrictions and limitations regarding the advertised service and must be executed before the commencement of these services. The terms stated above, as well as through any mailings, brochures, or electronic advertisements, may be amended, or this advertisement may be revoked or cancelled, at any time by Superior Consulting, LLC, with or without notice.
As advertised above, the stated service fee will cover the performance of external, off-site penetration testing services for up to 25 individual Internet Protocol (IP) addresses specified by the client. This testing will be conducted using automated tools of our choice and we will rely upon information provided to us by the client in the performance of this test. At the conclusion of our testing, we will issue a report to the client in electronic format via secure e-mail or our secure website.
The terms advertised above are only available to formally organized business or non-profit entities located in the United States. Entities located outside the United States should contact us for further information regarding these services.