Penetration Testing

At Clarium, we understand the challenges of today’s adverse economic environment. In every organization, management is faced with tradeoffs and decisions to preserve institutional profitability, but validating the security of your IT systems should not fall victim to the times! This premise was the genesis of our value-priced penetration testing service.

Clarium Managed Services has been engaged in the performance of IT review and testing services for the manufacturing industry since 2003. Our experienced personnel have worked with over 100 entities throughout the Midwest in the evaluation of their managed sourcing, network security, and internal control systems. In 2009, we began offering our IT security testing services to other industries, including the healthcare, construction, education, and manufacturing sectors. In the course of our experience in these industries, we’ve seen a wide array of different prices and descriptions of “penetration testing services”, ranging from the use of simple automated tools to generate a canned printout to in-depth, exploitative penetration testing spanning multiple days or weeks. We’ve also seen drastically varying prices from a litany of different providers, including network service providers, accounting firms, specialized security firms, and basic sole proprietors.

In order to clarify any questions you may have regarding this service, we have provided a series of common questions below. Also, please be sure to read the Terms & Conditions of this advertisement for further information.

COMMON QUESTIONS

What does the penetration test cover and how will it be performed?

This service is an off-site, non-exploitative test of up to 25 individual Internet Protocol (IP) addresses owned or controlled by your organization. To perform this service, you must designate the IP addresses you wish to be tested, and we will perform testing using our toolkit of automated testing solutions.

What is a non-exploitative test?

The IT security industry has not yet developed consistent or standardized terms for describing the specific characteristics of penetration tests or vulnerability assessments. In many settings, the terms ‘penetration test’ and ‘external vulnerability assessment’ may be used interchangeably, while in other settings a ‘penetration test’ may refer to more in-depth testing that seeks to actively exploit detected vulnerabilities in order to compromise (or demonstrate the ability to compromise) specific systems or assets. When we describe our testing as non-exploitative, we are referring to the fact that we will report on detected vulnerabilities or weaknesses but we will not attempt to actively exploit these findings. Within the context of this service, the terms penetration test and external vulnerability assessment are generally synonymous.

What tools will you use to perform the test?

Our toolkit is constantly reviewed to ensure we are able to meet the challenges presented by a continuously evolving security environment. Representative tools we have used include Metasploit, Nessus, & Retina. The tool(s) selected for your engagement may vary based on our perception of the appropriate tool necessary to properly assess your environment. As a rule, we only utilize subscription-based tools in order to ensure we are using tools with updated definition files to facilitate testing for recently emerged exploits or vulnerabilities.

How frequently will the test be performed?

Our service fee provides for the performance of a single test at a time of your choosing. We also offer more frequent testing intervals for the same discounted price per occurrence. Many institutions perform testing on a predefined schedule, such as monthly, quarterly, or semi-annually. As a best practice, we strongly encourage all organizations to perform a penetration test after any changes to your firewall configurations or installation of new, externally-facing hardware. An external penetration test is the only way to effectively validate that these changes did not result in the creation of new vulnerabilities. Periodic penetration testing is also an excellent mechanism for demonstrating the effectiveness of your overall monitoring program to regulatory authorities.

Who will perform our test? Do you utilize 3rd party contractors or outsourcing for this service?

Your test will be performed by direct employees of Clarium Managed Services, LLC. At present, all of our employees are based in the United States, subject to extensive criminal and civil background checks, and have confidentiality agreements with our firm. We will not utilize 3rd party contractors to perform any of our testing without providing prior notice to you and, unless otherwise stated, all testing will be performed by our direct employees. We do not outsource any testing or assurance activities outside of the United States.

What is the time frame for performance of a penetration test?

We can generally perform your penetration test within one to two weeks after we have a signed engagement letter. If your circumstances require an expedited test, please don’t hesitate to contact us as we can often create availability in our schedule for you.

How will we receive the findings from our penetration test?

We issue a formal report for all of our review services. This report will include an overview of the findings from our test (management report), as well as any recommendations regarding remediation. A copy of the full testing results will be included as an appendix to our report. We issue all of our reports in electronic format (PDF) via our proprietary secure website or via secure e-mail. Report turnaround time generally requires one to two weeks in order to process the report through our internal quality control function; however, expedited issuance of reports is available upon advance request. Please Contact Us if you would like to receive a sample external penetration testing report.

I have over 25 IP addresses to test – can Clarium provide testing services for my organization?

Certainly. Please Request a Quote in order to receive a customized proposal specific to your environment and the volume of addresses you require to be tested. We regularly provide testing for organizations with more than 25 distinct IP addresses; however, we find that most organizations have fewer than 25 addresses that require testing, which is why we’ve set our pricing threshold at this level.

TERMS & CONDITIONS

This advertisement represents an ‘invitation to treat’ and any acceptance of the advertised terms will not be considered a binding contract, which requires the written execution of an engagement letter with Clarium Managed Services, LLC. This engagement letter includes additional restrictions and limitations regarding the advertised service and must be executed before the commencement of these services. The terms stated above, as well as through any mailings, brochures, or electronic advertisements, may be amended, or this advertisement may be revoked or cancelled, at any time by Clarium Managed Services, LLC, with or without notice.

As advertised above, the stated service fee will cover the performance of external, off-site penetration testing services for up to 25 individual Internet Protocol (IP) addresses specified by the client. This testing will be conducted using automated tools of our choice and we will rely upon information provided to us by the client in the performance of this test. At the conclusion of our testing, we will issue a report to the client in electronic format via secure e-mail or our secure website.

The terms advertised above are only available to formally organized business or non-profit entities located in the United States. Entities located outside the United States should contact us for further information regarding these services.
