RE: Business justification for pentesting
From: Steve Manzuik (smanzuik_at_eeye.com)
Date: 08/31/05
- Previous message: email_at_securityfocus.com: "Re: Where are Windows "Enforce password history" passwords stored?"
- Maybe in reply to: Craig Wright: "RE: Business justification for pentesting"
- Next in thread: Vic N: "RE: Business justification for pentesting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Aug 2005 13:42:41 -0700 To: <sectraq@gmail.com>, <pen-test@securityfocus.com>
> 1- I would like to briefly know how to quantify information
> assets. In other words, I hear a pentester say: if a hacker
> breaks into your network, you will lose up to $40,000, for example.
> How can he come up with such figures?
This almost sounds like a scare tactic to me. I have seen pen-testers
pull numbers out of their backsides in an attempt to justify their
overpriced rates. This is a risk management thing, not a pen-test thing.
Assets need to be classified, IP needs to be documented, and then a
qualified person could put a price tag on it. But in reality this is
not exclusively connected to a pen-test and is more of a general task
that should be done as part of building a secure infrastructure.
> 2- Are there any other means to justify pentesting to
> management except for $$$?
This depends on the organization. If your organization has not given a
thought to their IT security then a pen-test is a bit of a waste of
time/budget because it will tell you what you already know -- your
security sucks. That being said, if your organization has done what
they feel to be the right thing in creating a secure environment, then a
pen-test is a good way to validate the money you have spent on various
security technologies.
Management can look at a pen-test as a bit of a report card on how their
various security initiatives have worked. In some cases a pen-test can
even be used to validate the functionality of incident response plans
and detection technologies.
> 3- Are there any official statistics, figures, etc. for
> justifying pentesting? The more official it is, the better.
Not really. In my opinion there are no statistics that cannot be proved
to be biased. But I guess the CSI/FBI survey may help your purpose
here.
Signed,
Steve Manzuik
eEye Digital Security
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
I read my email with Outlook
I read your email with Iris