Re: Penetration Testing

["Jamie A. Stapleton" <jstapleton () COMPUTER-BUSINESS COM>]

$3,600/year works well if you have a lot of IPs.

For smaller scans, you might want to check out https://purecloud.ncircle.com/, which starts at $50/IP/year.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bradley, 
Stephen W. Mr.
Sent: Wednesday, December 19, 2012 10:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Penetration Testing

If you just want a scan Tenable provides the Nessus scan from off-site for $3,600/year.  You configure it and run it 
when and on what you want.  From that information you can see what ports are open and a rough idea of what might be 
vulnerable.  Then you can dive deeper with other tools or farm it out.

Thx
Steve

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () listserv educause edu] On Behalf Of Willis 
Marti
Sent: Wednesday, December 19, 2012 9:59 AM
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Penetration Testing

Do you actually mean "penetration testing" or do you really want a vulnerability assessment? Or just an external 
vulnerability scan?
LOTS of folk will do a Nessus-like scan, possibly rating the vulnerabilities high/medium/low, but very few will go 
further and say "your security status is passing/failing".
 I don't think "zero defects" is reasonable for higher ed; we're not a bank or military facility. Our job is to 
distribute information.
So what do you really want?

----- Original Message -----
> Does anyone have any recommendations for companies that do penetration 
> testing? We are considering bringing in an outside company to do 
> penetration testing on Lehigh's systems and network and would like 
> someone with experience in the higher ed domain. Reply here or off-line if you prefer.

--
Willis Marti
Director and CISO
Networking and Information Security
Texas A&M University