Penetration Testing mailing list archives
Re: Business justification for pentesting
From: Lynx <lynx () enemy org>
Date: Tue, 30 Aug 2005 23:05:08 +0200
On Aug 30, 2005 at 1629 -0000, sectraq () gmail com appeared and said:
1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: if a hacker breaks into your network, you will lose up to $40000, for example. How can he come up with such figures?
If you look at the list at http://www.cert.org/tech_tips/win-UNIX-system_compromise.html and imagine that everyone involved really takes the necessary steps to secure evidence, analyse the break-in, recover the systems and restore them, then you can arrive at a rough figure for the downtime and work involved in dealing with a security incident. This is one way of getting any figures.
2- Are there any other means to justify pentesting for management except for $$$?
Reputation, trust (of customers and partners), liability.
3- Are there any official statistics, figures etc. for justifying pentesting? The more official it is, the better.
I have yet to see a company that gladly publishes security-related information such as system compromises. Apart from that, the usual statistics and trends don't help you much when it comes to individual setups. You may have a server and network topology that is "secure" from all the mainstream attacks, but it may have a weakness somewhere else.
4- Any other information you guys might find helpful in justifying a pentest would be appreciated.
You might want to use another term than pen testing. This may sound ridiculous but I have heard more than once the following statement: "Pen testing? No, we don't need that, we just need someone who checks our security measures." Best, Lynx.