Friday, May 4, 2007

Pen testing

Hi Michael,

I was wondering if I could get a little pen testing advice. What were the primary factors in determining the cost for a penetration test? In general, what is a ballpark range that is reasonable to charge for, say, 5 external IPs/servers?

(name withheld)

Well, like everything, that will depend on several factors.

  • Is this an external attack only, or internal, external and wireless?
  • Is social engineering involved, will a physical penetration be attempted?
  • Will you be dumpster diving?

My guess from your question is that you are performing a remote network penetration test without social engineering.

The scope of work then depends on the level of adversary you are imitating:

  1. Motivated attacker, a user with inside knowledge or an attack by a professional seeking monetary gain
  2. Robot master, someone looking for bots to add to their army
  3. Opportunist, a script-kiddie or other non-professional attempting to crack systems because it's a rush

Level 3 sits a little above what a flat Nessus scan alone gives you. I'd certainly add a little Metasploit work (confirming that the scanner's findings are actually exploitable rather than version-banner guesses) and some light web application inspection, looking for obvious input-handling flaws.

Level 2 will run several well-known exploits and perhaps a 0-day. You need to take a very careful look at the attack surface: validate every web application's input checking (including how it handles the same payload in multiple encodings) and its defences against script and SQL injection.

Level 1 will do all of the above, plus deep research on the target and target employees; this level is beyond the capability of a small-business IT defense.
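The Level 2 point about input checking across multiple encodings is easiest to see in code. The following is an added example and not code from the original post: it takes a probe payload, produces the encodings an attacker would try, runs each through a constructed, deliberately naive blocklist filter and through a version that canonicalises the value before checking, and reports which variants each filter lets through. The filters, probe strings and function names are all assumptions made for this example, not a description of any real application.

```python
"""Probe an input filter with the same payload in several encodings.

Added example, not code from the original post. The two filters below are
constructed stand-ins for the server-side checks a tester would be reviewing;
the probe strings are constructed test inputs, not exploits for any real site.
"""
import html
import unicodedata
from urllib.parse import quote, unquote

# Constructed probe strings a reviewer would try in a form field or URL parameter.
PROBES = {
    "xss": "<script>alert(1)</script>",
    "sqli": "' OR '1'='1",
}

# Fragments the filters look for once they have a value to inspect.
BAD_FRAGMENTS = ("<script", "'")


def encode_variants(payload: str) -> dict:
    """Return the payload in the encodings an attacker might send it in."""
    fullwidth = "".join(
        chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c for c in payload
    )
    return {
        "plain": payload,
        "url": quote(payload, safe=""),
        "double_url": quote(quote(payload, safe=""), safe=""),
        "html_dec": "".join(f"&#{ord(c)};" for c in payload),
        "html_hex": "".join(f"&#x{ord(c):x};" for c in payload),
        # Fullwidth forms (U+FF01..U+FF5E) that NFKC folds back to ASCII.
        "fullwidth": fullwidth,
        "mixed_case": "".join(
            c.upper() if i % 2 else c.lower() for i, c in enumerate(payload)
        ),
    }


def naive_filter(raw: str) -> bool:
    """Constructed 'before' filter: string-matches the raw parameter value
    with no decoding or normalisation. Returns True when the input is accepted."""
    return not any(frag in raw for frag in BAD_FRAGMENTS)


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Decode URL- and HTML-encoding until the value stops changing, then fold
    Unicode compatibility forms and case. The round limit keeps a hostile,
    deeply nested input from turning this into an unbounded loop."""
    value = raw
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value).casefold()


def hardened_filter(raw: str) -> bool:
    """Constructed 'after' filter: the same fragment check, but applied to the
    canonical form the application would actually act on."""
    return not any(frag in canonicalize(raw) for frag in BAD_FRAGMENTS)


def bypasses(filter_fn) -> list:
    """Return the (probe, encoding) pairs that the given filter lets through."""
    leaked = []
    for name, payload in PROBES.items():
        for encoding, variant in encode_variants(payload).items():
            if filter_fn(variant):
                leaked.append((name, encoding))
    return leaked


if __name__ == "__main__":
    for label, fn in (("naive", naive_filter), ("hardened", hardened_filter)):
        leaks = bypasses(fn)
        print(f"{label}: {len(leaks)} variant(s) slipped through")
        for probe, encoding in leaks:
            print(f"  {probe} via {encoding}")
```

On a real engagement the variants are sent to the target and the response is inspected for reflection, errors or changed behaviour; the two local filters here only stand in for that. One caveat on the hardened version: decode to the same depth the application does, no more, or the filter will reject inputs the application itself never decodes and you will be chasing false positives.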

For a client with only five external IPs, simulating either a Level 2 or Level 3 attack is your best bet.

You should be able to perform a Level 3 with automated tools and a little manual work on the more interesting targets. Three hours per IP address is probably a reasonable guess, but you won't actually spread your time that evenly.

Level 2 is tougher; a true attacker of this type hits you and moves on. However, since we can't predict the exact exploits that this attacker would use, a pen-tester has to perform a far more thorough review of the attack surface. This attack simulation will start at a few minutes per IP address, but you should expect to spend 5-10 hours (each) inspecting specific web application services and web server code for flaws. You will need to run exploit and possibly denial-of-service attacks, so agree those with the client and schedule them in advance, since they can take production systems down. Economically, you can't bid this at more than 5-10 hours per IP address, but you could easily double that amount of time if you run into an interesting web application.

My estimates include the time for testing, data gathering and report writing; never underestimate the time you will spend on the report. The report is the most lasting and visible product of your efforts.

Most small clients can bite off a blend of these two attack scenarios: cover all of the systems with an automated scan and a little manual follow-up, but spend a day or two taking a hard look at their primary web server and/or back-end.