Re: Business justification for pentesting
From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Wed, 31 Aug 2005 10:33:47 +0200

The answer to the question of "how much money will I lose if a hacker
breaks into the network" is a very complex one.

Quantifying losses requires full cooperation of the financial
department of the company and understanding of the company business
type. And even then, I do not believe it cannot be accurate to the
level of a single number. I think that any pentester today who comes
and says "if you get hacked you will lose 400k USD" is just not

There are so many factors to this calculation (and no, these are not
ordered according to importance).

First - the size of the hack. There is a huge difference between a
hacker who completely took over the network, getting root privileges
on many important servers etc, and a hacker who gained access to the
"Employee Yearly Trip to the North" located in the Intranet and that
shouldn't have been accessible externally.

Second - the type of the damage. CIA - Confidentiality, Integrity,
Availability. Which one of the three was compromised, and how much
each of these costs to the company.

Third - the _business_ impact - An online store might require high
availability, while the most important thing in an online banking
application is the data integrity. Therefore you need full
understanding of the business impact, of the company finances, and
which servers exactly were hacked. A hacker broke into a server
hosting marketing information in a large telecom. A big campaign was
copied and then launched by a competitor.

10% of the new cell users decided to join the other company, causing
potential losses of 400,000$ a year. Another 200,000$ were put in a
new marketing campaign, etc.

A hacker broke into a server hosting customer information in a large
bank, 5% of the customers moved to a bank in which they feel safer to
use online banking application (in an ideal world I guess), 5,000,000$
were spent in courts. Another 500,000$ were a fine paid to the
government following some law. 100,000$ were spent on fixing the
damages, having IT personnel running around and freaking out, etc.


There is a calculation that says Amazon makes X$ per hour. If Amazon
is down for an hour, they will probably lose Y$.


Now, knowing all the above you come to your management.

We are a company that does X. Our most important asset is our Y. The
following scenarios are likely: T, K and F. In each of those we could
lose *BETWEEN* A and B money. Our reputation will suffer, and since
our business is J we'll lose Q-Z amount of money as a result. Also,
there is a law saying that companies of our sort should be G, meaning
we might lose this much in lawsuits. Our customers' database can get
stolen, which means we will suffer losses ranging from N-P. I am out
of letters so I guess you got the drift.


Talking the management into it means getting news items and cases
relevant to your company's business (stories that happened to similar
companies), getting numbers where you can (like the Brazil bank
incidents), getting statistics as to likelihood etc. Getting a bunch
of freaky numbers saying if we're a startup and someone steals our
code we can all go home.


The bottom line is - you cannot fully quantify it, and don't trust
anyone who says he does unless he can solid-prove it. On the other
hand, you can *estimate* it, throw in a bunch of numbers you can
gather from other similar stories and comparison to your company size
and type of business. And if the above fails, you can always quietly
take the CEO aside, and tell him that if someone breaks in they might
discover his bizarre attraction to cactuses and rubber ducks.

Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com


On 30 Aug 2005 16:29:35 -0000, sectraq () gmail com <sectraq () gmail com> wrote:

hi all,

a few classic questions that i would appreciate any answers for.
1- i would like to briefly know how to quantify information assets. In other words, i hear a pentester say: if a hacker breaks in your network, you will lose up to 40000$ for example. how can he come up with such figures?

2- are there any other means to justify pentesting for management except for $$$?

3- are there any official statistics, figures etc. for justifying pentesting. the more official it is the better.

4- any other information you guys might find helpful in justifying a pentest would be appreciated.

thanks in advance for your help.