Penetration Testing mailing list archives

Re: [PEN-TEST] Cost of Penetration Testing


From: H Carvey <keydet89 () YAHOO COM>
Date: Tue, 12 Sep 2000 16:45:37 -0000

Rather than asking for more information, I'd like to 
suggest that you take a different approach to what 
you're doing....

First of all, what policies do you have available?  Any 
overall corporate vision or guidance regarding 
information security or the protection of information 
assets?  A good information security plan relies on 
the foundation provided by policies.

What procedures, processes, and standards do you 
have in place?  Do you have configuration standards 
for servers?  How about a documented process for 
rolling out changes to either the servers, or the web 
content?

What monitoring do you currently have in place?  
What logs are being kept, and what's being done with 
them?  

I would suggest to you that perhaps an internal, 
cooperative vulnerability assessment is more in 
order.  Such an activity will reveal much more 
information than a penetration test...because not only will 
the assessment (or audit, depending upon your 
terminology) review the current configuration of all 
network devices...routers, switches, firewalls, web 
servers, operating systems...but should also include 
a look at your policies and procedures.  

The only real purpose of a penetration test is to test 
your incident response capability.  If you're looking for 
some sort of verification of your "hackerproofness", 
don't go with a penetration test...very few companies 
do them right.  What you'll get is a determination of 
how resistant you are to script kiddies, followed by 
the recommendation that you get an internal 
vulnerability audit.

Carv

