Penetration Testing mailing list archives
Re: Business justification for pentesting
From: rmeijer () xs4all nl
Date: Wed, 31 Aug 2005 14:46:31 +0200 (CEST)
hi all, a few classic question that i would appriciate any answers for. 1- i would like to briefly know how to quantify information assets. In other words, i hear a pentester say: if a hacker breaks in ur network, u will loose up to 40000$ for example. how can he come up with such figures?
This is not something for a pentester to be concerned with in most cases. The value of assets should be evaluated only in the context of a risk assesment done by a skilled statistician, not by a skilled infosec technisian. In the past I've tried to bring together some of the statistician/technisian/management infosec issues in a whitepaper on risk assesment and incident response, but it has turend out to be close to impossible to bring together these distinct views on infosec in a way that not everyone thinks: 'that is the other guys specialty'. You may wish to check out 'Security Incident Policy Enforcement' at isecom.org to get somewhat of a grasp on this. The document focusses on risk assesment in a IR context, but much of it can be seen in a wider scope also.
2- are there any other means to justify pentesting for management except for $$$?
Pentesting is just one of a wide range of security measures, there are three ways to justify any security measures: 1 The projected financial footprint of the diverted risk is substantialy higher than the projected cost of the security measure. 2 The potential financial footprint of diverted risk would be very high and the projected cost of the measure not very substancial. 3) There is insufficient data to asses if either 1 or 2 is true, and the measure could supply this data. As you see, only the third does not directly involve money as argument, but I dont think pentesting could be categorized in that section very often.
3- are there any official statistics, figures etc. for justifying pentesting. ther more official it is the better.
In my research I have found no sign of any statistic information with any usefull span that crosses company borders. This is very unfortunate, as it makes risk assesments yield rather high spreads in their risk densities, that makes building solid pollicies from them very dificult. I personaly believe that this lack of statistics could be responsible for a very large portion of overall infosec incident costs.
4- any other information you guys might find helpful in justifying a pentest would be appriciated. thnx in advance for ur help. T.N
Current thread:
- Business justification for pentesting sectraq (Aug 30)
- RE: Business justification for pentesting Omar A. Herrera (Aug 30)
- Re: Business justification for pentesting Adam Chesnutt (Aug 30)
- Re: Business justification for pentesting Lynx (Aug 30)
- Re: Business justification for pentesting Irene Abezgauz (Aug 31)
- Re: Business justification for pentesting rmeijer (Aug 31)
- <Possible follow-ups>
- RE: Business justification for pentesting William Tarkington (Aug 30)
- Re: Business justification for pentesting Kevin Reiter (Aug 31)
- RE: Business justification for pentesting Michael Scheidell (Aug 30)
- Re: Business justification for pentesting Jan van Rensburg (Aug 31)
- RE: Business justification for pentesting Ha, Jason (Aug 31)