Penetration Testing mailing list archives

Re: Business justification for pentesting


From: Lynx <lynx () enemy org>
Date: Tue, 30 Aug 2005 23:05:08 +0200

On Aug 30, 2005 at 1629 -0000, sectraq () gmail com appeared and said:
1- I would like to briefly know how to quantify information assets. In
other words, I hear a pentester say: if a hacker breaks into your network,
you will lose up to $40000, for example. How can he come up with such
figures?

If you look at the list at

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

and imagine that everyone involved really takes the necessary steps to
secure evidence, analyse the break-in, recover systems and restore them, then
you can think of a rough figure for the downtime and work involved in dealing
with a security incident. This is one way of getting some figures.

2- are there any other means to justify pentesting for management except for $$$?

Reputation, trust (of customers and partners), liability.

3- Are there any official statistics, figures etc. for justifying
pentesting? The more official it is, the better.

I have yet to see a company that gladly publishes security-related
information such as system compromises. Apart from that, the usual
statistics and trends don't help you much when it comes to individual
setups. You may have a server and network topology that is "secure" from
all the mainstream attacks, but it may have a weakness somewhere else.

4- Any other information you guys might find helpful in justifying a
pentest would be appreciated.

You might want to use another term than "pen testing". This may sound
ridiculous, but I have heard the following statement more than once:

"Pen testing? No, we don't need that, we just need someone who checks
our security measures."

Best,
Lynx.
