
| Subject: | Re: Business justification for pentesting |
|---|---|
| Date: | Wed, 31 Aug 2005 14:46:31 +0200 (CEST) |
> Hi all, a few classic questions that I would appreciate any answers for.
>
> 1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: if a hacker breaks into your network, you will lose up to $40,000, for example. How can he come up with such figures?
This is not something for a pentester to be concerned with in most cases. The value of assets should be evaluated only in the context of a risk assessment done by a skilled statistician, not by a skilled infosec technician. In the past I've tried to bring together some of the statistician/technician/management infosec issues in a whitepaper on risk assessment and incident response, but it has turned out to be close to impossible to bring together these distinct views on infosec in a way that not everyone thinks: 'that is the other guy's specialty'. You may wish to check out 'Security Incident Policy Enforcement' at isecom.org to get somewhat of a grasp on this. The document focuses on risk assessment in an IR context, but much of it can be seen in a wider scope also.
> 2- Are there any other means to justify pentesting to management except for $$$?
Pentesting is just one of a wide range of security measures. There are three ways to justify any security measure:

1) The projected financial footprint of the diverted risk is substantially higher than the projected cost of the security measure.
2) The potential financial footprint of the diverted risk would be very high and the projected cost of the measure not very substantial.
3) There is insufficient data to assess whether either 1 or 2 is true, and the measure could supply this data.

As you see, only the third does not directly involve money as an argument, but I don't think pentesting could be categorized in that section very often.
> 3- Are there any official statistics, figures, etc. for justifying pentesting? The more official it is, the better.
In my research I have found no sign of any statistical information with any useful span that crosses company borders. This is very unfortunate, as it makes risk assessments yield rather high spreads in their risk densities, which makes building solid policies from them very difficult. I personally believe that this lack of statistics could be responsible for a very large portion of overall infosec incident costs.
> 4- Any other information you guys might find helpful in justifying a pentest would be appreciated. Thanks in advance for your help.
>
> T.N.