Competing for network-based security assessments

tate@ClearNetSec.com (Tate Hansen) — Tue, 19 Sep 2006 15:21:00 -0600

When competing for security assessment projects it is often painful for the customer to distinguish the level of service or effort between proposals. We used to respond to RFPs with the intention of satisfying all the services the customer is soliciting – of course in the end in nearly every case that isn’t what wins the bid.

We came up with a quick flow diagram to illustrate the differences in the level of effort between network-based security assessments. This has helped us tremendously with clients and with keeping the playing field level. It’s not complete or exact by any means, but it works.

We add some verbiage to help customers relate it to real world:

Sample attacker profile:
Basic: Attacker spending minimal effort; downloading free 'hacking' tools and running them with minimal attention
Intermediate: A motivated attacker spending more time and resources with greater attention to detail and actively searching for a weakness
Advanced: A serious attacker with intent to harm or steal information assests

Security assurance profile:
Basic: Minimal; relies on a limited set of tools to discover weaknesses
Intermediate: Good; relies on running many tools with overlapping functions, specialty tools, tuned for bandwidth and latency conditions, and includes manual investigation, validation, and research into findings
Advanced: Excellent; goes beyond Intermediate to prove the existence of vulnerabilities, includes checking non-public domains for the existence of 0-day exploits

ClearNet Security: Tag penetration test

Competing for network-based security assessments