Penetration Testing mailing list archives
RE: Business justification for pentesting
From: "Ha, Jason" <JHa () verisign com au>
Date: Wed, 31 Aug 2005 15:39:23 +1000
Hi T.N,
> a few classic questions that I would appreciate any answers for.
> 1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: if a hacker breaks into your network, you will lose up to $40000, for example. How can he come up with such figures?

Well, if you want to sound really professional, you can use the following calculations (good to see the CISSP is providing some ROI >:) ):

Firstly, you have an asset (be it a server, people, a database etc). This asset has an associated cost. This cost can either be a capital cost (the cost to acquire/replace the asset) or it could be a "loss realisation" cost (if we lost our database, that would cost us $X in lost revenue). Note, there are also intangible costs (loss of reputation etc), but they're much harder to calculate in your given circumstance. It's up to the business owners of those respective assets to give you the cost of the asset. It generally helps to hold some type of interview process with each of them to collect a full list of all the critical business assets.

Now, you need to calculate the Exposure Factor (EF), that is, the percentage of loss that a realised threat would have on that particular asset. For example, if you had a fire in the building and the server and all data on it became toast, then your EF would be 100% (a 100% loss). However, some threats may only realise a 10%, 20%, 30% EF etc.

With those two values, you can derive the Single Loss Expectancy (SLE) for a given threat: SLE = Asset$ x EF%. So using our previous fire example again, our asset, which may cost $4000, with an EF of 100% would give $4000 x 100% = $4000.

Figures have more meaning if they represent a year, so you will then need to determine the Annual Rate of Occurrence (ARO), that is, how frequently in a year a given threat is expected to occur (0 meaning never in a year). Using these figures, you will then be able to calculate the Annualised Loss Expectancy (ALE), which is the loss realised for a single asset, for a given threat, over a single year: ALE = SLE x ARO. So to complete our example, assume that the threat only occurs twice a year. Hence, $4000 x 2 = $8000.

So you could assume that for that one asset and that given threat, the organisation could anticipate a loss of up to $8000 a year. Obviously, an asset faces more than one threat, so by taking each asset and a large number of threats, it'll give you a full loss calculation for an organisation's assets.
> 2- are there any other means to justify pentesting for management except for $$$?

Pen testing is a very hard thing to justify alone (unless the organisation is releasing a home-brew app that's publicly accessible and wants to ensure it's robust before they bring it online). Pen testing needs to be incorporated into a whole Risk Management strategy, a lot of which includes the previous step of analysing assets and costs. The main problem is, what might not be vulnerable this minute may be vulnerable in the very next minute. >:)

However, as part of a full risk assessment, a pen test will allow you to do several things:
* Reconfirm the _current_ relevant threats
* Determine more realistically the EF of the asset
* Most importantly, it will allow you to determine the effectiveness of the current countermeasures (which not only includes technology, but also includes procedures - such as incident response etc).

Many organisations like to claim that they "aren't vulnerable". Your question to them should be "how do you REALLY know?". One benefit of a pen test is to give the organisation visibility as to where certain weaknesses in their security posture lie.
> 3- are there any official statistics, figures etc. for justifying pentesting? The more official it is the better.

Not sure about pen testing per se, but the CSI-FBI annual survey is a good "official" indication of security statistics in general: http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml

Best of luck.

Jason

-----Original Message-----
From: sectraq () gmail com [mailto:sectraq () gmail com]
Sent: Wednesday, 31 August 2005 2:30 AM
To: pen-test () securityfocus com
Subject: Business justification for pentesting

hi all,

a few classic questions that I would appreciate any answers for.

1- I would like to briefly know how to quantify information assets. In other words, I hear a pentester say: if a hacker breaks into your network, you will lose up to $40000, for example. How can he come up with such figures?

2- are there any other means to justify pentesting for management except for $$$?

3- are there any official statistics, figures etc. for justifying pentesting? The more official it is the better.

4- any other information you guys might find helpful in justifying a pentest would be appreciated.

Thanks in advance for your help.

T.N
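As an added illustration of the SLE/ALE arithmetic described in the reply above (this is example code, not part of the original post), here is a small Python risk-register calculator. It extends the single asset/threat example to several assets and threats, giving the per-asset and organisation-wide totals the reply mentions, and adds one step the post only alludes to with its "ROI" remark: the standard cost/benefit figure for a countermeasure, ALE before the control minus ALE after it minus the annual cost of the control. The asset names, values, exposure factors and rates are constructed for illustration; the only figures taken from the thread are the $4000 server destroyed by fire twice a year.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, carrying the two factors the post defines."""
    name: str
    ef: float   # Exposure Factor: fraction of the asset value lost (1.0 == 100%)
    aro: float  # Annual Rate of Occurrence: expected occurrences per year (0 == never)


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = Asset$ x EF%  (loss from one occurrence of the threat)."""
    if asset_value < 0 or not 0.0 <= ef <= 1.0:
        raise ValueError("asset value must be >= 0 and EF must be between 0 and 1")
    return asset_value * ef


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO  (expected loss from that threat over one year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def risk_register(assets: dict[str, float],
                  threats: dict[str, list[Threat]]) -> list[dict]:
    """Build one row per (asset, threat) pair with its SLE and ALE."""
    rows = []
    for asset, value in assets.items():
        for t in threats.get(asset, []):
            sle = single_loss_expectancy(value, t.ef)
            rows.append({
                "asset": asset,
                "threat": t.name,
                "sle": sle,
                "ale": annualised_loss_expectancy(sle, t.aro),
            })
    return rows


def ale_by_asset(rows: list[dict]) -> dict[str, float]:
    """Sum ALE across all the threats facing each asset."""
    totals: dict[str, float] = {}
    for r in rows:
        totals[r["asset"]] = totals.get(r["asset"], 0.0) + r["ale"]
    return totals


def total_ale(rows: list[dict]) -> float:
    """Organisation-wide expected annual loss across every asset and threat."""
    return sum(r["ale"] for r in rows)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual value of a countermeasure (standard risk-analysis extension, not
    spelled out in the post): ALE before the control, minus ALE after it, minus
    what the control costs per year. Negative means it costs more than it saves."""
    return ale_before - ale_after - annual_cost


# Constructed sample data. Only the $4000 server / fire / twice-a-year figures
# come from the post; everything else is made up for illustration.
ASSETS = {
    "file server": 4000.0,
    "customer database": 250000.0,
}
THREATS = {
    "file server": [
        Threat("fire", ef=1.0, aro=2.0),            # the post's example: ALE $8000
        Threat("disk failure", ef=0.25, aro=0.5),
    ],
    "customer database": [
        Threat("remote compromise", ef=0.5, aro=0.25),
    ],
}


if __name__ == "__main__":
    rows = risk_register(ASSETS, THREATS)
    for r in rows:
        print(f"{r['asset']:18} {r['threat']:18} SLE ${r['sle']:>10,.2f}  ALE ${r['ale']:>10,.2f}")
    for asset, ale in ale_by_asset(rows).items():
        print(f"ALE for {asset}: ${ale:,.2f}")
    print(f"Total ALE: ${total_ale(rows):,.2f}")

    # Hypothetical: a pen test shows that patching plus monitoring would cut the
    # EF of the database compromise from 50% to 25%, at an assumed $10000/year.
    before = annualised_loss_expectancy(single_loss_expectancy(250000.0, 0.5), 0.25)
    after = annualised_loss_expectancy(single_loss_expectancy(250000.0, 0.25), 0.25)
    print(f"Annual value of the control: ${safeguard_value(before, after, 10000.0):,.2f}")
```

The register rows are what you would take into the interviews with asset owners: they supply the asset values, the pen test refines the EF and ARO columns, and the totals are the "$X a year" figure management asks for. The safeguard calculation is the piece that turns a finding into a decision: if the annual value is negative, the control is not worth buying on these numbers alone.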
Current thread:
- Business justification for pentesting sectraq (Aug 30)
- RE: Business justification for pentesting Omar A. Herrera (Aug 30)
- Re: Business justification for pentesting Adam Chesnutt (Aug 30)
- Re: Business justification for pentesting Lynx (Aug 30)
- Re: Business justification for pentesting Irene Abezgauz (Aug 31)
- Re: Business justification for pentesting rmeijer (Aug 31)
- <Possible follow-ups>
- RE: Business justification for pentesting William Tarkington (Aug 30)
- Re: Business justification for pentesting Kevin Reiter (Aug 31)
- RE: Business justification for pentesting Michael Scheidell (Aug 30)
- Re: Business justification for pentesting Jan van Rensburg (Aug 31)
- RE: Business justification for pentesting Ha, Jason (Aug 31)