RE: Wireless Audit Cost

["Steve Goldsby (ICS)" <sgoldsby () networkarmor com>]

Without knowing the number of network nodes and number of mobile users,
this is just a wag, speaking for my company.

A Full blown NSA-IAM style risk assessment, including communications
security, physical security, network security, user security, policy gap
analysis, organizational review (including the security organization if
any), network security, vulnerability scan, architecture review, and
legislative overview as applicable to the organization (if applicable)
would be in the range of $50k-$100k.  

Most of this cost is justified (in the case of my company) by the depth
of the executive and technical summaries provided in the final
deliverable, as well as the amount of prior work brought to the table
and included in the deliverable, including recommendations for
remediation, etc.... e.g. by providing a lot of guidance on how to get
well without locking the client into the 'perpetual consultant
syndrome'.

Some companies that just provide a "this is what's wrong, give me more
money and I'll tell you how to fix it" report are often much less costly
(and much less valuable).

Hope this helps.

Steve Goldsby
www.networkarmor.com

 
-----Original Message-----
From: lbrooks () cs fsu edu [mailto:lbrooks () cs fsu edu] 
Sent: Friday, October 31, 2003 5:17 PM
To: pen-test () securityfocus com
Subject: RE: Wireless Audit Cost


Thank you for the input so far. It has been helpful. 

I had to go back and ask the prof for exactly what he was looking for.
He is 
trying to get a feel for what would be a good ball park budget for a
complete 
analysis from a private company to put in as a recommendation in the
paper he 
is writing. (Someone in another post asked if I could post the study. 
Unfortunately, the paper is meant for publication so I cant. But should
it get 
published I will be happy to pass along the name of the publication.) 

Here is the scenario that he and I came up with. The company is a medium
sized 
company with three buildings and a large mobile sales force using
wireless 
laptops. There are ten wireless points located on the internal LAN
throughout 
the three buildings. The wired 
network has the usual security measures in place, i.e. firewall blocking

incoming traffic but not outgoing, servers located in a DMZ (say an http

server, mail server and dns all Win2K based), no IDS etc, all Cisco
hardware. 
No security other than mac filtering on the wireless LAN. What we would
be 
looking for is the estimated cost to do a full assessment of the 
vulnerabilities from the, admittedly completely insecure, wireless
network to 
the main network and develop a wireless security plan for the
organization. 

We understand that every network is different. We are just trying to get
a 
ball 
park figure for what companies can expect when they go looking for this
type 
of service. If that is not detailed enough please let me know and I will
try 
to firm it up some more. 

Thank you,

Louis Brooks
Dept. of Computer Science
Florida State University


Quoting "Robert E. Lee" <robert () dyadsecurity com>:

> Your post looks like a RFQ (Request for Quote). :).  The details you
> provided are too scarce to answer fully.  Are you looking for costs of
> software, costs of training for your people... or costs to outsource a
> wireless security project to a third party?
>
> If it's the latter, there are many security companies (including mine)
> that would be willing to help you price out a project like this.  This
> sort of pricing/scooping phase is a "standard cost of doing business"
> for us.
>
> Sincerely,
>
> Robert
>
> Robert E. Lee
> CTO
>
> 3400 Irvine Ave, Building 118
> Newport Beach, Ca 92660
> T (949) 486-6600
> F (949) 486-6001
> robert () dyadsecurity com
>
> > -----Original Message-----
> > From: lbrooks () cs fsu edu [mailto:lbrooks () cs fsu edu]
> > Sent: Friday, October 31, 2003 8:01 AM
> > To: pen-test () securityfocus com
> > Subject: Wireless Audit Cost
> >
> > Hello List Members:
> >
> > I work for the Security Group at Florida State University's
Department
> of
> > Computer Science. We are putting together some documentation for a
> study
> > on
> > best practices in wireless security. One of the last bits of
> information
> > we
> > need to collect for the study is the monetary costs associated with
> > auditing a
> > wireless network. I was hoping that some of the members on this list
> would
> > be
> > willing to help us out with gathering the information. We are
looking
> at
> > the
> > projected costs associated with auditing a wireless campus with 10
> access
> > points for the study. If you have any information or can point me in
> the
> > right
> > direction to finding this information I would be most appreciative.
> >
> > Thank you,
> >
> > Louis Brooks
> > Dept. of Computer Science
> > Florida State University
------------------------------------------------------------------------
> --
> > -
> > Network with over 10,000 of the brightest minds in information
> security
> > at the largest, most highly-anticipated industry event of the year.
> > Don't miss RSA Conference 2004! Choose from over 200 class sessions
> and
> > see demos from more than 250 industry vendors. If your job touches
> > security, you need to be here. Learn more or register at
> > http://www.securityfocus.com/sponsor/RSA_pen-test_031023
> > and use priority code SF4.
------------------------------------------------------------------------
> --
> > --



------------------------------------------------------------------------
---
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_pen-test_031023
and use priority code SF4.
----------------------------------------------------------------------------