White Paper
How to Justify Your Security Assessment Budget
Building a Business Case For Penetration Testing
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Introduction
Penetration testing has become a standard security practice in recent years: while the practice originated in the
military and intelligence services, penetration testing is now an essential part of regulations such as the Payment
Card Industry Data Security Standard (PCI DSS). Penetration testing is now even featured in movies and TV shows.
This is not surprising, since penetration testing is not only an exciting field to work in but also offers tangible
business benefits. Penetration testing experts seem to have a bright future.
One topic that a lot of technical IT professionals have problems with – maybe you as well – is selling security to their
non-technical management. This white paper aims to help you with this by explaining the benefits of penetration
testing in terms relevant to the business, so you can secure the necessary budget.
How to Explain Penetration Testing to Your Boss
We often hear from technical IT folks that communicating the benefit of a penetration test is difficult, especially to a
business audience. “You want me to authorize you to break into our systems?” they ask.
Everyone is reluctant to agree to things they are not familiar with. It can help to use analogies to explain how
penetration testing works: how do you know whether cars are safe? Even the most experienced engineers will find it
hard to accurately predict all aspects of security without a crash test.
Likewise, you should carry out penetration testing regularly on important systems so you can detect where your
systems are vulnerable. You have to find these vulnerabilities before criminals, cyber punks, and even spies can harm
your enterprise. Penetration tests are one of the tools for responsible IT management to identify and mitigate risks.
Don’t We Already Have a Firewall?
“We’ve spent all this money and you’re still telling me that you don’t know whether our systems are secure?” your
manager might say. They may also argue that you should know your systems well enough to know their weaknesses.
Do you? Not really.
IT systems are more complex than ever: organically grown and connected with the outside world at many points. In
many networks, it is very difficult for one individual to have a clear view of all assets. The most talented network
specialists can still make mistakes and overlook hard-to-find security issues. To complicate matters, attackers are
increasingly stealthy and the signs of a breach are not always obvious. We need an acid test, a reality check, a
quality control for our network’s security.
A penetration test is exactly such a quality assurance test for security, delivering, well, “security assurance”. It verifies
that all our firewalls, permission systems, intrusion detection systems, and data loss prevention solutions work as
expected.
The Business of Fear
Let’s be honest, security is primarily sold on the fear of something bad happening. If a breach occurs how will
business continuity be affected? What will it cost? How bad could it be? These are the questions penetration testing
seeks to answer for you. The end result is a cost-benefit analysis for purchasing security controls. The
cost-benefit analysis multiplies the cost of a single loss or breach by the likelihood of a breach and compares the
result to the price of the security controls. Penetration tests help to identify the cost by revealing what exactly
can be breached. The likelihood can be judged by how easily systems were compromised during the penetration test.
This is how you obtain the potential annual cost of deficient security.
We have enough data to support this: the Ponemon Institute, Verizon Business, Forrester Research, and the FBI
periodically publish data. They calculate the likelihood of a data breach, the costs of system downtime, the value
of stolen/deleted/manipulated data, legal costs, and revenue impact from lost existing and future customers.
Currently, the Ponemon Institute estimates the cost per lost customer data set at about US$204. If your database
contains 10,000 customer records, this works out as just over US$2 million in damages.
These numbers are certainly helpful, but they’re often not usable for IT professionals in large enterprises because
they’re so large that nobody believes that they’re realistic. Also, the numbers were almost exclusively generated in
the United States, where heavy compliance regulation has driven up the cost of data breaches, so they’re often not
accepted by business audiences in other countries, although this is changing as more countries are introducing ever
stricter regulations. Also bear in mind that these numbers must be weighed against the entire IT security budget, not
only a single penetration test.
Security as a Success Factor
Selling penetration tests with fear is possible, then, but there are also other ways, which may resonate better with
your management, because selling through fear could be interpreted as “blackmail”. Not a good approach for a
business relationship.
Penetration Testing to Refine Vulnerability Management
One possibility is to demonstrate that penetration testing can reduce the costs of a vulnerability management
program. Many enterprises already have an established program for vulnerability management but cannot remediate
all vulnerabilities because there are simply too many. Vulnerability scanners never have trouble finding vulnerabilities
– the issue is to know which ones are important. By using penetration testing software such as Metasploit, you can
verify which vulnerabilities are exploitable and must therefore be remediated first. This refinement of your processes
not only ensures that the most important security issues are fixed first, but also reduces the cost of your vulnerability
management program because you can identify, and therefore ignore, non-exploitable vulnerabilities that don’t pose
a risk to your infrastructure.
Compliance
Compliance should ideally be achieved through good security. In reality it is used as a bridge for IT security
professionals to communicate the need for security budget with business managers. Managers know that their division
has to comply with certain regulations to avoid penalties. On the other hand, IT security professionals know that
they can get additional budget if the business has compliance needs. Compliance is not equal to security, but the
compliance budget can, if correctly used, achieve higher security.
Business Continuity
Most business cases for penetration testing relate to what happens if data gets stolen. Almost none take into account
the cost of systems being brought down or how that could damage the company’s public image. Simply ask the question:
“How would it impact our organization if our ERP system were down for a week?” Your managers will find this easier to
imagine than their customer data being on sale on a hacking website. Even the costs should be easier to calculate.
Corporate Reputation
A company’s reputation, represented by its brand, can take a huge hit in a data breach, but it’s also one of the
hardest things to calculate in hard dollars. Imagine that all buildings of the Coca-Cola company burn down today.
Someone offers to sell you the rights to use the Coca-Cola brand to sell beverages in the future. What would this
right be worth to you? Although the entire enterprise has ceased to exist, the brand still has a certain value.
Many companies invest a lot of money in advertising, especially when products are generic, for example bank
accounts. Unless your best buddy works as a customer representative in one of the banks, your perception of the
company and your trust relationship with the brand are probably the biggest factors in making a decision.
What happens when the trusted relationship with “your brand” is damaged by a data breach? As a consumer, your
privacy has been violated when your online bookshop inadvertently publishes your purchasing history of the past
three years. Maybe you even have to cancel your credit card. If the competitor’s product is virtually identical to
the one you’re using now, the emotional decision is simple: you’re switching. This has a direct impact on the revenue
of the organization that made the error.
How Do You Calculate a Business Case?
There are approaches to calculating the business case for penetration testing, including the payback period, net
present value, and internal rate of return. I’d like to offer more pragmatic ways to justify your security budget.
A business case is very simple: you compare what is with what could be. “What could be” is your suggestion. If this
suggestion costs less money (or generates more revenue) than “what is”, you have a business case. In IT security,
business cases can be hard to calculate – but it’s possible. It really depends on your scenario.
Get Buy-in With Business Jiu-Jitsu
Alternatively, how about some business Jiu-Jitsu: don’t suggest the penetration test in a vacuum; rather, make it part
of a larger project. Select a project that is currently on the list of management goals of your CIO. If you don’t know
your CIO’s goals, just ask – and offer your help! Let’s assume your CIO has to integrate 20% of suppliers into the
ERP system via web services this quarter. You can now offer your help with this project and build in a penetration
test as part of the project’s requirements. Of course, you cannot just test the ERP system’s web services, but have to
review the entire system. That way, you align yourself with the business and become a trusted adviser in rolling out
new technology to support business goals, securely.
Introducing Penetration Testing to the Organization
If you are not currently conducting penetration tests, you don’t have any perceptible costs today. To build a
business case, you therefore have to calculate the cost of a data breach or a system failure and multiply it by its
likelihood. Alas, in this scenario your arguments are reduced to fear. An example:
Your ERP system contains 10,000 customer data sets. According to the Ponemon Institute, the cost per lost
data set is US$204, equivalent to a total cost of US$2,040,000. We’ll estimate that a data breach is likely
to happen every 10 years. The annual likelihood is therefore 10%. The annual cost of a data breach is therefore
US$2,040,000 x 10% = US$204,000.
Alternatively, let’s calculate what the downtime of your ERP system would cost.
Let’s assume the cost of the downtime is US$1 million per day and the system would be down for 3 days. With
a likelihood of 10%, this works out as 3 x US$1 million x 10% = US$300,000.
Compared to these potential costs broken down annually, your costs for a penetration test and subsequent security
controls might be attractive. The question is whether your calculations will be regarded as realistic.
Penetration Tests and Vulnerability Management
If you’re introducing penetration tests to reduce the remediation costs of your vulnerability management program,
the calculation becomes very different:
Let’s assume you have 3 network administrators who cost an average of US$65 per hour. If they spend 20%
of their time installing updates, this costs the company about US$78,000 per year (50 weeks x 40 hours per week x 3
people x 20% x US$65 per hour). If we can halve their time investment, the company saves US$39,000 per year.
You should also factor into this that the company is now focusing on vulnerabilities that have been identified as real
risks because they are exploitable, so the infrastructure is also better protected. Rapid7’s portfolio gives you the best
integration of vulnerability management with penetration testing to deliver great Security Risk Intelligence™.
Taking Penetration Testing In-house
Maybe you’ve been conducting penetration tests with an external consulting company and you now want to take
these in-house to save money. You may not know this, but you can even perform the penetration tests mandated by PCI
DSS requirement 11.3 in-house if you follow a few guidelines (check out this blog post).
The calculation for taking penetration testing in-house is easy because you can simply compare the external costs to
new internal costs, including licensing costs, training, and hourly costs. When looking at the external costs, bear in
mind that you’ll also carry internal hourly costs for the selection and meetings with external consultants in addition
to their consulting fees.
Rapid7 offers both penetration testing services and products. Especially if you’re conducting frequent internal
penetration tests, you may want to check out Metasploit Pro, the commercial Metasploit edition, which enables you
to carry out penetration tests more efficiently, testing a larger number of machines at a lower cost.
Now Add It All Up
If more than one business case applies to you, add up the benefits. Most likely, you can make an even more
compelling argument if you can leverage the licensing and training costs for several benefits.
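The following Python model is an added illustration, not part of the Rapid7 paper: it carries the paper's own breach, downtime, vulnerability management and in-house calculations through, adds them up as the paper suggests, and adds a breakeven check on the breach likelihood, since that is the input a sceptical audience is most likely to challenge. The annual control spend and the in-house figures (consulting fee, licence, training, hours) are assumed placeholders.

```python
from dataclasses import dataclass

WORK_HOURS_PER_YEAR = 50 * 40  # the paper's 50 weeks x 40 hours


@dataclass
class PenTestBusinessCase:
    """Inputs for the three benefit calculations described in the paper."""
    # Data breach (the fear-based argument)
    customer_records: int
    cost_per_record: float        # Ponemon estimate quoted in the paper: US$204
    breach_likelihood: float      # one breach every 10 years = 0.10 per year
    # Business continuity (ERP downtime)
    downtime_cost_per_day: float
    downtime_days: float
    downtime_likelihood: float
    # Vulnerability management (patching effort cut by exploitability data)
    admins: int
    hourly_rate: float
    patching_share: float         # share of admin time spent installing updates
    effort_reduction: float       # fraction of that time a pen test can save

    def breach_ale(self) -> float:
        """Annualised loss expectancy of a breach: single loss x likelihood."""
        return self.customer_records * self.cost_per_record * self.breach_likelihood

    def downtime_ale(self) -> float:
        """Annualised cost of an outage: daily cost x days down x likelihood."""
        return self.downtime_cost_per_day * self.downtime_days * self.downtime_likelihood

    def vuln_mgmt_savings(self) -> float:
        """Annual patching cost saved by remediating exploitable findings first."""
        patching_cost = (self.admins * self.hourly_rate * WORK_HOURS_PER_YEAR
                         * self.patching_share)
        return patching_cost * self.effort_reduction

    def total_annual_benefit(self) -> float:
        """'Now add it all up': the sum of every benefit that applies."""
        return self.breach_ale() + self.downtime_ale() + self.vuln_mgmt_savings()

    def net_benefit(self, annual_control_cost: float) -> float:
        """Benefit minus the yearly cost of the test and the controls it drives."""
        return self.total_annual_benefit() - annual_control_cost

    def breakeven_breach_likelihood(self, annual_control_cost: float) -> float:
        """Breach likelihood at which the breach argument alone pays for the
        spend. If this is far below any plausible rate, the case survives even
        an audience that discounts the Ponemon per-record figure."""
        single_loss = self.customer_records * self.cost_per_record
        return annual_control_cost / single_loss


def in_house_saving(external_fee: float, hours_managing_consultants: float,
                    licence_cost: float, training_cost: float,
                    internal_test_hours: float, hourly_rate: float) -> float:
    """Annual saving from taking tests in-house. The external option also
    carries internal hours for vendor selection and consultant meetings."""
    external_total = external_fee + hours_managing_consultants * hourly_rate
    internal_total = licence_cost + training_cost + internal_test_hours * hourly_rate
    return external_total - internal_total


# The paper's own worked figures (US$)
PAPER_CASE = PenTestBusinessCase(
    customer_records=10_000, cost_per_record=204, breach_likelihood=0.10,
    downtime_cost_per_day=1_000_000, downtime_days=3, downtime_likelihood=0.10,
    admins=3, hourly_rate=65, patching_share=0.20, effort_reduction=0.50,
)

if __name__ == "__main__":
    spend = 102_000  # assumed annual cost of testing plus follow-up controls
    print(f"breach ALE:        {PAPER_CASE.breach_ale():>12,.0f}")
    print(f"downtime ALE:      {PAPER_CASE.downtime_ale():>12,.0f}")
    print(f"vuln mgmt savings: {PAPER_CASE.vuln_mgmt_savings():>12,.0f}")
    print(f"net benefit:       {PAPER_CASE.net_benefit(spend):>12,.0f}")
    print(f"breakeven breach likelihood: "
          f"{PAPER_CASE.breakeven_breach_likelihood(spend):.1%}")
    # Assumed in-house figures: US$40k consulting fee and 40 internal hours
    # managing the engagement vs. US$15k licence, US$5k training, 120 test hours
    print(f"in-house saving:   "
          f"{in_house_saving(40_000, 40, 15_000, 5_000, 120, 65):>12,.0f}")
```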
Penetration Testing Goals
When you start a penetration test, it’s also important to have a clear goal, for example:
• Demonstrating security issues in the infrastructure to gain management attention and support for new
security programs
• Reducing costs of a vulnerability management program
• Creating a baseline for a new CIO or CISO/CSO
• Deciding where security budget should be spent to optimally protect the infrastructure
• Testing response mechanisms of IDS, IPS, and DLP systems
• Complying with regulations such as PCI DSS
Summary
In the same way that you should get a regular health check to live responsibly, penetration testing should become a
best practice for responsible companies. Metasploit is the leading solution for penetration testing – with more than
a million downloads each year. Testing your infrastructure’s security level with Metasploit is as close to simulating a
realistic attack as you will get.
With Metasploit Pro, you not only reduce the effort, and therefore the cost, of carrying out a penetration test, but you’ll
also be able to scale penetration tests much more easily to larger networks. Metasploit Pro offers team collaboration with
consolidated reporting, supporting more than 50,000 hosts and 1,000 sessions at a time. It integrates with Nexpose
and other vulnerability scanners so you can take your vulnerability management program to the next level.
To get your free trial of Metasploit Pro, go to http://www.rapid7.com/downloads/metasploit.jsp.
About Metasploit
A collaboration between the open source community and Rapid7, Metasploit software helps security and IT
professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security
assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing,
web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in
consolidated reports. Metasploit editions range from a free edition to professional enterprise editions, all based on
the Metasploit Framework, an open source software development kit with the world’s largest, public collection of
quality-assured exploits. To learn more about Metasploit or for a free trial, visit www.rapid7.com/metasploit.
About Rapid7
Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and
penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable
defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats
relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and
government agencies in more than 65 countries, while the Company’s free products are downloaded more than one
million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7
has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work”
by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by
Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.

Más contenido relacionado

Más de Rapid7

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
 
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...Rapid7
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionRapid7
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessRapid7
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyRapid7
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionRapid7
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraRapid7
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIORapid7
 

Más de Rapid7 (12)

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
[INFOGRAPHIC] The Credit Card Criminal's Playbook: A Retail Data Breach Attac...
 
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for ProtectionOpenSSL Heartbleed Vulnerability Explained & Tips for Protection
OpenSSL Heartbleed Vulnerability Explained & Tips for Protection
 
How to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's EffectivenessHow to Manage Your Security Control's Effectiveness
How to Manage Your Security Control's Effectiveness
 
Penetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD MethodologyPenetration Testing Techniques - DREAD Methodology
Penetration Testing Techniques - DREAD Methodology
 
Life's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL InjectionLife's a Breach: Yahoo Gets Burned by SQL Injection
Life's a Breach: Yahoo Gets Burned by SQL Injection
 
Rapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government SectorRapid7 Report: Data Breaches in the Government Sector
Rapid7 Report: Data Breaches in the Government Sector
 
Rapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance GuideRapid7 NERC-CIP Compliance Guide
Rapid7 NERC-CIP Compliance Guide
 
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
 
Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
How to Sell Security to Your CIO
How to Sell Security to Your CIOHow to Sell Security to Your CIO
How to Sell Security to Your CIO
 

Último

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Último (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...

How to Justify Your Security Assessment Budget

Don’t We Already Have a Firewall?
“We’ve spent all this money and you’re still telling me that you don’t know whether our systems are secure?” your manager might say. They may also object that you should know your systems well enough to know their weaknesses. Not really. IT systems are more complex than ever: organically grown and connected with the outside world at many points. In many networks, it is very difficult for one individual to have a clear view of all assets. Even the most talented network specialists make mistakes and overlook hard-to-find security issues. To complicate matters, attackers are increasingly stealthy and the signs of a breach are not always obvious.

We need an acid test, a reality check, a quality control for our network’s security. Penetration tests are that quality assurance test for security; they deliver, well, “security assurance”. A test verifies that firewalls, permission systems, intrusion detection systems, and data loss prevention solutions actually work as expected, not merely that they are installed.

The Business of Fear

Let’s be honest: security is primarily sold on the fear of something bad happening. If a breach occurs, how will business continuity be affected? What will it cost? How bad could it be? These are the questions penetration testing seeks to answer for you. The end result is a cost benefit analysis for purchasing security controls. The analysis takes the cost of a single loss or breach, multiplies it by the likelihood of that breach occurring in a year, and compares the result to the price of the security controls. Penetration tests help to quantify the cost by revealing what exactly can be breached. The likelihood can be judged by how easy systems were to compromise during the test. This is how you obtain the potential annual cost of deficient security.
We have enough data to support this: the Ponemon Institute, Verizon Business, Forrester Research, and the FBI periodically publish data. They estimate the likelihood of a data breach, the costs of system downtime, the value of stolen, deleted, or manipulated data, legal costs, and the revenue impact of lost existing and future customers. At the time of writing, the Ponemon Institute estimates the cost per lost customer record at about US$204. If your database contains 10,000 customer records, this works out as just over US$2 million in damages.

These numbers are certainly helpful, but they’re often not usable for IT professionals in large enterprises because they’re so large that nobody believes they’re realistic. Also, the numbers were almost exclusively generated in the United States, where heavy compliance regulation has driven up the cost of data breaches, so they’re often not accepted by business audiences in other countries, although this is changing as more countries introduce stricter regulations. Bear in mind, too, that these numbers must be weighed against the entire IT security budget, not only a single penetration test.

Security as a Success Factor

Selling penetration tests with fear is possible, then, but there are other ways which may resonate better with your management, because selling through fear can be perceived as blackmail. Not a good basis for a business relationship.

Penetration Testing to Refine Vulnerability Management

One possibility is to demonstrate that penetration testing can reduce the costs of a vulnerability management program. Many enterprises already have an established program for vulnerability management but cannot remediate all vulnerabilities because there are simply too many.
Vulnerability scanners never have trouble finding vulnerabilities; the issue is knowing which ones matter. By using penetration testing software such as Metasploit, you can verify which vulnerabilities are exploitable and must therefore be remediated first. This refinement of your process not only ensures that the most important security issues are fixed first, but also reduces the cost of your vulnerability management program, because you can identify, and therefore deprioritize, findings that could not be exploited and so pose little immediate risk to your infrastructure. One caveat: a failed exploit attempt during a test is evidence that a finding is lower priority, not proof that it is harmless. A new public exploit or a different network vantage point can change that, so unexploited findings should be scheduled for later remediation, not dropped.

Compliance

Compliance should ideally be achieved through good security. In reality, compliance is used as a bridge for IT security professionals to communicate the need for a security budget to business managers. Managers know that their division has to comply with certain regulations to avoid penalties. IT security professionals, for their part, know that they can get additional budget if the business has compliance needs. Compliance does not equal security, but the compliance budget can, if correctly used, achieve better security.

Business Continuity

Most business cases for penetration testing relate to what happens if data gets stolen. Almost none take into account the cost of systems being brought down or the damage to the company’s public image. Simply ask: “How would it impact our organization if our ERP system were down for a week?” Your managers will find this easier to imagine than their customer data being on sale on a hacking website. Even the costs should be easier to calculate.

Corporate Reputation

A company’s reputation, represented by its brand, can take a huge hit in a data breach, but it’s also one of the hardest things to express in hard dollars. Imagine that all buildings of the Coca-Cola company burn down today.
Someone offers to sell you the rights to use the Coca-Cola brand to sell beverages in the future. What would this right be worth to you? Although the entire enterprise has ceased to exist, the brand still has a certain value. Many companies invest a lot of money in advertising, especially when products are generic, for example bank accounts. Unless your best buddy works as a customer representative in one of the banks, your perception of the company and your trust relationship with the brand are probably the biggest factors in making a decision. What happens when the trusted relationship with “your brand” is damaged by a data breach? As a consumer, your privacy has been violated when your online bookshop inadvertently publishes your purchasing history of the past three years. Maybe you even have to cancel your credit card. If the competitor’s product is virtually identical to the one you’re using now, the emotional decision is simple: you switch. This has a direct impact on the revenue of the organization that made the error.

How Do You Calculate a Business Case?

There are formal approaches to calculating the business case for penetration testing, including the payback period, net present value, and internal rate of return. I’d like to offer more pragmatic ways to justify your security budget. A business case is very simple: you compare what is with what could be. “What could be” is your suggestion. If this suggestion costs less money (or generates more revenue) than “what is”, you have a business case. In IT security, business cases can be hard to calculate, but it’s possible. It really depends on your scenario.

Get Buy-in With Business Jiu-Jitsu

Alternatively, how about some business Jiu-Jitsu: don’t suggest the penetration test in a vacuum; make it part of a larger project.
Select a project that is currently on your CIO’s list of management goals. If you don’t know your CIO’s goals, just ask, and offer your help! Let’s assume your CIO has to integrate 20% of suppliers into the ERP system via web services this quarter. You can now offer your help with this project and build a penetration test into the project’s requirements. Of course, you cannot test only the new web services; you have to review the entire ERP system they are exposed on. That way, you align yourself with the business and become a trusted adviser in rolling out new technology to support business goals, securely.

Introducing Penetration Testing to the Organization

If you are not currently conducting penetration tests, you don’t have any perceptible costs today. To build a business case, you therefore have to calculate the cost of a data breach or a system failure and multiply it by its likelihood. Alas, in this scenario your arguments are reduced to fear.

An example: your ERP system contains 10,000 customer records. According to the Ponemon Institute, the cost per lost record is US$204, equivalent to a total cost of US$2,040,000. We’ll estimate that a data breach is likely to happen once every 10 years; the annual likelihood is therefore 10%. The annualized cost of a data breach is therefore US$2,040,000 x 10% = US$204,000.

Alternatively, let’s calculate what downtime of your ERP system would cost. Let’s assume the cost of downtime is US$1 million per day and the system would be down for 3 days. With an annual likelihood of 10%, this works out as 3 x US$1 million x 10% = US$300,000.

Compared to these potential costs broken down annually, your costs for a penetration test and the subsequent security controls might look attractive. The question is whether your calculations will be regarded as realistic; state the assumptions (record count, cost per record, likelihood) explicitly, so that management can challenge the inputs rather than the method.
Penetration Tests and Vulnerability Management

If you’re introducing penetration tests to reduce the remediation costs of your vulnerability management program, the calculation is very different. Let’s assume you have 3 network administrators who cost an average of US$65 per hour. If they spend 20% of their time installing updates, this costs the company about US$78,000 per year (50 weeks x 40 hours per week x 3 people x 20% x US$65). If we can halve their time investment, the company saves US$39,000 per year. You should also factor in that the company is now focusing on vulnerabilities that have been identified as real risks because they are exploitable, so the infrastructure is also better protected. Rapid7’s portfolio gives you the best integration of vulnerability management with penetration testing to deliver Security Risk Intelligence™.

Taking Penetration Testing In-house

Maybe you’ve been conducting penetration tests with an external consulting company and now want to take these in-house to save money. You may not know this, but you can even conduct the penetration tests mandated by PCI DSS requirement 11.3 in-house if you follow a few guidelines (check out this blog post); in particular, the internal testers must be organizationally independent of the teams that build and operate the systems under test. The calculation for taking penetration testing in-house is easy because you can simply compare the external costs to the new internal costs, including licensing, training, and hourly costs. When looking at the external costs, bear in mind that you’ll also carry internal hourly costs for selecting and meeting with external consultants in addition to their consulting fees. Rapid7 offers both penetration testing services and products.
Especially if you’re conducting frequent internal penetration tests, you may want to check out Metasploit Pro, the commercial Metasploit edition, which enables you to carry out penetration tests more efficiently, testing a larger number of machines at a lower cost.

Now Add It All Up

If more than one business case applies to you, add up the benefits. Most likely, you can make an even more compelling argument if the same licensing and training costs serve several benefits: they are paid once, but every benefit is counted against them.

Penetration Testing Goals

When you start a penetration test, it’s also important to have a clear goal, for example:
• Demonstrating security issues in the infrastructure to gain management attention and support for new security programs
• Reducing the costs of a vulnerability management program
• Creating a baseline for a new CIO or CISO/CSO
• Deciding where security budget should be spent to optimally protect the infrastructure
• Testing the response mechanisms of IDS, IPS, and DLP systems
• Complying with regulations such as PCI DSS
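As an added example (not code from the white paper or from Rapid7), the following Python module puts the arithmetic from the breach and downtime scenarios, the vulnerability management saving, and the “Now Add It All Up” step into one calculator. The penetration testing program costs it uses (US$60,000 one-off for licences and training, US$40,000 per year) and the optional risk_reduction factor are assumptions introduced here; every other figure is the paper’s own.

```python
"""Business-case calculator for a penetration testing program: an added example,
not code from the Rapid7 white paper. It implements the paper's calculations
(annualized loss expectancy for a breach and for downtime, the labour saving
from test-driven vulnerability management, and the "add it all up" comparison
with the program's cost). Program costs in paper_worked_case() are assumptions."""
from dataclasses import dataclass, field
from math import inf


@dataclass(frozen=True)
class LossScenario:
    """One loss event: what a single occurrence costs and how often it is expected."""
    name: str
    single_loss_expectancy: float     # dollars per occurrence (SLE)
    annual_rate_of_occurrence: float  # expected occurrences per year (ARO); once in 10 years = 0.1

    def annualized_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: the expected yearly cost of leaving this risk untreated."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def breach_scenario(records: int, cost_per_record: float, years_between_events: float) -> LossScenario:
    """Data breach as the paper models it: every lost record costs a fixed amount."""
    if years_between_events <= 0:
        raise ValueError("years_between_events must be positive")
    return LossScenario("data breach", records * cost_per_record, 1.0 / years_between_events)


def downtime_scenario(cost_per_day: float, days_down: float, years_between_events: float) -> LossScenario:
    """Outage of a business system: daily cost times expected outage length."""
    if years_between_events <= 0:
        raise ValueError("years_between_events must be positive")
    return LossScenario("system downtime", cost_per_day * days_down, 1.0 / years_between_events)


def patching_labour_cost(admins: int, hourly_rate: float, share_of_time: float,
                         weeks_per_year: int = 50, hours_per_week: int = 40) -> float:
    """Yearly cost of the time administrators spend installing updates."""
    return weeks_per_year * hours_per_week * admins * share_of_time * hourly_rate


def break_even_rate(annual_program_cost: float, single_loss_expectancy: float) -> float:
    """Smallest annual likelihood at which one scenario's ALE alone covers the program cost."""
    if single_loss_expectancy <= 0:
        return inf
    return annual_program_cost / single_loss_expectancy


@dataclass
class BusinessCase:
    """Annual benefits (avoided losses and savings) against the program's own cost."""
    one_off_cost: float   # licences, training, tooling bought once
    annual_cost: float    # recurring: tester time, renewals, retests
    benefits: dict = field(default_factory=dict)

    def add_scenario(self, scenario: LossScenario, risk_reduction: float = 1.0) -> None:
        """Count the share of the ALE the program removes (the paper counts all of it;
        a defensible case uses the fraction of likelihood the test and its fixes remove)."""
        if not 0.0 <= risk_reduction <= 1.0:
            raise ValueError("risk_reduction must be between 0 and 1")
        self.benefits[scenario.name] = scenario.annualized_loss_expectancy() * risk_reduction

    def add_saving(self, name: str, amount: float) -> None:
        self.benefits[name] = amount

    def total_annual_benefit(self) -> float:
        return sum(self.benefits.values())

    def net_annual_benefit(self) -> float:
        return self.total_annual_benefit() - self.annual_cost

    def payback_months(self) -> float:
        """Months until the one-off cost is recovered; inf if it never is."""
        net = self.net_annual_benefit()
        return inf if net <= 0 else 12.0 * self.one_off_cost / net


def paper_worked_case() -> BusinessCase:
    """The paper's figures combined into one case (program costs are assumed)."""
    case = BusinessCase(one_off_cost=60_000.0, annual_cost=40_000.0)  # assumption, not from the paper
    case.add_scenario(breach_scenario(records=10_000, cost_per_record=204.0, years_between_events=10))
    case.add_scenario(downtime_scenario(cost_per_day=1_000_000.0, days_down=3, years_between_events=10))
    current = patching_labour_cost(admins=3, hourly_rate=65.0, share_of_time=0.20)  # US$78,000
    case.add_saving("vulnerability management", current * 0.5)                     # US$39,000
    return case


if __name__ == "__main__":
    case = paper_worked_case()
    for name, value in case.benefits.items():
        print(f"{name:<26} US${value:>12,.0f} per year")
    print(f"{'total benefit':<26} US${case.total_annual_benefit():>12,.0f} per year")
    print(f"payback of one-off cost: {case.payback_months():.1f} months")
    print(f"break-even breach likelihood: {break_even_rate(case.annual_cost, 2_040_000.0):.1%}")  # breach SLE
```

Two of the knobs exist precisely for the “will anyone believe these numbers?” objection: break_even_rate shows the lowest breach likelihood at which the program still pays for itself, which is an easier position to defend than a fixed 10%, and risk_reduction lets you claim only the share of the loss a test and its follow-up fixes realistically remove instead of the whole ALE the paper counts.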
Summary

In the same way that you should get a regular health check to live responsibly, penetration testing should become a best practice for responsible companies. Metasploit is the leading solution for penetration testing, with more than a million downloads each year. Testing your infrastructure’s security with Metasploit is as close to simulating a realistic attack as you will get. With Metasploit Pro, you not only reduce the effort, and therefore the cost, of carrying out a penetration test, but you’ll also be able to scale penetration tests to larger networks much more easily. Metasploit Pro offers team collaboration with consolidated reporting, supporting more than 50,000 hosts and 1,000 sessions at a time. It integrates with Nexpose and other vulnerability scanners so you can take your vulnerability management program to the next level. To get your free trial of Metasploit Pro, go to http://www.rapid7.com/downloads/metasploit.jsp.

About Metasploit

A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world’s largest public collection of quality-assured exploits. To learn more about Metasploit or for a free trial, visit www.rapid7.com/metasploit.

About Rapid7

Rapid7 is a leading provider of IT security risk management software.
Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7’s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company’s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.