Re: Penetration Testing

["Michael J. Kenney" <m.kenney () USCIENCES EDU>]

We just switched from Tenable Perimeter Service to Qualys. They have a great educational discount, which cuts down the 
cost. Also, the reporting is 100% better because there is actual reporting.



Michael
--
Michael Kenney
Information Security Officer
IT Department
University of the Sciences
600 S. 43rd St. Philadelphia, PA 19104
215-596-7403 Office
m.kenney () usciences edu<mailto:m.kenney () usciences edu> | www.usciences.edu<http://www.usciences.edu/>

USciences:  Where healthcare and science converge






-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jamie A. 
Stapleton
Sent: Thursday, February 28, 2013 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Penetration Testing



$3,600/year works well if you have a lot of IPs.



For smaller scans, you might want to check out https://purecloud.ncircle.com/, which starts at $50/IP/year.



-----Original Message-----

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bradley, 
Stephen W. Mr.

Sent: Wednesday, December 19, 2012 10:39 AM

To: SECURITY () LISTSERV EDUCAUSE EDU

Subject: Re: [SECURITY] Penetration Testing



If you just want a scan Tenable provides the Nessus scan from off-site for $3,600/year.  You configure it and run it 
when and on what you want.  From that information you can see what ports are open and a rough idea of what might be 
vulnerable.  Then you can dive deeper with other tools or farm it out.



Thx

Steve



-----Original Message-----

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () listserv educause edu] On Behalf Of Willis 
Marti

Sent: Wednesday, December 19, 2012 9:59 AM

To: SECURITY () listserv educause edu

Subject: Re: [SECURITY] Penetration Testing



Do you actually mean "penetration testing" or do you really want a vulnerability assessment? Or just an external 
vulnerability scan?

LOTS of folk will do a Nessus-like scan, possibly rating the vulnerabilities high/medium/low, but very few will go 
further and say "your security status is passing/failing".

I don't think "zero defects" is reasonable for higher ed; we're not a bank or military facility. Our job is to 
distribute information.

So what do you really want?



----- Original Message -----

>

> Does anyone have any recommendations for companies that do penetration

> testing? We are considering bringing in an outside company to do

> penetration testing on Lehigh's systems and network and would like

> someone with experience in the higher ed domain. Reply here or off-line if you prefer.



--

Willis Marti

Director and CISO

Networking and Information Security

Texas A&M University