Feb 16, 2015

How to conduct cost effective pen testing in a SMB?

I’m sure this isn’t an issue with companies that have dozens of IT staff, but how can a small business conduct penetration testing in a cost effective, meaningful way?
05/29/2015
Cost effective and Penetration Testing do not go hand in hand if the vulnerability scans and Penetration Testing are done correctly. There are too many company's out there today that will come in and run a program and give you a print out of your vulnerabilities and tell you to plug them up. If you are lucky, they may find 30% of your vulnerabilities. Unfortunately, the old saying, "you get what you pay for" is very true, sometimes. I can tell you as an employee for a top ranked cyber security company (MainNerve) we employ former NSA hackers and Top Secret Cleared former Special Operations Black Hat professionals. We have decided to market ourselves to the SMB's at a portion of the costs the big box company's are offering other businesses. We offer the cheapest "REAL" Vulnerability Scans and Penetration testing on the market. Our Pen Testers use "Eyes on Glass" method while testing. Meaning as a vulnerability is discovered, they will exploit that vulnerability on the spot and not let the paying customer deal with it later. Not only will you get a fully detailed outline of your network and what was discovered, our Pen Tester will sit one on one and explain what they have identified and give you realistic means of securing your network. By the way Metasploit is an awesome tool, if you know how to use it. We have engineered this tool to run very effective checks for all of our customers. Look us up on our website, you will not be disappointed: http://www.mainnerve.com

Reese Ferguson
GM, MainNerve
02/17/2015
Pwn Plug is a tool you can use for network penetration testing. Ars did an article about it a couple of years ago. http://arstechnica.com/business/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/

The cheapest Pwn Plug option is $295, so you have to weigh whether that is cost effective for your business. https://www.pwnieexpress.com/
02/17/2015
This article may of use to you:

The Top 5 Free Penetration Testing Tools
http://www.brighthub.com/computing/smb-security/articles/34710.aspx

"The Top Five

Metasploit - Metasploit is an open source platform for developing and testing exploits. It's available for both Unix and Windows systems. This is a far more advanced tool than the others on this list, and requires more programming knowlege to run and use.

Nessus -Tenable Network Security offers Nessus as a free scanner for non-commercial use, with a subscription license required for commercial organizations.

Nikto - Nikto is an Open Source web server security scanning tool. Currently at version 2.03, can scan for over 3500 potential vulnerabilities, with the option for custom scans by classes of vulnerability.

Nmap - Nmap is my Swiss Army Knife for network scanning, port mapping, and OS & application discovery.

Wireshark - Wireshark is my replacement for Ethereal when sniffing and capturing network traffic and examining protocols and sessions in depth."
Answer this