mailing list archives
RE: Business justification for pentesting
From: "Michael Scheidell" <scheidell () secnap net>
Date: Tue, 30 Aug 2005 19:54:57 -0400
From: sectraq () gmail com [mailto:sectraq () gmail com]
Sent: Tuesday, August 30, 2005 12:30 PM
To: pen-test () securityfocus com
Subject: Business justification for pentesting
a few classic question that i would appriciate any answers for.
1- i would like to briefly know how to quantify information
assets. In other words, i hear a pentester say: if a hacker
breaks in ur network, u will loose up to 40000$ for example.
how can he come up with such figures?
You really don't need to worry about penetration testing, or paying for
There are about 125,000 computers out there on the internet doing it for
you for free.
All you need to do is wait till your whole network crashes, the CEO
starts to scream and you see your company mentioned in the latest
reports on CNN.
It really only costs about $2000 if a computer gets hacked
(plus lost wages, lose of business, loss of customer confidence, plus
possibility that in 18 months it will be the main reason that you
finally went bankrupt)
Seriously, you really need a third party looking at your network from
How can you tell if your house if vulnerable? You left the window open?
How can you tell if someone broke into your house? Broken window.
How can you tell how much you will save if you do penetration testing?
You have to do it first, then decide how bad the problems they found are
and YOU need to decide what it would have cost your company if they
hadn't done it in the first place.
Don't try to justify pen testing UP THE CHAIN, if the cxx or board isn't
interested in protecting the company assets, it's a losing battle.
It really needs to start at the top as a cultural thing, especially
since most of your security vulnerabilities will be in the inside.
Something it doesn't sound like your management cares much about (or you
would not be asking the question).
As soon as they get hacked into, they will do penetration testing.
Just ask card systems, bank of new york, cnn, and anyone who has just
taken the firewall protection for granted.