.

Security Assessment Inquiry

<<

bks1

Newbie
Newbie

Posts: 5

Joined: Sat Jan 15, 2011 7:27 pm

Post Sat Jan 15, 2011 7:33 pm

Security Assessment Inquiry

Hi,

Iam new to all of this.  I work for a company that deals with a web hosted system that houses important medical record information.  We are looking to test the vulnerabilities of our system as it is fairly new.  How would we plan for this?  Not too sure where to start. Your input is greatly appreciated. 
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Jan 15, 2011 10:50 pm

Re: Security Assessment Inquiry

While probably not the answer you're looking for, find an outside company to do it. You're too close to the systems that you'll either ignore some things you see, or think it's not an issue. By having an outside 3rd party doing to the assessment, you get a semi-impartial view of the systems.

I say semi-impartial, because there are groups out there that will do the scans and then try to sell you their support or service to help you fix the problems.

However, that's not to say you shouldn't get the skills yourself. Don't practice on your production systems, even if your test lab is a desktop that can run virtual software, and look in to Nessus and other vulnerability scanners.
OSWP, Sec+
<<

bks1

Newbie
Newbie

Posts: 5

Joined: Sat Jan 15, 2011 7:27 pm

Post Sun Jan 16, 2011 9:00 am

Re: Security Assessment Inquiry

Thanks Chris.  We are open to hiring a 3rd party.  However, we are also interested in softwares too.  Just trying to get a feel as to which direction is best.  The system has recently gone live so we are also looking at this as a ongoing security maintenance type thing...if that makes any sense.
<<

bks1

Newbie
Newbie

Posts: 5

Joined: Sat Jan 15, 2011 7:27 pm

Post Sun Jan 16, 2011 9:01 am

Re: Security Assessment Inquiry

Also, what are the price ranges and timelines for something like this...ballpark if you would...if anyone has any ideas. 
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Sun Jan 16, 2011 9:27 am

Re: Security Assessment Inquiry

bks1 wrote:We are open to hiring a 3rd party.  However, we are also interested in softwares too.  Just trying to get a feel as to which direction is best. 


A 3rd party test will only give you information current for that point in time that their test was done. It's very useful for initial remediation efforts but you will want some kind of ongoing scheduled scanning/testing solution in place. Whether a 3rd party MSSP provides this service or you do it internally is a business decision you have to make, but you should have some kind of ongoing vulnerability assessment process in place. I know you mentioned something along those lines so you are thinking in the right direction. The biggest challenge is vetting the capabilities of the 3rd party you use for your test. There are a lot of charlatans out there that will sell you a pen test when they are really just doing a vuln scan.

In my environment, I budget about 30k a year for external 3rd party pentests focused on my PCI environment, and spend about 25k (my salary hours focused on these activities + training costs + software expense) on in house conducted pen testing and then another 50k or so on software licensing and 5k or so on salary related expenses for ongoing vulnerability scanning but this scope includes my entire environment, not just a single app so YMMV. It really depends on your scope and complexity as to cost so we could give you a wide range of numbers that may be meaningless for you. You could also buy cheaper software than me, but I really like what I'm currently using and don't want (or plan) to give it up.

(Total cost for me = 110k)

Btw none of these numbers above include actual remediation. There's another group that handles that. I'm not even an admin on the systems I'm testing (by design - but my tools do have appropriate permissions for credentialled scanning) This is just assessment, and documentation of remediation plans and communication to management of the extended business risk from the discovered and verified vulnerabilities so they can make informed decisions and prioritize remediation tasks.

Hope that helps.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

bks1

Newbie
Newbie

Posts: 5

Joined: Sat Jan 15, 2011 7:27 pm

Post Sun Jan 16, 2011 12:18 pm

Re: Security Assessment Inquiry

Price range for remediation group?  What is a sensible timeframe for a service as such? 
<<

bks1

Newbie
Newbie

Posts: 5

Joined: Sat Jan 15, 2011 7:27 pm

Post Sun Jan 16, 2011 4:05 pm

Re: Security Assessment Inquiry

Also, these are the things that are of concern to us in regards to our system and the information
that resides on it.  Data scraping, Peer to peer file sharing, Secure email, Medical identity theft,
strength of data encryption, Security of downloaded reports, New developments in identity
verification, Wireless security as we think through our mobile strategy.
<<

hell_razor

User avatar

Jr. Member
Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Tue Jan 18, 2011 4:28 pm

Re: Security Assessment Inquiry

bks1 wrote:The system has recently gone live so we are also looking at this as a ongoing security maintenance type thing...if that makes any sense.


As part of your lesson's learned, your vulnerability analysis and potential remediation steps should probably have been done prior to this step of going live.  If it is publicly live, I am sure lots of people have already performed the test for you ;).
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
<<

DrivinTin

User avatar

Jr. Member
Jr. Member

Posts: 51

Joined: Sat Feb 28, 2009 8:01 pm

Location: Houston, TX

Post Tue Jan 18, 2011 4:53 pm

Re: Security Assessment Inquiry

hell_razor wrote:  If it is publicly live, I am sure lots of people have already performed the test for you ;).


Haha, that is a great quote, and sadly very VERY true.
Currently working on:
A UAV Project
Speaking and conferences

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software