Information security needs to be a critical component of all businesses. There are many ways to lock down your information security and there are also many ways to test how secure your organization actually is. A penetration test is one of those methods for testing the security posture of your organization.
What is a penetration test?
Penetration testing is a real-world examination of how secure your systems, infrastructure, and buildings are—by attempting to exploit (or gain access to) them. By having your security vulnerabilities exposed, you get a better understanding of where your security issues are and where improvements can and should be made.
But it’s not always advantageous to get a penetration test.
When Should I Get One?
Think of it this way. If you wanted to find out how effective the security system of your house was, you could hire someone to attempt to burglarize your home. That’s essentially what a pen test does.
If you don’t have a home security system in place yet though, the staged break-in would be too easy. It’s important that you do a home inspection and install your security controls before testing how they work.
The same is true with a penetration test. If you’ve never had a proper security assessment done on your organization and security practices (or if you don’t have security practices in place at all), finding out how vulnerable they are is both premature and a waste of your time and money.
What Should I Look For?
If you have had a security assessment done for your organization and are ready to schedule a penetration test, there are three things you should consider before selecting someone (or an organization) to conduct the security testing for you:
Is the tester just going to wing it, or is there a process rooted in an industry standard? A lack of documented, repeatable methods is a sign that you’re working with an amateur.
Consider vetting which penetration testing tools they use. Ensure they are up-to-date on current hacking trends and known vulnerabilities and that they start their testing with any security weaknesses related to those.
Don’t settle for someone who’s only going to point out problems. Expect at a minimum an executive summary, a full report with “attack narrative” and appropriate, doable recommendations rooted in reality.
A Real Penetration Tester
Insist on talking to your pen tester and/or security team. It’s important to vet them on their background and experience. At FRSecure we do about 100 penetration tests per year, and our team has OSCP training as well as numerous competition awards (like Defcon CTF and Wild West Hackin’ Fest). If you’re going to have one of these tests done, find security professionals who have similar experience and accolades, so you know you’re not just getting some “script kiddie.”
What Does this Cost?
At FRSecure, we believe in telling the truth (it’s actually our number one core value as a company). After searching for the cost of a network penetration test on my favorite search engine, few people ACTUALLY attempted to answer the question. Most just said, “it depends.”
Well, buckle up, because
Let’s do this by size of organization.
External Network Penetration Test Pricing
External testing attacks network devices from the internet.
- $6,000 for a small business (fewer than 100 employees) with fewer than 5 active, public-facing IPs.
- $15,000-$20,000 for a medium-sized business (100-500 employees) with fewer than 25 active, public-facing IPs.
- $20,000-$30,000 for upper mid-market companies (1,000-3,000 employees) with 25-50 active, public-facing IPs.
- $50,000+ for large companies (Fortune 500-ish) with hundreds of active, public-facing IPs.
Internal Network Penetration Test Pricing
Internal testing attacks network infrastructure from inside your network.
- $10,000 for a small business (fewer than 100 employees) with <100 network devices.
- $10,000-$15,000 for a medium-sized business (100-500 employees) with <500 network devices.
- $25,000-$50,000 for upper mid-market companies (1,000-3,000 employees) with <3,000 network nodes.
- $75,000+ for large companies (Fortune 500-ish) with thousands of network nodes.
If your penetration test is pursuant to PCI compliance, add ~25% to the cost. There’s just more paperwork and a level of tedium involved in getting it right.
Of course, I’m obligated to say that every network is different and that you should get a customized quote. Get a few. Make sure they are apples-to-apples comparisons—and that they actually meet your network security objectives.
For more information on penetration testing, social engineering, vulnerability scans, other technical security services, and to find out how to schedule one for your organization, visit frsecure.com.