RE: Business justification for pentesting

From: Steve Manzuik (smanzuik@eeye.com)
Date: Wed Aug 31 2005 - 16:42:41 EDT


> 1- I would like to briefly know how to quantify information
> assets. In other words, I hear a pentester say: if a hacker
> breaks into your network, you will lose up to $40000 for example.
> How can he come up with such figures?

This almost sounds like a scare tactic to me. I have seen Pen-Testers
pull numbers out of their backsides in an attempt to justify their
overpriced rates. This is a risk management thing, not a pen-test thing.
Assets need to be classified, IP needs to be documented, and then a
qualified person could put a price tag on it. But in reality this is
not exclusively connected to a pen-test and is more of a general task
that should be done as part of building a secure infrastructure.

> 2- are there any other means to justify pentesting for
> management except for $$$?

This depends on the organization. If your organization has not given a
thought to their IT security then a pen-test is a bit of a waste of
time/budget because it will tell you what you already know -- your
security sucks. That being said, if your organization has done what
they feel to be the right thing in creating a secure environment then a
pen-test is a good way to validate the money you have spent on various
security technologies.

Management can look at a pen-test as a bit of a report card on how their
various security initiatives have worked. In some cases a pen-test can
even be used to validate the functionality of incident response plans
and detection technologies.
 
> 3- Are there any official statistics, figures etc. for
> justifying pentesting? The more official it is the better.

Not really. In my opinion there are no statistics that cannot be proved
to be biased. But I guess the CSI/FBI survey may help your purpose
here.

Signed,
Steve Manzuik
eEye Digital Security

http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

I read my email with Outlook
I read your email with Iris




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:48 EDT