
RE: Business justification for pentesting

Subject: RE: Business justification for pentesting
Date: Tue, 30 Aug 2005 18:48:41 -0500


-----Original Message-----
From: sectraq@gmail.com [mailto:sectraq@gmail.com]
hi all,

A few classic questions that I would appreciate any answers for.
1- I would like to briefly know how to quantify information assets. In
other words, I hear a pentester say: if a hacker breaks into your network, you
will lose up to 40000$ for example. How can he come up with such figures?

2- Are there any other means to justify pentesting for management except
for $$$?

3- Are there any official statistics, figures etc. for justifying
pentesting? The more official it is the better.

4- Any other information you guys might find helpful in justifying a
pentest would be appreciated.

Thanks in advance for your help.

T.N

In order to provide more useful information to justify your pentest, you will
need to get some information from your client first. For example, what is
the cost of losing this information or staying out of business for a couple
of hours? Many clients will even feel you are bragging if you just show them
numbers. However, most will appreciate the fact that you recognize that you
don't know the details of their business but know your own business well and
are able to use that knowledge in other environments after you learn from
them.

A better approach in my opinion is to give your potential client the tools
for them to do the math. In many cases, it is not necessary to provide a
number. For example, most banks know very well the risks of having certain
types of incidents. You can also remind them of what has happened to other
similar companies (e.g. CardSystems case for e-banking and e-commerce). In
any case, doing a reasonable research of your client and their business
before showing up is advisable.

Another good reason for not providing a number is that you will eventually
deny being liable for intrusions and incidents after your pentest, simply
because the pentest can't guarantee that this won't happen or that you will
discover each and every vulnerability out there.

So, it is ok to say: "Look, these are the risks and this is what might
happen to companies like yours, let me check out to see if there are any
vulnerabilities that are exploitable from the outside using procedures and
techniques similar to those of a hacker but with the benefits of having
repeatable results, blah blah blah".

Regards,

Omar Herrera
