Thursday, April 12, 2012

Pentesting-Companies are running scared

Companies are running scared from the cyber mafia threat. The media has a lot to do with the perceived cyber mafia threat by overblowing it. Whether it is overblown or not is relative to your perception and to the reality of whether you got hacked and how much your loss is.

What I have observed, and what puzzles me, is the number of offers I get to do penetration testing. The offers come in requesting a pentest. A company (I have seen very large and very small ones do the same thing) goes to middlemen recruiters to put out a penetration testing job description saying that they need to buy a pentest and are willing to hire someone at a dollar rate per hour, etc. This is puzzling to me because it sets up the project with no ending defined beforehand.

A better way is for the company to catch its breath, look at its IT infrastructure inventory to count the number of domains and IP addresses within those networks, plus cloud and mobile devices, and then write up a very specific and exacting statement of work detailing its objective and the number of hours it wants spent on pentesting. It then puts out the solicitation and gets bids, requesting both technical proposals and cost proposals to do the job. Selection is made by analyzing the technical proposal and the cost proposal. A firm-fixed-price contract is signed and one company or pentester is selected.

By doing this simple exercise, the company has defined its IT risk and the residual risk it is willing to accept. Without the statement of work, the technical and cost proposals, and the firm-fixed-price contract, the work is open-ended. The statement of work and the contract define the length of time and the hours spent trying to hack in. If at the end of the work no hack has been accomplished, the company can assume that a hacker would have to spend about the same time and money, depending on the expertise of the hacker, to break into their system. This procedure for hiring a pentest puts it into a risk and cost perspective. Any other way is chaos.

 https://myexploit.wordpress.com

1 comment:

  1. Problem is, from experience, most companies' CTOs and CSOs don't have a clue on how to do Threat/Risk Analysis or even use the concepts to their benefit. Without that, every single security project is something of a ground-up design and test...
