Re: The Return on Investment of Good Security

["adeel hussain" <ad33lh () gmail com>]

Hello Everyone,

The topic seems to be shifting from ROI to quality of service (in
relation to vulnerability assessments or pen tests).  Perhaps we need
to keep in mind that the scope of any engagement is critical to its
impact and relevance to our security posture.  If I engage a crack
tiger team to penetrate my crown jewel DB then there are probably
going to be certain assumptions, one - I have secured it to the best
of my ability.  Two that lower level assessments and tests have been
performed to eliminate the "obvious" holes.  Three that the time of
these highly trained and expensive talents will be focused on the
stuff I can not learn by pointing Nessus and metasploit at it.

All these and a thousand other variables should be determined by your
existing setup, the history of the systems involved (security involved
and known threats) and the value of the systems and data they
contain/process.  Good and Bad are extremely subjective terms, perhaps
we should focus on cost effective.  Have the Nessus specialist do your
Vuln assessment for his/her price, have the security service providers
review the overall system for their price and have the "Tiger" teams
attack specific targets (perhaps via less well guarded systems) for
their price.  No one system, service, person or philosophy will
protect you against everything but a coordinated effort by those you
determine are required can provide satisfaction that you have done
what is reasonable to secure your system.  After that it is all
incident handling and damage control.

Adeel

On Mon, Jan 5, 2009 at 3:56 PM, Mercurio, Michael D (Dante)
<michael.mercurio () verizonbusiness com> wrote:
> The article is basically stating you get what you pay for. The problem
> is the measurement of a 'good' vs. 'bad' service is not as easy as just
> comparing pricing. To make your point, the vendor needs to provide
> 'quality' service and I'm assuming you are making the argument that your
> company is the 'quality' vendor that costs more, but I have seen many
> high priced vendors who did not have a clue.
>
> Simple example, I once found default SNMP read/write access to a bank
> core switch that was missed by a previous 'nationally known quality'
> vendor who charged twice as much. In order to justify a higher price,
> you need to educate people on what qualifies as a 'good' vs. 'bad'
> vendor besides price.
>
> You might want to touch on items such as:
> 1) Review and compare scopes of work to ensure they are both doing the
> same thing.
> 2) Review a sample report to ensure you will be getting something of
> quality back.
> 3) Ask for sample resumes of consultants that will be conducting the
> assessment.
> 4) Ask to contact some references.
>
> The items above will tell you more about a 'quality' vendor than the
> price of the assessment and also provide more reasons why an assessment
> will cost more.
>
> M. Dante Mercurio, CISSP, CCNA
> http://www.mercurio.ws
> http://advinsecurity.wordpress.com
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Adriel T. Desautels
> Sent: Friday, January 02, 2009 6:46 PM
> To: pen-test list
> Cc: security-basics () securityfocus com
> Subject: The Return on Investment of Good Security
>
> Latest blog entry for those who care. This one compares the Return on
> Investment of good security services to the Return on Investment of poor
> quality security services.  As usual comments and criticisms are welcome
> and appreciated.
>
> Direct link as requested:
>
> http://snosoft.blogspot.com/2009/01/cost-of-good-security-is-fraction-of
> .html
>
>
>        Adriel T. Desautels
>        ad_lists () netragard com
>         --------------------------------------
>
>        Subscribe to our blog
>         http://snosoft.blogspot.com