Penetration Testing mailing list archives

RE: Sizing Pentest


From: stephen () fishnetsecurity com
Date: Fri, 29 Jun 2001 10:39:40 -0500

I am a consultant and I bid all my projects as a single flat fee.  To do
this, I need to estimate my costs up front.  I ask the client for three
things:

1. Number and size of externally-accessible networks targeted
2. Number of externally-accessible servers hosted
3. Description of system(s) being hosted

To then estimate the cost of the pen test, I use this method:
{
[(# of servers) * (scan per server)] +
[(# of 3rd party servers) * (scan per server)] +
[(# of networks) * (scan per network)] +
[(# of proximal routers) * (scan per router)] +
[(# of systems) * (exploitation per system)] 
} * (reporting factor) = TOTAL PEN TEST LABOR

Where:
(# of servers) = # of IP Addresses of client's own servers
(# of 3rd party servers) = # of externally-hosted web servers
(scan per server) = approx 5-10 min. of port and vulnerability scan
(# of networks) = # of class C networks to map
(scan per network) = 10-15 min. of ping sweep & traceroute mapping
(# of proximal routers) = # of routers hosted by client, or 1 hop away from
ISP gateway
(scan per router) = 2-4 min. of SNMP sweep, default password check, telnet
banner check, etc.
(# of systems) = # of major systems (email, ftp, http, E-commerce, etc.)
hosted 
(exploitation per system) = 1-2 hrs. of attempted exploitation
(reporting factor) = 300% or 2 hours of reporting for 1 hour of data
collection

I then multiply my labor estimate by $185 per hour (my billing rate) and
then add cost of maintaining equipment and software,
printing/binding/shipping reports, and any travel expenses for in-house
presentation of my findings.

Of course you will need to fine tune this to your Scope of Work, billing
rate, and complexity of scanning & reporting, but I think that this is a
good framework.




Sincerely,

Stephen C. Thompson,
Piranha Team Network Security Engineer
Fishnet Security
1710 Walnut
Kansas City, MO 64108
Tel:    816-421-6611
Fax:    816-421-6677
Cell:   816-522-6369
<http://www.fishnetsecurity.com> 

*       2000 & 2001 Top 10 Kansas City Small Business
*       2000 Deloitte & Touche Fast 50 Rising Stars
*       2000 & 1999 Check Point Fastest Central Region Revenue Growth Award
*       2000 & 1999 CRN Top 25 Computer Executives
*       1998 Check Point Excellence Award Winners

"Some Companies have Network Security Divisions,
 FishNet is a Network Security integrator.
 Who should you trust with your Network Security?"

_______________________________________________________________________

The information transmitted in this e-mail is intended only for the
addressee and may contain confidential and/or privileged material.  Any
interception, review, retransmission, dissemination, or other use of, or
taking of any action upon this information by persons or entities other than
the intended recipient is prohibited by law and may subject them to criminal
or civil liability. If you received this communication in error, please
contact us immediately at 816.421.6611, and delete the communication from
any computer or network system.
_______________________________________________________________________



-----Original Message-----
From: Leonardo Loro [mailto:leoloro () microsoft com]
Sent: Thursday, June 28, 2001 12:49 AM
To: Penetration Testing (E-mail)
Subject: Sizing Pentest


Hi all,

Which key points should be taken into account when sizing a pen test (for a
financial institution that wants to check the vulnerabilities of their
intranet systems)?  Should it be charged per hour? Per server?
Per deliverable?

Basically, they have 10 Sun 450e and 10 W2k servers on their intranet,
and a PIX working as a FW in front of them.

Thx,

Leo
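As an added worked example (not part of either post, and not Fishnet Security's own tooling), here is Stephen's estimation formula carried through on Leo's scenario. The effort ranges, reporting factor and $185/hr rate are the ones quoted in the reply; the scenario inputs beyond "10 Sun + 10 W2K servers behind a PIX" (one class C, the PIX counted as the one perimeter device to check, four major systems) are constructed assumptions.

```python
"""Flat-fee pentest labour estimate, as described in the reply above.
Added example: the per-unit ranges come from the post, the Leo-case inputs
marked 'assumed' are constructed for illustration."""

# (low, high) minutes per unit, as stated in the reply.
SCAN_PER_SERVER = (5, 10)       # port + vulnerability scan per IP address
SCAN_PER_NETWORK = (10, 15)     # ping sweep + traceroute mapping per class C
SCAN_PER_ROUTER = (2, 4)        # SNMP sweep, default-password and banner checks
EXPLOIT_PER_SYSTEM = (60, 120)  # 1-2 hrs of attempted exploitation per major system
REPORTING_FACTOR = 3.0          # 300%: 2 hrs of reporting per 1 hr of collection
BILLING_RATE_USD = 185.0        # per hour, as quoted


def estimate_hours(servers, third_party_servers, networks, routers, systems):
    """Return (low, high) total labour hours: collection minutes x reporting factor."""
    def bound(i):
        minutes = (servers * SCAN_PER_SERVER[i]
                   + third_party_servers * SCAN_PER_SERVER[i]
                   + networks * SCAN_PER_NETWORK[i]
                   + routers * SCAN_PER_ROUTER[i]
                   + systems * EXPLOIT_PER_SYSTEM[i])
        return minutes * REPORTING_FACTOR / 60.0
    return bound(0), bound(1)


def estimate_labor_cost(servers, third_party_servers, networks, routers, systems,
                        rate=BILLING_RATE_USD):
    """Return (low, high) labour cost in USD; equipment, printing and travel are extra."""
    low, high = estimate_hours(servers, third_party_servers, networks, routers, systems)
    return low * rate, high * rate


# Leo's scenario as constructed inputs: 10 Sun + 10 W2K servers, no third-party
# hosting, one internal class C (assumed), the PIX counted as the single
# perimeter device to check (assumed), four major systems (assumed; not stated).
LEO_CASE = dict(servers=20, third_party_servers=0, networks=1, routers=1, systems=4)

if __name__ == "__main__":
    lo_h, hi_h = estimate_hours(**LEO_CASE)
    lo_c, hi_c = estimate_labor_cost(**LEO_CASE)
    print(f"labour: {lo_h:.1f}-{hi_h:.1f} hrs, cost: ${lo_c:,.0f}-${hi_c:,.0f}")
```

Running it gives roughly 17.6 to 35 labour hours, or about $3,256 to $6,466 before expenses; swapping in your own ranges and rate is the fine-tuning Stephen refers to.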


--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service
For more information on SecurityFocus' SIA service which automatically
alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/
