Penetration Testing mailing list archives
Re: Business justification for pentesting
From: Jan van Rensburg <jan.van.rensburg () epiuse com>
Date: Wed, 31 Aug 2005 14:26:20 +0200
Hi, On 31 Aug 2005, at 1:54 AM, Michael Scheidell wrote:
> Hi all, a few classic questions that I would appreciate any answers for. 1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: if a hacker breaks into your network, you will lose up to $40000, for example. How can he come up with such figures?
I prefer to evaluate risk with disaster scenarios this way (obviously simplified):
1. Construct a couple of scenarios of what might happen
2. Look at what the bottom line effect of each scenario is vs the status quo
3. The difference is what you are looking for

If someone hacks, say, your billing server, the company will not necessarily go under, and neither will all the employees come to a standstill. They will use other, perhaps less efficient, ways to still do some part of their jobs. They might revert to using Excel instead of Accpac, or use faxes instead of electronic invoicing. Some customers might get wrongly invoiced, get upset and go to another vendor, but most likely not all of them, etc, etc. This approach takes some time and assumes you understand the business - which should be the starting point for any pentester in any case.
There's a very good paper by Kevin J Soo Hoo that touches on many of the cost-quantification issues in infosec:
http://iis-db.stanford.edu/pubs/11900/soohoo.pdf

No doubt much more research is needed, and it will probably be driven by the insurance industry.
Hope this helps, Jan
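The three-step method in the reply above (scenario, bottom-line effect vs status quo, take the difference) can be written down as a small model. The following is an added illustration, not code from the thread or from any of its participants; every figure in it (daily revenue, customer count, outage length, fallback efficiency, churn rates, recovery cost) is a constructed assumption chosen only to make the arithmetic visible, and the "billing server" scenario is the one the reply uses as its example.

```python
"""Scenario-based loss estimate: status quo minus scenario over a fixed horizon.

Added illustration. All numbers below are constructed assumptions, not figures
from the mailing-list thread.
"""
from dataclasses import dataclass


@dataclass
class Business:
    daily_revenue: float   # revenue the affected process normally books per day
    customers: int         # active customers served by that process


@dataclass
class Scenario:
    name: str
    outage_days: int              # days until the system is back to normal operation
    fallback_efficiency: float    # fraction of normal throughput kept via manual workarounds (0..1)
    misbilled_fraction: float     # fraction of customers wrongly invoiced during the outage
    churn_given_misbilled: float  # fraction of the misbilled customers who leave for another vendor
    recovery_cost: float          # one-off spend: rebuild, forensics, overtime, notifications
    horizon_days: int = 365       # period over which status quo and scenario are compared


def status_quo_value(b: Business, horizon_days: int) -> float:
    """Step 2 baseline: what the process brings in if nothing happens."""
    return b.daily_revenue * horizon_days


def scenario_value(b: Business, s: Scenario) -> float:
    """Step 2 for the scenario: reduced throughput during the outage, a slightly
    smaller customer base afterwards, and the one-off recovery bill."""
    churned = b.customers * s.misbilled_fraction * s.churn_given_misbilled
    retained_fraction = 1.0 - churned / b.customers
    remaining_days = s.horizon_days - s.outage_days
    during_outage = b.daily_revenue * s.fallback_efficiency * s.outage_days
    after_outage = b.daily_revenue * retained_fraction * remaining_days
    return during_outage + after_outage - s.recovery_cost


def loss(b: Business, s: Scenario) -> float:
    """Step 3: the difference is the number you are looking for."""
    return status_quo_value(b, s.horizon_days) - scenario_value(b, s)


def loss_breakdown(b: Business, s: Scenario) -> dict:
    """Same figure, split into the three effects so each can be argued separately."""
    churned = b.customers * s.misbilled_fraction * s.churn_given_misbilled
    remaining_days = s.horizon_days - s.outage_days
    outage_loss = b.daily_revenue * (1.0 - s.fallback_efficiency) * s.outage_days
    churn_loss = b.daily_revenue * (churned / b.customers) * remaining_days
    return {
        "outage": outage_loss,
        "churn": churn_loss,
        "recovery": s.recovery_cost,
        "total": outage_loss + churn_loss + s.recovery_cost,
    }


def rank_scenarios(b: Business, scenarios: list) -> list:
    """Order constructed scenarios by estimated loss, worst first."""
    return sorted(((s.name, loss(b, s)) for s in scenarios), key=lambda t: -t[1])


# Constructed example inputs (assumptions, not data from the thread).
EXAMPLE_BUSINESS = Business(daily_revenue=2000.0, customers=400)

BILLING_SERVER = Scenario(
    name="billing server compromised",
    outage_days=10,
    fallback_efficiency=0.6,      # staff fall back to spreadsheets and faxed invoices
    misbilled_fraction=0.05,
    churn_given_misbilled=0.2,
    recovery_cost=8000.0,
)

MAIL_RELAY = Scenario(
    name="mail relay abused as open relay",
    outage_days=2,
    fallback_efficiency=0.9,
    misbilled_fraction=0.0,
    churn_given_misbilled=0.0,
    recovery_cost=3000.0,
)

if __name__ == "__main__":
    for name, amount in rank_scenarios(EXAMPLE_BUSINESS, [BILLING_SERVER, MAIL_RELAY]):
        print(f"{name}: estimated loss {amount:,.0f}")
    print(loss_breakdown(EXAMPLE_BUSINESS, BILLING_SERVER))
```

The point of carrying the status quo through explicitly is that the loss is never "the billing server is worth X"; it is the gap between the business running as usual and the business limping along on its workarounds for a while, plus whatever it costs to get back. Each of the three terms in the breakdown is something the client can sanity-check against their own experience, which is what makes the final number defensible.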
Current thread:
- Business justification for pentesting sectraq (Aug 30)
- RE: Business justification for pentesting Omar A. Herrera (Aug 30)
- Re: Business justification for pentesting Adam Chesnutt (Aug 30)
- Re: Business justification for pentesting Lynx (Aug 30)
- Re: Business justification for pentesting Irene Abezgauz (Aug 31)
- Re: Business justification for pentesting rmeijer (Aug 31)
- <Possible follow-ups>
- RE: Business justification for pentesting William Tarkington (Aug 30)
- Re: Business justification for pentesting Kevin Reiter (Aug 31)
- RE: Business justification for pentesting Michael Scheidell (Aug 30)
- Re: Business justification for pentesting Jan van Rensburg (Aug 31)
- RE: Business justification for pentesting Ha, Jason (Aug 31)