Penetration Testing mailing list archives
RE: Business justification for pentesting
From: "Steve Manzuik" <smanzuik () eeye com>
Date: Wed, 31 Aug 2005 13:42:41 -0700
> 1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: if a hacker breaks into your network, you will lose up to $40,000, for example. How can he come up with such figures?
This almost sounds like a scare tactic to me. I have seen pen-testers pull numbers out of their backsides in an attempt to justify their overpriced rates. This is a risk management thing, not a pen-test thing. Assets need to be classified, IP needs to be documented, and then a qualified person could put a price tag on it. But in reality this is not exclusively connected to a pen-test and is more of a general task that should be done as part of building a secure infrastructure.
> 2- Are there any other means to justify pentesting to management except for $$$?
This depends on the organization. If your organization has not given a thought to its IT security, then a pen-test is a bit of a waste of time/budget because it will tell you what you already know -- your security sucks. That being said, if your organization has done what it feels to be the right thing in creating a secure environment, then a pen-test is a good way to validate the money you have spent on various security technologies. Management can look at a pen-test as a bit of a report card on how their various security initiatives have worked. In some cases a pen-test can even be used to validate the functionality of incident response plans and detection technologies.
> 3- Are there any official statistics, figures, etc. for justifying pentesting? The more official it is, the better.
Not really. In my opinion there are no statistics that cannot be proved to be biased. But I guess the CSI/FBI survey may help your purpose here.

Signed,
Steve Manzuik
eEye Digital Security
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

I read my email with Outlook
I read your email with Iris