Penetration Testing mailing list archives
RE: Business justification for pentesting
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Tue, 30 Aug 2005 18:48:41 -0500
-----Original Message-----
From: sectraq () gmail com [mailto:sectraq () gmail com]

Hi all, a few classic questions that I would appreciate any answers for.

1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: "if a hacker breaks into your network, you will lose up to $40000", for example. How can he come up with such figures?

2- Are there any other means to justify pentesting for management except for $$$?

3- Are there any official statistics, figures etc. for justifying pentesting? The more official it is the better.

4- Any other information you guys might find helpful in justifying a pentest would be appreciated.

Thanks in advance for your help.

T.N
In order to provide more useful information to justify your pentest, you will need to get some information from your client first. For example, what is the cost of losing this information or staying out of business for a couple of hours? Many clients will even feel you are bragging if you just show them numbers. However, most will appreciate the fact that you recognize that you don't know the details of their business but know your own business well and are able to use that knowledge in other environments after you learn from them.

A better approach, in my opinion, is to give your potential client the tools for them to do the math. In many cases, it is not necessary to provide a number. For example, most banks know very well the risks of having certain types of incidents. You can also remind them of what has happened to other similar companies (e.g. the CardSystems case for e-banking and e-commerce). In any case, doing reasonable research on your client and their business before showing up is advisable.

Another good reason for not providing a number is that you will eventually deny being liable for intrusions and incidents after your pentest, simply because the pentest can't guarantee that this won't happen or that you will discover each and every vulnerability out there.

So, it is OK to say: "Look, these are the risks and this is what might happen to companies like yours; let me check to see if there are any vulnerabilities that are exploitable from the outside, using procedures and techniques similar to those of a hacker but with the benefit of having repeatable results, blah blah blah".

Regards,

Omar Herrera