.

Loaded Question

<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Sat Jun 04, 2011 10:34 pm

Loaded Question

I know this will be a loaded question in a site devoted to white hat hackers, so here it goes.

I'm doing research for class on getting the best ROI on a pentest. In your experience how receptive have your organizations/targets been to conducting pentests?

Have you seen value to the pentest?

I know loaded.  Have fun and thanks for the input.
Mike Conway
CISSP
CompTia Security +
C|EH
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Jun 05, 2011 10:06 am

Re: Loaded Question

Loaded question for sure!
In your experience how receptive have your organizations/targets been to conducting pentests?


Outside of compliance drivers, it obviously depends on the organization. Progressive or information technology centric companies I think see more value and thus are receptive. I am currently working with a client that is as such but their main drivers are their client requirements since they are a private company. I have seen lots of other companies that see absolutely no value because IS Managers say their networks are secure.

Ironically, with all the high profile attacks lately (Lulzsec) as soon as the main stream media catches on - it will impact how organizations look at pentests. The main stream media will get these stories, screw them up, and scare people beyond belief. This is always a good thing for Information Security people. All of a sudden if this stuff hits the Wall Street Journal, executives begin to panic...regardless, if you've been telling them for years to get a pentest... Reactive IT, isn't that what we're all used to?  ;D

Have you seen value to the pentest?

Assuming the pen test company doesn't just deliver Nessus scan results and actually does a pen test, there is definitely value.

Unfortunately, the gap between modern technology controls and what the bad guys can do is huge. The thing in the middle of that gap are people. I think most of us would agree that the easiest way to get into a network is via social engineering. What usually will come out of a pentest is, "Hey, you need a security awareness program for your employees."

My 2 cents and why I think Info Sec is going to just keep exploding.
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Sun Jun 05, 2011 8:38 pm

Re: Loaded Question

Personally I think the ROI model for security investments is flawed for a number of reasons. I've been meaning to write a paper on this topic for awhile. I'll followup on this topic when i have a bit more time to explain my thoughts, but ask yourself whether standard rules for ROI really apply for security investments. Then ask yourself if you really have sufficient data to answer that question.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

Return to Opinions

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software