Penetration Testing mailing list archives

RE: How would you describe the risk if a company doesn't do penetration tests?


From: Gorgon Beast <gorgonbeast () hotmail com>
Date: Thu, 17 Sep 2009 11:00:41 -0700


Here is one that I've used with management when they didn't want to spend the dollars:

"Here's the scenario.  You have been hacked using a method you would have known about if you had a pen-test done.  The 
bad guys stole the company database that included all of the HR documents including SSNs and salaries, and the tables 
that held credit card information. In California, there is a full disclosure law.

How long do you think people will do business with you once this gets out?  What will this do to your reputation? How 
many lawsuits do you think will be brought against you?"




From a compliance point of view they run the risk of not being
compliant (because of PCI, local law, etc) but I need a better, juicier
"risk" description ;)


                                          
_________________________________________________________________
Hotmail® has ever-growing storage! Don’t worry about storage limits.
http://windowslive.com/Tutorial/Hotmail/Storage?ocid=TXT_TAGLM_WL_HM_Tutorial_Storage_062009
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
