Penetration Testing mailing list archives

Re: SME risk assessment (Was: Bank Assessment)


From: fergus <fergus () cobbled net>
Date: Fri, 23 Apr 2004 23:02:31 +0100

On 23.04-09:57, Amit Deshmukh wrote:
[ ... ]
                         ... would anyone know of
a simple risk assessment methodology that could be
employed for small to medium businesses?

the problem is not the methodology; it is the
understanding.  you need to understand the threat
and risk on a number of levels to make an
effective assessment.

that is what you pay for at the end of the day;
experience and knowledge.

for a simple example, it would be difficult to implement
a password policy if you do not understand the
relevant issues; that comes down to users,
distribution, environment, etc, etc.  all these
things are logical and if you have the necessary
understanding then you do not need methodology -
not for small businesses.

it's basically an issue of common sense (once you
can ably cover the issues).

if you mean a vulnerability assessment or pen-test
then you are better off (for the small business
sector) simply using tools.  nessus, basically; it
will be adequate for the target.

the problem is that small companies have low-value
assets and most have very little relating to
information/computers.  even the ones that should
know better (i.e. accountants and solicitors) are
ill able to afford and digest a detailed report.
they simply need a solution that puts them a
couple of levels higher than the next guy.

to summarise - perceived risk is low and therefore
over-investment in detailing actual risk is
difficult, costly and unpopular.

-- 
: fergus cameron                :   [ .]        cobbled    :
: ^^^^^^@cobbled.net            : [ ~][ ]             .net :


