Penetration Testing mailing list archives

RE: Business justification for pentesting


From: "Steve Manzuik" <smanzuik () eeye com>
Date: Wed, 31 Aug 2005 13:42:41 -0700

1- I would like to briefly know how to quantify information
assets. In other words, I hear a pentester say: if a hacker
breaks into your network, you will lose up to $40,000, for example.
How can he come up with such figures?

This almost sounds like a scare tactic to me.  I have seen pen-testers
pull numbers out of their backsides in an attempt to justify their
overpriced rates.  This is a risk management thing, not a pen-test thing.
Assets need to be classified, IP needs to be documented, and then a
qualified person could put a price tag on it.  But in reality this is
not exclusively connected to a pen-test and is more of a general task
that should be done as part of building a secure infrastructure.


2- Are there any other means to justify pentesting to
management except for $$$?

This depends on the organization.  If your organization has not given a
thought to its IT security then a pen-test is a bit of a waste of
time/budget because it will tell you what you already know -- your
security sucks.  That being said, if your organization has done what
they feel to be the right thing in creating a secure environment then a
pen-test is a good way to validate the money you have spent on various
security technologies.

Management can look at a pen-test as a bit of a report card on how their
various security initiatives have worked.  In some cases a pen-test can
even be used to validate the functionality of incident response plans
and detection technologies.
 
3- Are there any official statistics, figures, etc. for
justifying pentesting? The more official it is, the better.

Not really.  In my opinion there are no statistics that cannot be proved
to be biased.  But I guess the CSI/FBI survey may help your purpose
here.


Signed,
Steve Manzuik
eEye Digital Security


http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner 
http://eEye.com/Iris - Network Traffic Analyzer 
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 


I read my email with Outlook
I read your email with Iris


