Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Business justification for pentesting
From: Jan van Rensburg <jan.van.rensburg () epiuse com>
Date: Wed, 31 Aug 2005 14:26:20 +0200

Hi,

On 31 Aug 2005, at 1:54 AM, Michael Scheidell wrote:

hi all,

a few classic question that i would appriciate any answers for.
1- i would like to briefly know how to quantify information
assets. In other words, i hear a pentester say: if a hacker
breaks in ur network, u will loose up to 40000$ for example.
how can he come up with such figures?

I prefer to evaluate risk with disaster scenarios this way (obviously simplified):
1. Construct a couple of scenarios of what might happen
2. Look at what the bottom line effect of each scenario is vs the status quo
3. The difference is what you are looking for

If some hacks say you billing server, the company will not necessarily go under, and neither will all the employees come to a standstill. They will use other, perhaps less efficient, ways to still do some part of their jobs. They might revert to using Excel instead of Accpac, or use faxes instead of electronic invoicing. Some customers might get wrongly invoiced, get upset and go to another vendor, but most likely not all of them, etc, etc. This approach takes some time and assumes you understand the business - which should be the starting point for any pentester in any case.

There's a very good paper by Kevin J Soo Hoo that touches on many of the cost quantification in infosec issues:
http://iis-db.stanford.edu/pubs/11900/soohoo.pdf

No doubt much more research is needed and will probably be driven by the insurance industry

Hope this helps,
Jan


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]