$1,495 Internal Vulnerability Assessment

This service is an off-site, non-exploitative test of up to 256 individual internal Internet Protocol (IP) addresses or nodes owned or controlled by your organization. To perform this service, you must designate the IP addresses you wish to be tested, and we will perform testing using our toolkit of automated testing solutions.

The IT security industry has not yet developed consistent or standardized terms for describing the specific characteristics of penetration tests or vulnerability assessments. In many settings, the terms ‘penetration test’ and ‘vulnerability assessment’ may be used interchangeably, while in other settings a ‘penetration test’ may refer to more in-depth testing that seeks to actively exploit detected vulnerabilities in order to compromise (or demonstrate the ability to compromise) specific systems or assets. When we describe our testing as non-exploitative, we are referring to the fact that we will report on detected vulnerabilities or weaknesses but we will not attempt to actively exploit these findings. Within the context of this service, the terms penetration test and external vulnerability assessment are generally synonymous while internal vulnerability assessment refers to testing focused on devices ‘behind’ the firewall or logically located so that they are not directly Internet-facing and is similarly non-exploitative in nature.

Our toolkit is constantly reviewed to ensure we are able to meet the challenges presented by a continuously evolving security environment. Representative tools we have used include Nessus, Nexpose, Metasploit, & Retina. The tool(s) selected for your engagement may vary based on our perception of the appropriate tool necessary to properly assess your environment. As a rule, we only utilize subscription-based tools in order to ensure we are using tools with updated definition files to facilitate testing for recently emerged exploits or vulnerabilities.

We will work with your administrative personnel to determine the most effective manner in which to perform the internal vulnerability assessment. Generally, your test can be performed through allowing Superior a temporary Virtual Private Network (VPN) connection into your internal network. We will require domain-level administrative credentials in order to perform the test and we will require you to setup a dedicated account for this purpose, which we also encourage you to disable immediately after conclusion of testing. Testing is commonly performed through use of a dedicated Virtual Machine (VM), which will be the only device that fully authenticates to your network. We do not re-use VMs for testing and each test will be conducted using a ‘new’ VM instance created from a clean template optimized for this task. We strongly recommend our clients enable any necessary logging and adopt practices to ensure our administrative and VPN accounts are terminated or disabled after the completion of our testing. If you cannot deploy a VM in your network environment, we may be able to offer alternatives, but please Contact Us to discuss this issue.

We’re a professional service firm that was founded in 2003 and has worked extensively in the banking industry in the midwestern United States. We value our reputation for competence and honesty and we’ll do everything in our power to deliver on our commitments to you. As an experience banking consultant, our CEO understands the obligations we have to our clients and that our reputation is our most valuable currency.

One of the characteristics that set us apart from the competition is the manner in which we structure our IT audit teams. Many firms utilize individuals with a traditional audit background to perform testing services. Although these individuals may possess credentials such as the CISA or CEH, many do not have practical work experience as a network administrator, which diminishes their ability to understand the mechanics or results of a penetration test since they haven’t worked directly with the technologies or systems being audited. Instead of this approach, we have been fortunate to maintain blended teams that include personnel with experience in the administration of complex network environments and personnel with more traditional IT audit experience, as they generally have a better knowledge of internal control systems and audit practices. In practical terms, this approach yields more in-depth, technical IT assessments while ensuring that we fulfill all necessary audit functions and provide a comprehensive evaluation of your environment.

For our vulnerability assessment services, you will work with one of our experienced technical IT auditors, which provides our firm with the ability to discuss – in detail – the findings of our review with your internal IT personnel or 3rd party network services providers or vendors. We actively attempt to filter false positives or errors generated by our automated tools before providing you with a report and our auditors are available to discuss your findings in detail after the conclusion of our testing.

Your test will be performed by direct employees of Superior Consulting, LLC. At present, all of our employees are based in the United States, subject to extensive criminal and civil background checks, and have confidentiality agreements with our firm. We will not utilize 3rd party contractors to perform any of our testing without providing prior notice to you and, unless otherwise stated, all testing will be performed by our direct employees. We do not outsource any testing or assurance activities outside of the United States.

Absolutely. We frequently performing testing services on systems hosted by Amazon Web Services, Microsoft Azure, and other cloud providers. Please note: these providers commonly require YOU to request and obtain permission from them prior to the start of any testing. It is your responsibility to obtain this permission and provide documentation to this effect to our personnel prior to the commencement of any testing.

