How much to charge for a network security audit? (Penetration Testing)

Posted on 2006-11-28
Last Modified: 2013-11-16
Hello,

This might sound unprofessional, but I was wondering if anyone knew what an ideal hourly rate would be for internal and external network security auditing? I want to start marketing myself as a network security auditor for small/medium businesses in my state. I am a Certified Ethical Hacker and Security+ certified. I have about 4 years of network administration experience under my belt and honestly only about 1.5 years of hardcore IT security experience. This is only a part-time job while I finish college... I'll be active duty in the Air Force when I graduate next year.

Based on the size of the client's network, I plan to have my audits take from 10 to 40 hours of working time, average probably being around 20.

Thank you for your help!


P.S. My best guess for a rate right now is $120/hr. Reasonable? Too high/low? Thanks!
Question by:wildblue7272
7 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 18034097
I charge a flat fee, and start from the outside in. If I get into the network from the outside with no more than the IP address space or website name, I go to an hourly rate. If they simply want to know if they have unpatched boxes, unsecured records, unsecured wifi, and/or easily guessed passwords, I charge an hourly rate of $115 (US) with a minimum 2 hour charge. If they want me to social engineer, physically enter, or test other security measures, I use a flat fee again. Code review and remediation of code is a fee I sort of make up on the spot, depending on the size and scope of their flaws. Typically I provide more guidance than actual code corrections written myself.

There are also considerations for the size and scope of the pen audit that pertain to the pricing. Clients know they need a 3rd party audit or have been asked to get one, but they don't know what that might entail. There are several regulations and acts that recently have sprung up as hot items, such as SOX and HIPAA compliance and conformance.
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
http://en.wikipedia.org/wiki/HIPAA
There are also things you may note in your audit that the client doesn't know any better about, such as privacy laws that vary greatly from state to state; there are many corporations and small businesses that violate state laws without knowing the variances. So if you notice that everyone's SSN is posted to a very public place, such as a company intranet or some HR spreadsheet that is unprotected, check local laws and make the client aware of compliance or neglect. That's just an example.
-rich
 

Author Comment

by:wildblue7272
ID: 18034141
Thanks, rich... and congrats on being #1 in Security on EE.

Forgive me, but I'm going to wait and see if I get any more answers before I accept.

Thanks again!
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18034529
No problem, and thanks. I can wait for the points ;-)
-rich
 
LVL 79

Expert Comment

by:lrmoore
ID: 18035980
Would either of you care to comment in this thread:
http://www.experts-exchange.com/Networking/Q_22076088.html

Thanks!
 
LVL 3

Expert Comment

by:mahe2000
ID: 18038151
There are two things you have to think about: first of all, the scope of the job (and the tasks associated with it) and then the kind of client you are offering your services to. And you have to think about the depth of the analysis too; the deeper, the more expensive.
 

Author Comment

by:wildblue7272
ID: 18039244
mahe2000:
Instead of taking that approach - or the flat fee approach - I believe it will be more effective to have a set hourly rate. Therefore the desired scope and depth of the job will automatically price itself, since either factor will directly affect working time.

Thanks for the reply, though. If you think my approach is flat out wrong, then please tell me :)
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18039398
There are quite a few things you can apply an hourly rate to, but other tasks you can't... how will the customer/client verify it took you 9 hrs to penetrate into the site, or 5 hrs to crack all the passwords, etc.? I charge the flat fee for single penetration and network mapping. I can sometimes create a better network diagram of the site than the client themselves. Once I get in, it's basically reconnaissance after that. I document the steps it took to break in (not all the steps it took, as many don't work, just the ones that paid off) and then I attempt to map the network out from that host; if I need to move to other hosts to finish the map, I get more written consent (if not consented to previously). After that I create a mitigation summary. When they want me looking at all hosts/offices/policies/procedures etc., then I go hourly, as that can be verified. I penetrate remotely, then after that I come into the LAN and do the rest. Wifi is an easy entry point, and I fall back to that if the web/VPN/firewall don't let me in within a reasonable amount of time.
When you have tools that can help automate your audit, I tend to go with flat rates; when I have to put "human hours" into something like website code review, physical security, and network mapping, I use an hourly rate. It does vary from job to job, but that's pretty much what I do; it probably won't work for everybody.
-rich