Penetration Testing mailing list archives
RE: How would you describe the risk if a company doesn't do penetration tests?
From: Gorgon Beast <gorgonbeast () hotmail com>
Date: Thu, 17 Sep 2009 11:00:41 -0700
Here is one that I've used with management when they didn't want to spend the dollars: "Here's the scenario. You have been hacked using a method you would have known about if you had a pen-test done. The bad guys stole the company database that included all of the HR documents including SSN's and salaries, and the tables that held credit card information. In California, there is a full disclosure law. How long do you think people will do business with you once this gets out? What will this do to your reputation? How many lawsuits do you think will be brought against you?"
From a compliance point of view they run the risk of not being compliant (because of PCI, local law, etc) but I need a better, juicier "risk" description ;)
Current thread:
- How would you describe the risk if a company doesn't do penetration tests? Sebastiaan (Sep 17)
- RE: How would you describe the risk if a company doesn't do penetration tests? Gorgon Beast (Sep 17)
- RE: How would you describe the risk if a company doesn't do penetration tests? Frye, Dan (Sep 17)
- Re: How would you describe the risk if a company doesn't do penetration tests? Trojacek (Sep 17)
- Re: How would you describe the risk if a company doesn't do penetration tests? JoePete (Sep 17)
- Re: How would you describe the risk if a company doesn't do penetration tests? Cor Rosielle (Sep 22)
- Re: How would you describe the risk if a company doesn't do penetration tests? Sebastiaan (Sep 22)