Penetration Testing mailing list archives
Re: SME risk assessment (Was: Bank Assessment)
From: "Jason High" <strongcypher () hotmail com>
Date: Mon, 26 Apr 2004 09:03:59 -0400
I work for a small business and couldn't disagree more. You're assuming that small business = small profit = small amount of risk. This is not true in many cases. The company that I work for is a multi-million dollar company that stores a great deal of very sensitive information, and therefore our risk is relatively high.
You also assume that because a company is small you only need to be equipped with a strong understanding of that business's processes to perform a risk assessment. Again, I have to respectfully disagree. The size of a company does not necessarily dictate the complexity of a risk assessment. My company, again, is a prime example. We have many distinct divisions that perform a vast array of functions. Applying a methodology is extremely valuable in such situations to ensure uniformity and to provide guidance to the party(ies) doing the risk assessment.
While I agree that a strong understanding of the company's business processes is extremely valuable, if not absolutely vital, I disagree that it is the only issue or that applying a methodology has no value to small businesses.
-- Jason E. High, RHCT, GSEC, MCP
From: fergus <fergus () cobbled net>
To: pen-test () securityfocus com
Subject: Re: SME risk assessment (Was: Bank Assessment)
Date: Fri, 23 Apr 2004 23:02:31 +0100

On 23.04-09:57, Amit Deshmukh wrote:
[ ... ]
> ... would anyone know of
> a simple risk assessment methodology that could be
> employed for small to medium businesses?

the problem is not the methodology, it is the understanding. you need to understand the threat and risk on a number of levels to make an effective assessment. that is what you pay for at the end of the day; experience and knowledge.

for a simple example, it would be difficult to implement a password policy if you do not understand the relevant issues; that comes down to users, distribution, environment, etc, etc. all these things are logical and if you have the necessary understanding then you do not need methodology - not for small businesses. it's basically an issue of common sense (once you can ably cover the issues).

if you mean a vulnerability assessment or pen-test then you are better (for the small business sector) to simply use tools. nessus basically; it will be adequate for the target.

the problem is that small companies have low value assets and most have very little relating to information/computers. even the ones that should know better (i.e. accountants and solicitors) are ill able to afford and digest a detailed report. they simply need a solution that puts them a couple of levels higher than the next guy.

to summarise - perceived risk is low and therefore over-investment in detailing actual risk is difficult, costly and unpopular.

--
: fergus cameron :      [ .] cobbled :
: ^^^^^^@cobbled.net :  [ ~][ ] .net :

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
Current thread:
- Re: SME risk assessment (Was: Bank Assessment) Jason High (Apr 26)
- <Possible follow-ups>
- Re: SME risk assessment (Was: Bank Assessment) miguel . dilaj (Apr 26)
- Re: SME risk assessment (Was: Bank Assessment) fergus (Apr 27)