RE: Business justification for pentesting

From: Michael Scheidell (scheidell@secnap.net)
Date: Tue Aug 30 2005 - 19:54:57 EDT

• Next message: Lynx: "Re: Business justification for pentesting"
• Previous message: Steve A: "RE: Where are Windows "Enforce password history" passwords stored?"
• Maybe in reply to: sectraq@gmail.com: "Business justification for pentesting"
• Next in thread: Jan van Rensburg: "Re: Business justification for pentesting"
• Reply: Jan van Rensburg: "Re: Business justification for pentesting"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> -----Original Message-----
> From: sectraq@gmail.com [mailto:sectraq@gmail.com]
> Sent: Tuesday, August 30, 2005 12:30 PM
> To: pen-test@securityfocus.com
> Subject: Business justification for pentesting
>
>
> hi all,
>
> a few classic question that i would appriciate any answers for.
> 1- i would like to briefly know how to quantify information
> assets. In other words, i hear a pentester say: if a hacker
> breaks in ur network, u will loose up to 40000$ for example.
> how can he come up with such figures?

You really don't need to worry about penetration testing, or paying for
it.

There are about 125,000 computers out there on the internet doing it for
you for free.
All you need to do is wait till your whole network crashes, the CEO
starts to scream and you see your company mentioned in the latest
reports on CNN.

It really only costs about $2000 if a computer gets hacked
(plus lost wages, lose of business, loss of customer confidence, plus
possibility that in 18 months it will be the main reason that you
finally went bankrupt)

Seriously, you really need a third party looking at your network from
the outside.
How can you tell if your house if vulnerable? You left the window open?
How can you tell if someone broke into your house? Broken window.

How can you tell how much you will save if you do penetration testing?

You have to do it first, then decide how bad the problems they found are
and YOU need to decide what it would have cost your company if they
hadn't done it in the first place.

Don't try to justify pen testing UP THE CHAIN, if the cxx or board isn't
interested in protecting the company assets, it's a losing battle.

It really needs to start at the top as a cultural thing, especially
since most of your security vulnerabilities will be in the inside.
Something it doesn't sound like your management cares much about (or you
would not be asking the question).

No problem.

As soon as they get hacked into, they will do penetration testing.
Just ask card systems, bank of new york, cnn, and anyone who has just
taken the firewall protection for granted.

• Next message: Lynx: "Re: Business justification for pentesting"
• Previous message: Steve A: "RE: Where are Windows "Enforce password history" passwords stored?"
• Maybe in reply to: sectraq@gmail.com: "Business justification for pentesting"
• Next in thread: Jan van Rensburg: "Re: Business justification for pentesting"
• Reply: Jan van Rensburg: "Re: Business justification for pentesting"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:48 EDT