RE: Business justification for pentesting

From: Kyle Starkey (kstarkey@siegeworks.com)
Date: Wed Aug 31 2005 - 14:05:59 EDT


I agree with the previous discussion on how to justify to the business the
need for Pen-Testing. In addition to their comments there are some good
writeups in the SecurityFocus Infocus Pen-Testing section... They are from
2003, but still hold some good information...

http://www.securityfocus.com/infocus/1715
http://www.securityfocus.com/infocus/1718

Additionally it is a good idea to use something like the Octave risk assessment
methodology to assess your organization's risk posture. The use of Octave
will allow you to determine your critical assets and their risks. This sort
of data will not only allow you to justify ROI on pen-testing, but will also
allow you to determine what assets to focus your security team's resources
on.

Cert discusses Octave:
http://www.cert.org/octave/

Hope these help...
-Kyle

Kyle R. Starkey
Senior Security Consultant
CISSP # 31718
Siegeworks LLC

-----Original Message-----
From: rmeijer@xs4all.nl [mailto:rmeijer@xs4all.nl]
Sent: Wednesday, August 31, 2005 6:47 AM
To: sectraq@gmail.com
Cc: pen-test@securityfocus.com
Subject: Re: Business justification for pentesting

> hi all,
>
> a few classic questions that I would appreciate any answers for.
> 1- I would like to briefly know how to quantify information assets. In
> other words, I hear a pentester say: if a hacker breaks in your network, you
> will lose up to $40,000 for example. How can he come up with such figures?

This is not something for a pentester to be concerned with in most cases.
The value of assets should be evaluated only in the context of a risk
assessment done by a skilled statistician, not by a skilled infosec
technician.

In the past I've tried to bring together some of the
statistician/technician/management infosec issues in a whitepaper on
risk assessment and incident response, but it has turned out to be
close to impossible to bring together these distinct views on infosec
in a way that not everyone thinks: 'that is the other guy's specialty'.
You may wish to check out 'Security Incident Policy Enforcement' at
isecom.org to get somewhat of a grasp on this. The document focuses
on risk assessment in an IR context, but much of it can be seen in a
wider scope also.

> 2- are there any other means to justify pentesting for management except
> for $$$?

Pentesting is just one of a wide range of security measures; there are
three ways to justify any security measure:

1) The projected financial footprint of the diverted risk is substantially
   higher than the projected cost of the security measure.
2) The potential financial footprint of diverted risk would be very high
   and the projected cost of the measure not very substantial.
3) There is insufficient data to assess if either 1 or 2 is true, and the
   measure could supply this data.

As you see, only the third does not directly involve money as an argument, but
I don't think pentesting could be categorized in that section very often.

> 3- are there any official statistics, figures etc. for justifying
> pentesting. The more official it is the better.

In my research I have found no sign of any statistical information with
any useful span that crosses company borders. This is very unfortunate,
as it makes risk assessments yield rather high spreads in their risk
densities, which makes building solid policies from them very difficult.
I personally believe that this lack of statistics could be responsible for
a very large portion of overall infosec incident costs.

> 4- any other information you guys might find helpful in justifying a
> pentest would be appreciated.
>
> Thanks in advance for your help.
>
> T.N
>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:48 EDT