Network Security Pen-Test

Re: Business justification for pentesting

Subject: Re: Business justification for pentesting
Date: Wed, 31 Aug 2005 10:33:47 +0200
The answer to the question of "how much money will I lose if a hacker
breaks into the network" is a very complex one.

Quantifying losses requires full cooperation of the financial
department of the company and understanding of the company's business
type. And even then, I do not believe it can be accurate to the
level of a single number. I think that any pentester today who comes
and says "if you get hacked you will lose 400k USD" is just not
professional.

There are so many factors to this calculation (and no, these are not
ordered according to importance).

First - the size of the hack. There is a huge difference between a
hacker who completely took over the network, getting root privileges
on many important servers etc, and a hacker who gained access to the
"Employee Yearly Trip to the North" located in the Intranet and that
shouldn't have been accessible externally.

Second - the type of the damage. CIA - Confidentiality, Integrity,
Availability. Which one of the three was compromised, and how much
each of these costs the company.

Third - the _business_ impact - An online store might require high
availability, while the most important thing in an online banking
application is the data integrity. Therefore you need full
understanding of the business impact, of the company finances, and
which servers exactly were hacked. A hacker broke into a server
hosting marketing information in a large telecom. A big campaign was
copied and then launched by a competitor.

10% of the new cell users decided to join the other company, causing
potential losses of 400,000$ a year. Another 200,000$ were put in a
new marketing campaign, etc.

A hacker broke into a server hosting customer information in a large
bank; 5% of the customers moved to a bank in which they feel safer
using the online banking application (in an ideal world I guess). 5,000,000$
were spent in court. Another 500,000$ were a fine paid to the
government following some law. 100,000$ were spent on fixing the
damages, having IT personnel running around and freaking out. etc.
etc.

 

There is a calculation that says Amazon makes X$ per hour. If Amazon
is down for an hour, they will probably lose Y$.

 

Now, knowing all the above you come to your management.

We are a company that does X. Our most important asset is our Y. The
following scenarios are likely: T, K and F. In each of those we could
lose *BETWEEN* A and B money. Our reputation will suffer, and since
our business is J we'll lose Q-Z amount of money as a result. Also,
there is a law saying that companies of our sort should be G, meaning
we might lose this much in lawsuits. Our customers' database can get
stolen, which means we will suffer losses ranging from N-P. I am out
of letters so I guess you got the drift.

 

Talking the management into it means getting news items and cases
relevant to your company's business (stories that happened to similar
companies), getting numbers where you can (like the Brazil bank
incidents), getting statistics on likelihood etc. Getting a bunch
of freaky numbers saying that if we're a startup and someone steals our
code we can all go home.

 

The bottom line is - you cannot fully quantify it, and don't trust
anyone who says he does unless he can solidly prove it. On the other
hand, you can *estimate* it, throw in a bunch of numbers you can
gather from other similar stories and comparison to your company size
and type of business. And if the above fails, you can always quietly
take the CEO aside, and tell him that if someone breaks in they might
discover his bizarre attraction to cactuses and rubber ducks.

 
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

 



On 30 Aug 2005 16:29:35 -0000, sectraq@gmail.com <sectraq@gmail.com> wrote:


Hi all,

A few classic questions that I would appreciate any answers for.
1- I would like to briefly know how to quantify information assets. In other
words, I hear a pentester say: if a hacker breaks into your network, you will lose
up to 40000$ for example. How can he come up with such figures?

2- Are there any other means to justify pentesting for management except for
$$$?

3- Are there any official statistics, figures etc. for justifying pentesting?
The more official it is the better.

4- Any other information you guys might find helpful in justifying a pentest
would be appreciated.

Thanks in advance for your help.

T.N


