Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Business justification for pentesting
From: "Ha, Jason" <JHa () verisign com au>
Date: Wed, 31 Aug 2005 15:39:23 +1000

Hi T.N,

a few classic question that i would appriciate any answers for. 
1- i would like to briefly know how to quantify information assets. In
other words, i hear a pentester say: if a hacker breaks in ur network, u
will 
loose up to 40000$ for example. how can he come up with such figures?

Well, if you want to sound really professional, you can use the
following calculations (good to see the CISSP is providing some ROI >:)
):

Firstly you have an asset (be it a server, people, database etc). This
asset has an associated cost. This cost can either be a capital cost
(the cost to acquire/replace the asset) or it could be a "loss
realisation" cost (if we lost our database, that would cost us $X in
lost revenue). Note, there are also intangible costs (loss of reputation
etc, but they're much harder to calculate in your given circumstance).
It's up to the business owners of those respective assets to give you
the cost of the asset. It generally helps to hold some type of interview
process with each of them to collect a full list of all the critical
business assets.

Now, you need to calculate the Exposure Factor, that is, the percentage
of loss that a realised threat would have on that particular asset. For
example, if you had a fire in the building and the server and all data
on it became toast, then your EF would be 100% (a 100% loss). However,
some threats may only realise a 10%, 20%, 30% EF etc.

With those two values, you can derive the Single Loss Expectancy (SLE)
for a given threat. SLE = Asset$ x EF%.

So using our previous fire example again, our asset which may cost $4000
with an EF of 100% would = $4000 x 100% = $4000.

Figures have more meaning if they represent a year, so you will then
need to determine the Annual Rate of Occurrence (ARO), that is, how
frequently a in a year a given threat is expected to occur. 0 meaning
never in a year.

Using these figures, you will then be able to calculate the Annualised
Loss Expectancy (ALE) which is loss realised for a single asset, for a
given threat over a single year. ALE = SLE x ARO.

So to complete our example, assume that the threat only occurs twice a
year. Hence, $4000 x 2 = $8000. So you could assume that for that one
asset and that given threat, the organisation could anticipate a loss of
up to $8000 a year.

Obviously, an asset faces more than 1 threat, so by taking each asset
and a large number of threats, it'll give you a full loss calculation
for an organisation's assets.

2- are there any other means to justify pentesting for management
except for $$$?

Pen testing is a very hard thing to justify alone (unless the
organisation is releasing a home brew app that's publicly accessible and
want to ensure it's robust before they bring it online). Pen testing
needs to be incorporated into a whole Risk Management strategy, a lot of
which includes the previous step of analysing assets and costs.

The main problem is, what might not be vulnerable this minute, may be
vulnerable in the very next minute. >:) However, as part of a full risk
assessment, a pen test will allow you to do several things:

* Reconfirm the _current_ relevant threats
* Determine more realistically the EF of the asset
* Most importantly, it will allow you to determine the effectiveness of
the current counter measures (which not only includes technology, but
also includes procedures - such as incident response etc).

Many organisations like to claim that they "aren't vulnerable". Your
question to them should be "how do you REALLY know?". One benefit of a
pen test is to give the organisation visibility as to where certain
weaknesses in their security posture lies.

3- are there any official statistics, figures etc. for justifying
pentesting. ther more official it is the better.

Not sure about pen testing per-se, but the CSI-FBI annual survey is a
good "official" indication of security statistics in general:

http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml


Best of luck.

Jason

-----Original Message-----
From: sectraq () gmail com [mailto:sectraq () gmail com] 
Sent: Wednesday, 31 August 2005 2:30 AM
To: pen-test () securityfocus com
Subject: Business justification for pentesting

hi all,

a few classic question that i would appriciate any answers for. 
1- i would like to briefly know how to quantify information assets. In
other words, i hear a pentester say: if a hacker breaks in ur network, u
will loose up to 40000$ for example. how can he come up with such
figures?

2- are there any other means to justify pentesting for management except
for $$$?

3- are there any official statistics, figures etc. for justifying
pentesting. ther more official it is the better.

4- any other information you guys might find helpful in justifying a
pentest would be appriciated.

thnx in advance for ur help.

T.N
 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]