Consultancy: Frequently Asked Questions
How does the service work?
Can I try before I buy?
Who runs the audits?
How do I get a report?
Does my customer know I am using you?
What does it cost to use?
What discounts are available to me?
What is the per-customer charge?
Do I need to keep a continuous subscription?
How often can I run an audit for a customer?
How much do I charge my customers?
What is an audit waiver?
Why do I need to have each customer sign a waiver?
Can I set up my own site with your service?
After running your audit, are my customers secure?
How long does it take to audit a full Class C network?
Will this take down my customer's network?
Which platforms do you audit?
How does the service work?

The service is essentially a replacement for a commercial vulnerability
scanner. Rather than buying a commercial scanner for many thousands of
dollars, worrying about network connectivity, keeping the tool up to
date, ensuring it is operating properly and so on, you can use our audits
as a competitive replacement. By providing a web front-end to a scanning
system along with authentication mechanisms, we offer users a cost-effective
way of using a vulnerability scanner. No software to download, nothing to
install. Everything is done via a browser over SSL to our site, from where
you can run audits, schedule audits for later, view reports, annotate
reports, etc.
Can I try before I buy?

Yes. You can register for a regular user account on our system and try
the interface by running any of our free audits. Consultants get an almost
identical interface; the only difference is that a different authorization
mechanism applies, allowing consultants to audit systems other than the
one they are browsing from.
Who runs the audits?

You do. We provide the facilities, but you are the one that logs into
your account on our servers, schedules or runs audits, looks at reports,
etc.
Does my customer know I am using you?

Possibly. Since it is our scanning farm that runs the audits, a customer
who does a reverse DNS lookup on the source IP addresses of the scanning
traffic (for example, as seen in firewall or IDS logs) will see them
resolve back to *.securityspace.com.
Our reports, on the other hand, have an unbranded, printer-friendly
version that does not show the SecuritySpace name or logo anywhere.
Likewise, the audit waiver that you must have customers sign is unbranded.
You are free to wrap the waiver in your own letterhead so long as you do
not change the text of the waiver. Reports may be re-branded and edited
in whatever fashion you choose.
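As an added example that is not part of the original FAQ, the following Python script shows how a customer would attribute scanning traffic from their own logs: it pulls the source IPs out of firewall log lines, reverse-resolves each one, and reports those whose PTR name falls under a given domain. The log lines and the PTR answers are constructed for the example so that it runs offline; the hostnames in the table are hypothetical, and matching on the "securityspace.com" suffix is an assumption made for illustration, not a statement about actual scanner addresses.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample firewall log lines (not taken from the page). The
# addresses are RFC 5737 documentation ranges used purely for illustration.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z DENY  src=198.51.100.7 dst=203.0.113.10 dport=22
2024-01-01T10:00:02Z DENY  src=198.51.100.7 dst=203.0.113.10 dport=445
2024-01-01T10:00:05Z ALLOW src=192.0.2.44   dst=203.0.113.10 dport=443
2024-01-01T10:00:09Z DENY  src=198.51.100.9 dst=203.0.113.11 dport=3306
"""

# Constructed PTR answers standing in for real reverse DNS so the example
# runs offline. These hostnames are hypothetical, not real scanner names;
# the second one exists to show that a suffix match must respect labels.
FAKE_PTR: Dict[str, str] = {
    "198.51.100.7": "scan7.securityspace.com",
    "198.51.100.9": "host9.notsecurityspace.com",
}

Resolver = Callable[[str], Optional[str]]
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def real_ptr(ip: str) -> Optional[str]:
    """Reverse-resolve via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def fake_ptr(ip: str) -> Optional[str]:
    """Offline stand-in for real_ptr backed by the constructed table above."""
    return FAKE_PTR.get(ip)


def in_domain(hostname: Optional[str], domain: str) -> bool:
    """True if hostname is `domain` or a subdomain of it (label-boundary match)."""
    if not hostname:
        return False
    h = hostname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)


def unique_sources(log_text: str) -> List[str]:
    """Distinct src= addresses in order of first appearance."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def attribute_sources(log_text: str, domain: str,
                      resolver: Resolver = real_ptr) -> Dict[str, str]:
    """Map each source IP whose PTR name falls under `domain` to that name."""
    hits: Dict[str, str] = {}
    for ip in unique_sources(log_text):
        name = resolver(ip)
        if name is not None and in_domain(name, domain):
            hits[ip] = name
    return hits


if __name__ == "__main__":
    for ip, name in attribute_sources(SAMPLE_LOG, "securityspace.com",
                                      resolver=fake_ptr).items():
        print(f"{ip} -> {name}")
```

The domain check matches on a label boundary, so a name such as host9.notsecurityspace.com is not attributed to securityspace.com. A PTR record is published by whoever controls the address space, so treat the result as a hint rather than proof; checking that the returned name also resolves forward to the same IP (forward-confirmed reverse DNS) raises confidence, and the signed audit waiver remains the authoritative record that a scan was authorized.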
What does it cost to use?

There is a one-time, $250 USD setup fee to become a member of the
consultancy program. This is billed after you have been accepted and
after you have returned a signed consultancy agreement. Thereafter,
the costs for the services are listed on the site under each service
section.
What discounts are available to me?

Consultants do not receive discounts off the list prices. What they do
get is the ability to leverage services they buy against an unlimited
number of customers. If you buy, for example, a one month unlimited
auditing package, you may audit as many customers as you want within
the duration of your subscription.
What is the per-customer charge?

There is no per-customer charge. You may leverage your subscription
against an unlimited number of customers.
Do I need to keep a continuous subscription?

No. You can, for example, choose to buy a one-month auditing package
every other month, or even less frequently. The only restriction is that
if you don't order any services for a full year, we may not renew your
contract at the end of the year.
How often can I run an audit for a customer?

As often as you like. We do not track your usage of the service on
a per customer basis. If you have an active subscription, you may use it.
How much do I charge my customers?

That depends on the services you are providing. We set no restrictions
on how much you bill your customer, and in fact would prefer not to
know. As an obvious general rule, you will need to price your service
according to the value you provide.
What is an audit waiver?

An audit waiver is a one-page agreement that your customer must sign
before we allow you to audit the customer's network. It ensures that the
customer acknowledges the inherent risks associated with an audit, accepts
those risks, and permits you to go ahead with the audits.
Why do I need to have each customer sign a waiver?

It is a liability protection mechanism for both you and ourselves.
It ensures that the appropriate due diligence has been conducted
to allow the audit to proceed.
Can I set up my own site with your service?

No. We don't sell or lease the software making up our services in
that fashion. If you wish to set up your own scanning services,
you will need to investigate other solutions available to do that.
After running your audit, are my customers secure?

Even if an audit comes up clean, it is no guarantee that the system
audited is secure. A "canned" vulnerability scan, which is what we
provide, is a good start for determining the security posture of a
system, and we know of a number of organizations that use our services
as a sanity check against a full penetration test. But you should be
aware that it is only a start. There are many other security issues
to be dealt with, and where a consultant can provide added value.
These include things like determining if adequate policies and procedures
are in place, if proprietary applications are secure, and so on.
How long does it take to audit a full Class C network?

This depends on several factors. For advanced audits, a rough rule of
thumb is that the default (single-channel) subscription will audit anywhere
from 4 to 15 IP addresses a day, depending on whether the systems being
audited are firewalled, the amount of latency on the network, packet loss,
and so on. The average is about 10 audits per day, meaning that it would
take about 25 days to audit the 254 usable addresses of a full Class C
on one channel.
If faster audit times are required, you may purchase additional channels,
which allow you to audit more IPs concurrently. Each channel gives you the
ability to run one audit at a time, so you may purchase as many additional
channels as you need to complete the audit in the required time frame.
Standard subscriptions come with a one-channel allocation, while Advanced
subscriptions come with a two-channel allocation.
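To put the figures above to use when scoping an engagement, here is a small Python estimator added for this FAQ (it is not the service's own tooling). It takes the page's per-channel rates of 4, 10 and 15 IPs per day as constants, rounds up to whole days, and also answers the reverse question of how many channels a deadline requires. Sizing on the worst-case rate is an assumption made here so that a firewalled or lossy network does not blow the deadline.

```python
import math
from typing import Dict

# Per-channel throughput from the FAQ: 4 to 15 IPs per day, averaging about 10.
WORST_RATE = 4.0
AVG_RATE = 10.0
BEST_RATE = 15.0

CLASS_C_HOSTS = 254  # usable addresses in a /24 (network and broadcast excluded)


def days_to_audit(hosts: int, channels: int, rate_per_channel: float) -> int:
    """Whole days needed to audit `hosts` IPs with `channels` concurrent audits."""
    if hosts <= 0:
        return 0
    if channels < 1 or rate_per_channel <= 0:
        raise ValueError("need at least one channel and a positive rate")
    return math.ceil(hosts / (channels * rate_per_channel))


def estimate(hosts: int, channels: int = 1) -> Dict[str, int]:
    """Best, expected and worst-case durations in days for a channel count."""
    return {
        "best": days_to_audit(hosts, channels, BEST_RATE),
        "expected": days_to_audit(hosts, channels, AVG_RATE),
        "worst": days_to_audit(hosts, channels, WORST_RATE),
    }


def channels_for_deadline(hosts: int, deadline_days: int,
                          rate_per_channel: float = WORST_RATE) -> int:
    """Fewest channels that finish `hosts` within `deadline_days`.

    Defaults to the worst-case rate so the deadline holds even on a slow,
    firewalled network (an assumption made for this example, not a rule
    stated by the service).
    """
    if deadline_days < 1:
        raise ValueError("deadline must be at least one day")
    if hosts <= 0:
        return 1
    return max(1, math.ceil(hosts / (deadline_days * rate_per_channel)))


if __name__ == "__main__":
    for ch in (1, 2):  # Standard (1 channel) and Advanced (2 channels)
        print(f"{ch} channel(s): {estimate(CLASS_C_HOSTS, ch)}")
    need = channels_for_deadline(CLASS_C_HOSTS, 5)
    print(f"channels to finish a Class C in 5 days (worst case): {need}")
```

On one channel the expected figure comes out at 26 days rather than the page's "about 25" only because the estimator rounds 254/10 up to a whole day; the two-channel Advanced allocation roughly halves every figure.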
Will this take down my customer's network?

Possibly, but probably not. An audit is considered intrusive, and as such
there is always a risk of a service interruption, either on network
devices or in applications. We take a number of steps to mitigate the
risk. The main one is that tests in the Denial of Service category, which
have the highest likelihood of impacting a network, are disabled by
default. Whether or not you enable them depends on your customer's
tolerance for an outage. We generally recommend that if a customer can
tolerate an outage, the full test suite be run. Note that if our tests
bring down a network, it is imperative that whatever is causing the
problem be resolved, since we do nothing that a malicious individual
could not also do.
Which platforms do you audit?

Our service has tests for virtually every platform out there, and is not
limited to one particular operating system or application suite. You will
find tests for Windows, Linux, Unix, Macintosh, Web servers, Database
products, and more. If it can be remotely tested, we try to have the
test for it available.