
The case for automatic penetration testing.

InfoSecurity Europe : 03 April, 2008  (Technical Article)
Ivan Arce of Core Security Technologies explains how automated penetration testing avoids costs and improves security.
A critical problem for public and private institutions is the increasing threat of attack. This is due to a combination of increasingly sophisticated and automated attack tools, the rapid increase in the number of vulnerabilities being discovered and the increasing connectivity of users. As systems are opened to employees, customers and trading partners, networks become more complex and are most likely more susceptible to a security breach. That is why information security is one of the most challenging and complex issues facing companies today.
It's difficult to put a dollar figure on the cost of a security breach. Companies that experience breaches often don't report them, fearing negative consequences to their reputation and exploitation by their competitors. Even if they do report them, victims of a breach seldom know how to quantify their loss. But there are industry statistics available that can give you a rough idea of what it will cost your organisation if a breach does occur.

One of the best sources for computer crime information, also known as "cybercrime," in the United States is the 'CSI/FBI Computer Crime and Security Survey.' ("Cybercrime" includes the following categories: viruses, unauthorised access, theft of proprietary information, denial of service, insider net abuse, laptop theft, financial fraud, system penetration, sabotage and fraud.) This annual survey found that financial losses related to unauthorized access to information and theft of proprietary information are rapidly increasing. Together, they now account for close to one-half of the total annual explicit financial loss experienced by the survey respondents. And, if implicit costs (e.g. loss of sales due to negative corporate image) were included, these categories alone would account for well over half the financial losses.

These recent trends in cybercrime make it more critical than ever that organisations acquire a true assessment of their security vulnerabilities so they can identify and address those vulnerabilities associated with their most valuable information assets. The most recent edition of this survey now estimates the average cost of a security breach to be $203,000. Note that the cost of a single serious breach can potentially be far worse than this figure discloses. For example, the average remediation cost to companies breached by the MS Blaster worm was $475,000. Larger companies reported losses up to $4,228,000. The recent, high-profile breach at ChoicePoint reportedly cost the company $11.4 million and a $6 sustained drop in its share price.

Industry statistics are a valuable starting point when calculating the cost of a breach, but clearly they don't reflect the unique characteristics of your business. For example, what is your organisation's reputation worth? How much will it cost your organization if your critical services go down for a day? How much could you save on outside consultants by bringing penetration testing in-house? When it comes to your business, only you can provide accurate answers to these questions.

Vulnerabilities and then attempting to address them based only on assumptions about risk. One of the easiest and fastest ways to obtain these answers, both initially, and on an on-going basis, is to perform a penetration test on your network.
A penetration test is an authorised, local attempt to 'hack' into a system, the only goal of which is to compromise security. The tester may use several methods to gain entry to the target network, often initially breaking into one relatively low priority section and then leveraging it to attack more sensitive areas. Your organisation is probably already running (or considering running) vulnerability scans on your network, and you may wonder what penetration testing offers you that vulnerability scanning does not. It's simple: A vulnerability assessment tells you only what an attacker can potentially do to your network. A penetration test tells you what an attacker can definitely do to your network.

That's because penetration tests exploit identified vulnerabilities, just as a hacker would. Unlike vulnerability scans, penetration tests leave little doubt as to what a hacker can or cannot do. Penetration tests eliminate the guesswork involved in protecting your network by providing you with the information you need to effectively prioritise your vulnerabilities.

Let's now look at the types of savings users of penetration testing products typically report:

- Direct Savings:

1. Reduced spending on outside consultants.
2. Prioritised remediation efforts.
3. Increased staff productivity.
4. Avoided costs from network outages/downtime caused by a security breach.
5. Ability to meet regulatory/audit requirements and avoid fines.

- Intangible Benefits:

1. Improved security and associated peace of mind.
2. Ability to preserve corporate image and customer loyalty.
3. Ability to justify existing security investments.

Core Security Technologies dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd - 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security.