Penetration Testing mailing list archives
RE: Business justification for pentesting
From: "Michael Scheidell" <scheidell () secnap net>
Date: Tue, 30 Aug 2005 19:54:57 -0400
-----Original Message-----
From: sectraq () gmail com [mailto:sectraq () gmail com]
Sent: Tuesday, August 30, 2005 12:30 PM
To: pen-test () securityfocus com
Subject: Business justification for pentesting

hi all, a few classic questions that i would appreciate any answers for.

1- i would like to briefly know how to quantify information assets. In other words, i hear a pentester say: if a hacker breaks in ur network, u will lose up to 40000$ for example. how can he come up with such figures?
You really don't need to worry about penetration testing, or paying for it. There are about 125,000 computers out there on the internet doing it for you for free. All you need to do is wait till your whole network crashes, the CEO starts to scream and you see your company mentioned in the latest reports on CNN.

It really only costs about $2000 if a computer gets hacked (plus lost wages, loss of business, loss of customer confidence, plus the possibility that in 18 months it will be the main reason that you finally went bankrupt).

Seriously, you really need a third party looking at your network from the outside. How can you tell if your house is vulnerable? You left the window open? How can you tell if someone broke into your house? Broken window.

How can you tell how much you will save if you do penetration testing? You have to do it first, then decide how bad the problems they found are, and YOU need to decide what it would have cost your company if they hadn't done it in the first place.

Don't try to justify pen testing UP THE CHAIN; if the cxx or board isn't interested in protecting the company assets, it's a losing battle. It really needs to start at the top as a cultural thing, especially since most of your security vulnerabilities will be on the inside. Something it doesn't sound like your management cares much about (or you would not be asking the question).

No problem. As soon as they get hacked into, they will do penetration testing. Just ask card systems, bank of new york, cnn, and anyone who has just taken the firewall protection for granted.