Re: Business justification for pentesting

From: Jan van Rensburg (jan.van.rensburg_at_epiuse.com)
Date: 08/31/05

  • Next message: rmeijer_at_xs4all.nl: "Re: Business justification for pentesting"
    Date: Wed, 31 Aug 2005 14:26:20 +0200
    To: pen-test@securityfocus.com
    
    

    Hi,

    On 31 Aug 2005, at 1:54 AM, Michael Scheidell wrote:
    >
    > hi all,
    >
    > a few classic questions that I would appreciate any answers for.
    > 1- i would like to briefly know how to quantify information
    > assets. In other words, i hear a pentester say: if a hacker
    > breaks in your network, you will lose up to $40000 for example.
    > how can he come up with such figures?

    I prefer to evaluate risk with disaster scenarios this way (obviously
    simplified):
    1. Construct a couple of scenarios of what might happen
    2. Look at what the bottom line effect of each scenario is vs the
    status quo
    3. The difference is what you are looking for

    If someone hacks, say, your billing server, the company will not
    necessarily go under, and neither will all the employees come to a
    standstill. They will use other, perhaps less efficient, ways to
    still do some part of their jobs. They might revert to using Excel
    instead of Accpac, or use faxes instead of electronic invoicing. Some
    customers might get wrongly invoiced, get upset and go to another
    vendor, but most likely not all of them, etc, etc. This approach
    takes some time and assumes you understand the business - which
    should be the starting point for any pentester in any case.

    There's a very good paper by Kevin J Soo Hoo that touches on many of
    the cost-quantification issues in infosec:
    http://iis-db.stanford.edu/pubs/11900/soohoo.pdf

    No doubt much more research is needed, and it will probably be driven by
    the insurance industry.

    Hope this helps,
    Jan
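
The three-step scenario method described in the reply, worked through as an added example that is not part of Jan's post or of the Soo Hoo paper. Every figure (daily revenue, margin, outage length, fallback efficiency, churn, recovery cost, yearly likelihood) is a constructed placeholder for a hypothetical company, and the final likelihood-weighted "expected annual loss" goes one step beyond the post, which only compares each scenario's bottom line against the status quo.

```python
# Added example (not from the mailing-list post): scenario-based loss
# estimation in three steps:
#   1. describe a couple of scenarios,
#   2. compute each scenario's bottom line versus the status quo,
#   3. the difference is the loss figure a pentester can defend.
# All numbers below are constructed sample values for a hypothetical company.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Business:
    """Status-quo figures (constructed sample values)."""
    daily_revenue: float               # revenue booked per business day
    gross_margin: float                # fraction of revenue that is profit
    customers: int                     # active customers
    annual_value_per_customer: float   # yearly profit contribution per customer


@dataclass(frozen=True)
class Scenario:
    """Step 1: one 'what might happen' story, e.g. the billing server is hacked."""
    name: str
    outage_days: int                   # days the primary system is unusable
    fallback_efficiency: float         # 0..1: throughput via Excel/fax vs normal
    churn_fraction: float              # share of customers who leave over it
    recovery_cost: float               # forensics, rebuild, overtime, notices
    annual_likelihood: float           # assumed chance per year (beyond the post)


def bottom_line(biz: Business, scenario: Optional[Scenario] = None,
                horizon_days: int = 250) -> float:
    """Step 2: profit over a 250-day business year (an assumption).

    With no scenario this is the status quo. With a scenario, the outage
    days run at fallback efficiency, lost customers' yearly contribution
    is subtracted (a simplification), and the recovery bill is paid.
    """
    if scenario is None:
        return biz.daily_revenue * biz.gross_margin * horizon_days

    normal_days = horizon_days - scenario.outage_days
    degraded_revenue = scenario.outage_days * biz.daily_revenue * scenario.fallback_efficiency
    revenue = normal_days * biz.daily_revenue + degraded_revenue
    profit = revenue * biz.gross_margin
    churn_loss = scenario.churn_fraction * biz.customers * biz.annual_value_per_customer
    return profit - churn_loss - scenario.recovery_cost


def scenario_loss(biz: Business, scenario: Scenario, horizon_days: int = 250) -> float:
    """Step 3: status quo minus the scenario's bottom line."""
    return bottom_line(biz, None, horizon_days) - bottom_line(biz, scenario, horizon_days)


def rank_scenarios(biz: Business, scenarios: List[Scenario]) -> List[Tuple[str, float, float]]:
    """(name, loss if it happens, likelihood-weighted expected annual loss),
    worst expected loss first. The weighting is an addition beyond the post."""
    rows = [(s.name, scenario_loss(biz, s), scenario_loss(biz, s) * s.annual_likelihood)
            for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample company and scenarios (placeholders, not real data).
SAMPLE_BUSINESS = Business(daily_revenue=40_000.0, gross_margin=0.25,
                           customers=800, annual_value_per_customer=1_200.0)
SAMPLE_SCENARIOS = [
    Scenario("billing server compromised", outage_days=5, fallback_efficiency=0.6,
             churn_fraction=0.01, recovery_cost=30_000.0, annual_likelihood=0.2),
    Scenario("public website defaced", outage_days=1, fallback_efficiency=0.9,
             churn_fraction=0.0, recovery_cost=8_000.0, annual_likelihood=0.5),
]

if __name__ == "__main__":
    print(f"status quo profit: {bottom_line(SAMPLE_BUSINESS):,.0f}")
    for name, loss, expected in rank_scenarios(SAMPLE_BUSINESS, SAMPLE_SCENARIOS):
        print(f"{name:32s} loss {loss:>10,.0f}  expected/yr {expected:>10,.0f}")
```

With these placeholder figures the billing-server scenario costs roughly 59,600 against a 2,500,000 status-quo profit; the point of the exercise is that the number is traceable to stated business assumptions (fallback efficiency, churn, recovery spend) that the customer can argue about, rather than a figure pulled from the air.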