Performance of testing requires an executed engagement letter between Superior and your company. Once we have the appropriate contracts in place, testing can ordinarily be scheduled to commence within the next 72 – 96 hours; however, expedited testing may be available upon request. This assessment is dependent on your deployment of a VM or other device to perform this testing and, as a result, may require the cooperation of additional parties (e.g. managed service provider), which can place the timeline for testing, in part, outside our direct control.

Our $1,495 service fee provides for the performance of a single test at a time of your choosing. We also offer more frequent testing intervals, which may or may not be further discounted depending on size and frequency. Many organizations perform testing on a predefined schedule, such as monthly, quarterly, or semi-annually. As a best practice, we strongly encourage all organizations to perform an internal vulnerability assessment at least annually or after any major changes in patching practices or solutions. An internal vulnerability assessment is one of the most effective means of validating that patch management practices are effective and that managed service providers, if utilized, are fulfilling contractual obligations. Periodic vulnerability assessments are also an excellent mechanism for demonstrating the effectiveness of your overall monitoring program to regulatory authorities, key customers and vendors, and other stakeholders.

As with our $995 Penetration Test service, this is one of the easiest questions we receive – the answer remains simple: value and transparency. We decided to develop a competitive, value-based, fixed priced offering based on the needs of our clients. We believe our fixed $1,495 pricing represents a clear and equitable price for this service and when we say fixed, we mean it! As stated above and below, the $1,495 test covers 256 internal IP addresses or nodes and includes a formal report written by our personnel (not just a canned automated report). This price does not cover re-testing, more than 256 IP addresses, multiple testing reports, or services rendered outside the normal course of the engagement (e.g. depositions, regulatory responses, extensive post-engagement consultation). We’re happy to offer those services as well, but in order to deliver on our fixed $1,495 price, those are necessarily outside of the scope of our engagement.

Unfortunately, we can’t control what other firms charge, but we can control our own prices and quality of work. Superior Consulting has been working with financial institutions throughout the Midwest since 2003. During that time, we have developed an excellent reputation as one of the leading providers of consulting services to banks and data centers in this region. We can certainly provide a list of bank or other industry references to you upon request. Our audit personnel are consummate professionals and have over 80 years of combined experience in the banking and IT industries.

We issue a formal report for all of our review services. This report will include an overview of the findings from our test (management report), as well as any recommendations regarding remediation. A copy of the full automated testing results will be included as an appendix to our report. To reiterate the above, the management report is written directly by our personnel and the results of any scanning are added as an addendum, with our goal being that the final deliverable from our engagement will be polished and understandable.

We issue all of our reports in electronic format (PDF) via our proprietary secure website or via secure e-mail. Report turnaround time generally requires one to two weeks in order to process the report through our internal quality control function; however, expedited issuance of reports is available upon advance request.

Absolutely, please Contact Us if you would like to obtain a sample internal vulnerability assessment report.

Certainly. Please Contact Us in order to receive a customized proposal specific to your environment and the volume of addresses you require to be tested. We commonly provide testing for organizations with more than 256 distinct internal IP addresses; however, we found this sizing to be a reasonable means of pricing this service while still accommodating small organizations with less than 256 internal IPs or nodes.

Sure. As a rule, our testing is pricing works on a block basis, so each additional block of up to 256 IP addresses will result in an additional $1,495; however, we occasionally offer discounts in order to ensure our pricing is equitable. Please Contact Us to discuss the specifics of your situation.

Re-testing is not included in the $1,495 price. Our goal with the $1,495 price is to deliver a fair value to all our clients regardless of whether or not a given client requires re-testing services. In consequence, our service offering is not padded with additional time or margins that may or may not be justified depending on your decision to request re-testing. If re-testing is required, we do offer this service at a reasonable additional fixed fee of $1095 for a single re-test including the issuance of another formal report OR a discounted fee of $695 for a re-test without an additional formal report.

Yes, we are able to issue additional formal reports that separate the results of our testing, but an additional cost may be incurred. As stated above, our $1,495 pricing is a fixed price for delivery of a very inclusive yet specific service offering. We don’t pad our pricing to cover deviations from the norm, so changes of this nature may result in an additional charge. We always commit to keep any additional costs fair and commensurate to the cost of the underlying engagement.