Penetration Testing mailing list archives
RE: Wireless Audit Cost
From: Jimi Thompson <jimit () myrealbox com>
Date: Sun, 2 Nov 2003 01:04:21 -0600
You scenario has a couple of things that I think need clarification - 1) "complete analysis" - to me this means that a full audit of both the wired and wireless networks is taking place. This is also implied because you have discovered that the wired and wireless networks aren't segmented properly. 2) "large mobile sales force" - is this 300 or 3000? 3) what's the geography? country and/or location have a BIG impact on price (example, I get paid a LOT more in California or New York than I do in Las Vegas) and 4) as a general rule, your consultant is a different person and/or firm than your auditor (hence that whole thing about independent audits), so if you perform the audit, you likely wouldn't be developing their actual policy and conversely if you are the consultant who is developing the security policy, you probably should not be the one conducting the audit.
Other than getting the wireless AP's behind a VPN gateway, with the scenario that you've given us, I'd be more concerned about those laptops. I'd be wanting to pull in some of the laptops for a random audit of what kind of information is on them and how well they are being maintained, ESPEICALLY since they belong to your sales force. There's an estimate that 40-60% of all laptops that are stolen are stolen for the data and not the laptop. Depending on what's going on with the laptops and what's already in place, but I could easily see recommending something like Marimba or Altiris to handle patching and a VPN client that will not connect unless preestablished conditions are met (like having AV software with current updates).
I'd also be inclined to include remediation for the "critical issues" in the estimate. In this case, that would be a VPN device with a sufficient number of client licenses for all the wireless devices. It would also include the time and labor to re-segment the wireless network off the internal LAN. My thinking here is that if the company's IT staff had either a) sufficient time, b) sufficient know-how or c) sufficient clout to pull it off then it wouldn't be in that shape in the first place. Even if the customer decided to have the work done by a consultant or their own IT staff, they still know what it should cost and there is absolutely no way to "misunderstand" since the estimate will be line itemized showing precisely the equipment, software, etc.
HTH, Jimi At 6:16 PM -0500 10/31/03, lbrooks () cs fsu edu wrote:
Thank you for the input so far. It has been helpful. I had to go back and ask the prof for exactly what he was looking for. He is trying to get a feel for what would be a good ball park budget for a complete analysis from a private company to put in as a recommendation in the paper he is writing. (Someone in another post asked if I could post the study. Unfortunately, the paper is meant for publication so I cant. But should it get published I will be happy to pass along the name of the publication.) Here is the scenario that he and I came up with. The company is a medium sized company with three buildings and a large mobile sales force using wireless laptops. There are ten wireless points located on the internal LAN throughout the three buildings. The wired network has the usual security measures in place, i.e. firewall blocking incoming traffic but not outgoing, servers located in a DMZ (say an http server, mail server and dns all Win2K based), no IDS etc, all Cisco hardware. No security other than mac filtering on the wireless LAN. What we would be looking for is the estimated cost to do a full assessment of the vulnerabilities from the, admittedly completely insecure, wireless network to the main network and develop a wireless security plan for the organization. We understand that every network is different. We are just trying to get a ball park figure for what companies can expect when they go looking for this type of service. If that is not detailed enough please let me know and I will try to firm it up some more. Thank you, Louis Brooks Dept. of Computer Science Florida State University Quoting "Robert E. Lee" <robert () dyadsecurity com>:Your post looks like a RFQ (Request for Quote). :). The details you provided are too scarce to answer fully. Are you looking for costs of software, costs of training for your people... or costs to outsource a wireless security project to a third party? If it's the latter, there are many security companies (including mine) that would be willing to help you price out a project like this. This sort of pricing/scooping phase is a "standard cost of doing business" for us. Sincerely, Robert Robert E. Lee CTO 3400 Irvine Ave, Building 118 Newport Beach, Ca 92660 T (949) 486-6600 F (949) 486-6001 robert () dyadsecurity com > -----Original Message----- > From: lbrooks () cs fsu edu [mailto:lbrooks () cs fsu edu] > Sent: Friday, October 31, 2003 8:01 AM > To: pen-test () securityfocus com > Subject: Wireless Audit Cost > > Hello List Members: > > I work for the Security Group at Florida State University's Department of > Computer Science. We are putting together some documentation for a study > on > best practices in wireless security. One of the last bits of information > we > need to collect for the study is the monetary costs associated with > auditing a > wireless network. I was hoping that some of the members on this list would > be > willing to help us out with gathering the information. We are looking at > the > projected costs associated with auditing a wireless campus with 10 access > points for the study. If you have any information or can point me in the > right > direction to finding this information I would be most appreciative. > > Thank you, > > Louis Brooks > Dept. of Computer Science > Florida State University > > > > ------------------------------------------------------------------------ -- > - > Network with over 10,000 of the brightest minds in information security > at the largest, most highly-anticipated industry event of the year. > Don't miss RSA Conference 2004! Choose from over 200 class sessions and > see demos from more than 250 industry vendors. If your job touches > security, you need to be here. Learn more or register at > http://www.securityfocus.com/sponsor/RSA_pen-test_031023 > and use priority code SF4. > ------------------------------------------------------------------------ -- > ----------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_pen-test_031023 and use priority code SF4. ----------------------------------------------------------------------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_pen-test_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- RE: Wireless Audit Cost lbrooks (Nov 01)
- RE: Wireless Audit Cost Jimi Thompson (Nov 03)
- <Possible follow-ups>
- RE: Wireless Audit Cost Steve Goldsby (ICS) (Nov 03)