Penetration Testing mailing list archives
Re: Business justification for pentesting
From: "Adam Chesnutt" <icetre () digitalfreezer net>
Date: Tue, 30 Aug 2005 15:47:42 -0400
On 30 Aug 2005 16:29:35 -0000, sectraq wrote
hi all, a few classic question that i would appriciate any answers for. 1- i would like to briefly know how to quantify information assets. In other words, i hear a pentester say: if a hacker breaks in ur network, u will loose up to 40000$ for example. how can he come up with such figures?
Well, to be honest. Many people and places just pull impressive sounding figures out of their butt. I hear more than 80% of the statistics, including this one, are exactly that. ;) But on a more serious note. One way to go about this is to figure out what the normal amount of income generated by having the system do it's job optimally. For example, if an online bookseller takes in 300 orders a day on average, and each order averages $10. Then the web site in question takes in an average of $3000/day. So if the machine is broken into then right there, you've got the starting loss of 3k a day. now lets assume, this fictional company has a team of 10 people, making an average of $30/hour. That comes up to $300/hour. If your machine is down for a full day and took 8 hours to repair, you have a net loss of $5400. This is simple math. Of course, it's really hard sometimes to put price on this stuff, sometimes it's easy. Sometimes it's even easier to just point to another company that had similar problems and suggest their doom might become yours. ie "Worldcom had a similar issue, and because of the liability, they were succesfully sued for 10 million"
2- are there any other means to justify pentesting for management except for $$$?
Problem is: That's all most management really cares about, The bottom line. Not just business loss, but appearances and only how appearances will affect the stock price/sales figures/etc. You could conceivably sell it based on being the responsible thing to do, but something tells me you'll be even more successful with liability, and monetary scare tactics.
3- are there any official statistics, figures etc. for justifying pentesting. ther more official it is the better.
Not that I'm aware of, maybe someone should create a global security testing site, that continually scans the Internet looking for security problems and publishes the statistics. Kinda like if you were to cross netcraft with a smurf amplifier top 10 list. I could be wrong though, and maybe there is some kind of published statistics. The problem is that usually along with security problems comes finger pointing, blame assignment, and then the usual cover up. So I would have to say, any real stats wouldn't be very trustworthy.
4- any other information you guys might find helpful in justifying a pentest would be appriciated.
They're great fun to charge $375/billable hour for months on end. ;) With the usual, cleanup and reaudit process, you can keep it up for well over a year if your good. I usually go for the whole liability/legal problems angle. Very quickly puts the fear of god in the hearts of most businessmen.
thnx in advance for ur help. T.N
Current thread:
- Business justification for pentesting sectraq (Aug 30)
- RE: Business justification for pentesting Omar A. Herrera (Aug 30)
- Re: Business justification for pentesting Adam Chesnutt (Aug 30)
- Re: Business justification for pentesting Lynx (Aug 30)
- Re: Business justification for pentesting Irene Abezgauz (Aug 31)
- Re: Business justification for pentesting rmeijer (Aug 31)
- <Possible follow-ups>
- RE: Business justification for pentesting William Tarkington (Aug 30)
- Re: Business justification for pentesting Kevin Reiter (Aug 31)
- RE: Business justification for pentesting Michael Scheidell (Aug 30)
- Re: Business justification for pentesting Jan van Rensburg (Aug 31)
- RE: Business justification for pentesting Ha, Jason (Aug 31)