Penetration testing for small companies

Looking for the weaknesses in your systems is a critical part of protecting them against a slew of known threats. It’s only by identifying where the holes might be that you have a chance of patching them. The problem is that pen-testing can be expensive — because of the cost of the tools, the price of the specialists you need to run them, or both. For small companies, these costs can be prohibitive.

What exactly is penetration testing?

Penetration testing is looking for the vulnerabilities in your systems before the bad guys find them. This technology allows many organizations to keep their systems from being broken into. The key elements to good penetration testing include frequent updates (so the process “knows” about all the vulnerabilities discovered to date and can look for them), having someone competent at the helm to run the tests and capture the results, and a good team of system techs to prioritize the configuration changes that need to be made, the patches that need to be applied, etc. and to ensure that the weaknesses are addressed.

In addition, many penetration testing applications have the option of determining whether detected vulnerabilities can be exploited — by trying to exploit them. These tests might help to answer questions such as whether a discovered weakness might expose sensitive data or whether pushing into a discovered flaw might cause a system to crash. These tests are not just looking to see if some particular port is open or determine if you’re running an old version of some particular application. They’re attempting to assess the impact of these problems on you and your company.

One of the most worrisome things about cybersecurity is, after all, that new holes are being discovered all of the time. Running a vulnerability scan once or twice a year could leave you vulnerable to flaws that are discovered between those scans.

What are your options?

Even penetration testing “on the cheap” may not be as cheap as you might like to believe. Most penetration testing tools are fairly complex and the commercial tools are generally far more up-to-date and thorough than any you can get for free.

Your choices include:

• buying an expensive application and hiring a skilled cybersecurity specialist to manage it
• downloading a free pen-testing tool and hiring a skilled cybersecurity specialist to manage it
• contracting with a pen-testing firm to run your pen tests several times a year

and, of course, you still need to do the follow-up work to resolve the problems that are discovered!

Another option is to acquire a pen-testing tool that basically runs itself. I had a chance to explore such a tool — one that seems to be making its way into many small companies that can’t afford to hire someone with a salary expectation that exceeds $100K/year or contract for pen-testing services that might easily cost $3-4K a shot.

What is Neo?

Neo is a penetration testing device that attaches to your network and automatically configures itself to your network. The more advanced features are available for IT staff to manage if, for example, you want to have more control over when scans are done or which subnets are scanned. You can view a simple setup introduction here.

The photo above shows the appliance version of Neo. There’s also a VM version that was rolled out just recently. The appliances are “headless”, but support a web interface. They connect to the main servers to determine what tests to run. The tests can be customized via the UI if you want. Vulnerability insights are pulled from sources like exploit-db and CVE as well as some of Neo’s own resources.

The Neo is built in the US and even tests itself

Where did this device come from and why?

It all started with a guy who was working in the Middle East as a penetration tester — a guy with a family who realized it would be easier and safer to leave a tool in place and go back home. He started imagining a tool that could be set up to do the testing without him having to sit there to run it. And, eventually, Neo came into being.

Justin Farmer, Neo’s creator …

• didn’t like that only large companies could afford to do penetration testing
• realized during an ISIS invasion that doing penetration testing in place was often far too dangerous
• knew that his product had to be something that small companies could afford to acquire and use
• admitted that the product had to simple to set up and use if it was going to serve smaller companies

So, how easy is easy?

Neo can be set up with surprisingly little effort. Attach it to your network and it can discover its IP address using DHCP or you can assign one by connecting to the user interface. When a scan is run, you will have a view into the vulnerabilities discovered on your systems, see assessments of the risk levels of the problems, and get advice on how to resolve the detected problems. Many of its users simply plug it in and let it do its thing. They then check the web interface to see the results and determine the follow-up work that is needed using the directions provided.

Neo runs between $100 (small) and $500 (unlimited) a month depending on the size of your network. Small is up to 25 IPs.