Penetration Testing mailing list archives
Re: Business justification for pentesting
From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Wed, 31 Aug 2005 10:33:47 +0200
The answer to the question of "how much money will I lose if a hacker breaks into the network" is a very complex one. Quantifying losses requires full cooperation of the financial department of the company and understanding of the company business type. And even then, I do not believe it can be accurate to the level of a single number. I think that any pentester today who comes and says "if you get hacked you will lose 400k USD" is just not professional.

There are so many factors to this calculation (and no, these are not ordered according to importance):

First - the size of the hack. There is a huge difference between a hacker who completely took over the network, getting root privileges on many important servers etc., and a hacker who gained access to the "Employee Yearly Trip to the North" located in the Intranet that shouldn't have been accessible externally.

Second - the type of the damage. CIA - Confidentiality, Integrity, Availability. Which one of the three was compromised, and how much each of these costs the company.

Third - the _business_ impact. An online store might require high availability, while the most important thing in an online banking application is the data integrity. Therefore you need full understanding of the business impact, of the company finances, and of which servers exactly were hacked.

A hacker broke into a server hosting marketing information in a large telecom. A big campaign was copied and then launched by a competitor. 10% of the new cell users decided to join the other company, causing potential losses of 400,000$ a year. Another 200,000$ were put in a new marketing campaign, etc.

A hacker broke into a server hosting customer information in a large bank. 5% of the customers moved to a bank in which they feel safer using the online banking application (in an ideal world I guess), 5,000,000$ were spent in courts. Another 500,000$ were a fine paid to the government following some law. 100,000$ were spent on fixing the damages, having IT personnel running around and freaking out. etc. etc.

There is a calculation that says Amazon makes X$ per hour. If Amazon is down for an hour, they will probably lose Y$.

Now, knowing all the above, you come to your management. We are a company that does X. Our most important asset is our Y. The following scenarios are likely: T, K and F. In each of those we could lose *BETWEEN* A and B money. Our reputation will suffer, and since our business is J we'll lose Q-Z amount of money as a result. Also, there is a law saying that companies of our sort should be G, meaning we might lose this much in lawsuits. Our customers' database can get stolen, which means we will suffer losses ranging from N-P. I am out of letters so I guess you got the drift.

Talking the management into it means getting news items and cases relevant to your company's business (stories that happened to similar companies), getting numbers where you can (like the Brazil bank incidents), getting statistics as to likelihood etc. Getting a bunch of freaky numbers saying if we're a startup and someone steals our code we can all go home.

The bottom line is - you cannot fully quantify it, and don't trust anyone who says he does unless he can solidly prove it. On the other hand, you can *estimate* it, throw in a bunch of numbers you can gather from other similar stories and comparison to your company size and type of business.

And if the above fails, you can always quietly take the CEO aside and tell him that if someone breaks in they might discover his bizarre attraction to cactuses and rubber ducks.

Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com

On 30 Aug 2005 16:29:35 -0000, sectraq () gmail com <sectraq () gmail com> wrote:

hi all, a few classic questions that I would appreciate any answers for.
1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: if a hacker breaks into your network, you will lose up to 40000$ for example. How can he come up with such figures?
2- Are there any other means to justify pentesting to management except for $$$?
3- Are there any official statistics, figures etc. for justifying pentesting? The more official it is the better.
4- Any other information you guys might find helpful in justifying a pentest would be appreciated.
Thanks in advance for your help.
T.N
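As an added illustration (not part of Irene's post or of the list archive), the range-based estimate she sketches can be written down as a small model: each scenario carries the CIA property it hits, a per-incident loss range split into direct, reputation and legal parts, and a likelihood range, and the figure handed to management stays a "between A and B" range rather than a single number. Every scenario name and figure below is constructed, loosely following the telecom, bank and outage stories above.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    cia: str                  # which property is hit: "C", "I" or "A"
    likelihood: tuple         # chance of happening in a year, (low, high)
    direct_loss: tuple        # clean-up, IT time, replacement campaign ... (low, high)
    reputation_loss: tuple = (0.0, 0.0)   # customers lost to competitors
    legal_loss: tuple = (0.0, 0.0)        # courts and regulatory fines

def downtime_loss(revenue_per_hour, hours):
    """The 'Amazon makes X$ per hour' calculation, over a (low, high) range of outage hours."""
    return revenue_per_hour * hours[0], revenue_per_hour * hours[1]

def incident_range(s):
    """Loss if the scenario happens once: sum the low ends and the high ends separately."""
    parts = (s.direct_loss, s.reputation_loss, s.legal_loss)
    return sum(p[0] for p in parts), sum(p[1] for p in parts)

def annual_range(s):
    """Per-incident loss scaled by yearly likelihood; both stay ranges, never one number."""
    lo, hi = incident_range(s)
    return lo * s.likelihood[0], hi * s.likelihood[1]

def range_by_cia(scenarios):
    """Annualised ranges grouped by the CIA property each scenario hits."""
    out = {}
    for s in scenarios:
        lo, hi = annual_range(s)
        cur = out.get(s.cia, (0.0, 0.0))
        out[s.cia] = (cur[0] + lo, cur[1] + hi)
    return out

def total_range(scenarios):
    """The 'between A and B' figure to put in front of management."""
    ranges = [annual_range(s) for s in scenarios]
    return sum(r[0] for r in ranges), sum(r[1] for r in ranges)

# Constructed scenarios, loosely after the stories in the post; every figure is invented.
SCENARIOS = [
    Scenario("campaign leaked to competitor", "C", (0.05, 0.2),
             direct_loss=(200_000, 300_000), reputation_loss=(300_000, 400_000)),
    Scenario("customer database stolen", "C", (0.01, 0.05), direct_loss=(100_000, 150_000),
             reputation_loss=(1_000_000, 2_000_000), legal_loss=(500_000, 5_500_000)),
    Scenario("online store outage", "A", (0.2, 0.5),
             direct_loss=downtime_loss(20_000, (1, 8))),
]
```

Calling total_range(SCENARIOS) on these constructed figures gives a yearly range of roughly 45,000 to 602,500, and range_by_cia(SCENARIOS) shows how much of that sits on confidentiality versus availability.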