Network Security Pen-Test

RE: Business justification for pentesting

Subject: RE: Business justification for pentesting
Date: Tue, 30 Aug 2005 19:54:57 -0400
-----Original Message-----
From: sectraq@gmail.com [mailto:sectraq@gmail.com] 
Sent: Tuesday, August 30, 2005 12:30 PM
To: pen-test@securityfocus.com
Subject: Business justification for pentesting


hi all,

a few classic questions that i would appreciate any answers for. 
1- i would like to briefly know how to quantify information 
assets. In other words, i hear a pentester say: if a hacker 
breaks in ur network, u will lose up to 40000$ for example. 
how can he come up with such figures?

You really don't need to worry about penetration testing, or paying for
it.

There are about 125,000 computers out there on the internet doing it for
you for free.
All you need to do is wait till your whole network crashes, the CEO
starts to scream and you see your company mentioned in the latest
reports on CNN.

It really only costs about $2000 if a computer gets hacked
(plus lost wages, loss of business, loss of customer confidence, plus
possibility that in 18 months it will be the main reason that you
finally went bankrupt)

Seriously, you really need a third party looking at your network from
the outside.
How can you tell if your house is vulnerable? You left the window open?
How can you tell if someone broke into your house?  Broken window.

How can you tell how much you will save if you do penetration testing?

You have to do it first, then decide how bad the problems they found are
and YOU need to decide what it would have cost your company if they
hadn't done it in the first place.

Don't try to justify pen testing UP THE CHAIN, if the cxx or board isn't
interested in protecting the company assets, it's a losing battle.

It really needs to start at the top as a cultural thing, especially
since most of your security vulnerabilities will be on the inside.
Something it doesn't sound like your management cares much about (or you
would not be asking the question).

No problem.

As soon as they get hacked into, they will do penetration testing.
Just ask card systems, bank of new york, cnn, and anyone who has just
taken the firewall protection for granted.
