Penetration Testing mailing list archives

Re: SME risk assessment (Was: Bank Assessment)


From: "Jason High" <strongcypher () hotmail com>
Date: Mon, 26 Apr 2004 09:03:59 -0400

I work for a small business and couldn't disagree more. You're assuming that small business = small profit = small amount of risk. This is not true in many cases. The company that I work for is a multi-million dollar company that stores a great deal of very sensitive information, and therefore our risk is relatively high.

You also assume that because a company is small you only need to be equipped with a strong understanding of that business's processes to perform a risk assessment. Again, I have to respectfully disagree. The size of a company does not necessarily dictate the complexity of a risk assessment. My company, again, is a prime example. We have many distinct divisions that perform a vast array of functions. Applying a methodology is extremely valuable in such situations to ensure uniformity and to provide guidance to the party(ies) doing the risk assessment.

While I agree that a strong understanding of the company's business processes is extremely valuable, if not absolutely vital, I disagree that it is the only issue or that applying a methodology has no value to small businesses.
--
Jason E. High, RHCT, GSEC, MCP

From: fergus <fergus () cobbled net>
To: pen-test () securityfocus com
Subject: Re: SME risk assessment (Was: Bank Assessment)
Date: Fri, 23 Apr 2004 23:02:31 +0100

On 23.04-09:57, Amit Deshmukh wrote:
[ ... ]
>                          ... would anyone know of
> a simple risk assessment methodology that could be
> employed for small to medium businesses?

the problem is not the methodology it is the
understanding.  you need to understand the threat
and risk on a number of levels to make an
effective assessment.

that is what you pay for at the end of the day;
experience and knowledge.

for a simple example, it would be difficult to implement
a password policy if you do not understand the
relevant issues; that comes down to users,
distribution, environment, etc, etc.  all these
things are logical and if you have the necessary
understanding then you do not need methodology -
not for small businesses.

it's basically an issue of common sense (once you
can ably cover the issues).

if you mean a vulnerability assessment or pen-test
then you are better (for the small business
sector) to simply use tools.  nessus basically; it
will be adequate for the target.

the problem is that small companies have low value
assets and most have very little relating to
information/computers.  even the ones that should
know better (i.e. accountants and solicitors) are
ill able to afford and digest a detailed report.
they simply need a solution that puts them a
couple of levels higher than the next guy.

to summarise - perceived risk is low and therefore
over investment in detailing actual risk is
difficult, costly and unpopular.

--
: fergus cameron                :   [ .]        cobbled    :
: ^^^^^^@cobbled.net            : [ ~][ ]             .net :

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------





