Penetration Testing mailing list archives
Re: SME risk assessment (Was: Bank Assessment)
From: fergus <fergus () cobbled net>
Date: Fri, 23 Apr 2004 23:02:31 +0100
On 23.04-09:57, Amit Deshmukh wrote: [ ... ]
... would anyone know of a simple risk assessment methodology that could be employed for small to medium businesses?
the problem is not the methodology, it is the understanding. you need to understand the threat and risk on a number of levels to make an effective assessment. that is what you pay for at the end of the day: experience and knowledge.

for a simple example, it would be difficult to implement a password policy if you do not understand the relevant issues; that comes down to users, distribution, environment, etc., etc. all these things are logical and if you have the necessary understanding then you do not need methodology - not for small businesses. it's basically an issue of common sense (once you can ably cover the issues).

if you mean a vulnerability assessment or pen-test then you are better (for the small business sector) to simply use tools. nessus basically; it will be adequate for the target.

the problem is that small companies have low value assets and most have very little relating to information/computers. even the ones that should know better (i.e. accountants and solicitors) are ill able to afford and digest a detailed report. they simply need a solution that puts them a couple of levels higher than the next guy.

to summarise - perceived risk is low and therefore over-investment in detailing actual risk is difficult, costly and unpopular.

--
: fergus cameron : [ .] cobbled :
: ^^^^^^@cobbled.net : [ ~][ ] .net :