RE: Bank pen test

From: Jon Gucinski (Jgucinski@midwestbank.com)
Date: Tue Mar 07 2006 - 16:46:44 EST


There's also another thing to consider when dealing with financial
corporations: regulation. The US Banking sector is one of (if not THE)
most regulated industry on the planet. We're forced to comply with many
regulations, regardless of cost, in order to do business. While some
risks may be left open due to cost, i'd wager that the overwhelming
majority are not. Audit and Compliancy committee's just won't have it,
especially if an outside auditor/pen-test says that its a problem that
has to be fixed.

In terms of media value, its pretty much infinite. A bank or other
financial organization will tend to do whatever it can to avoid any kind
of negative press, especially as it relates to integrity/confidentiality
breaches, as long as the cure wouldn't bankrupt them too.

-Jon

Regards,

>>> "Craig Wright" <cwright@bdosyd.com.au> 3/6/2006 9:42:53 pm >>>

This is a simple and short answer for once. A good risk assessment will
take the impact from adverse publicity (not to state that all risk
assessments are done well).
 
So if the media value is quantified, than this should be a part of the
risk management process.
 
Regards
Craig

        -----Original Message-----
        From: Vaidya [mailto:dnvaidya@rilinfo.net]
        Sent: Tue 7/03/2006 6:31 AM
        To: Craig Wright; mystic33; Noe Espinoza Mancillas;
pen-test@securityfocus.com
        Cc:
        Subject: Re: Bank pen test
        
        
        In some cases I have experienced that though the impact (cost)
of
        vulnerability after it's exploitation is less than the cost of
        prevention/remedy or the probability of getting the
vulnerability exploited
        is very less still financial institutes like banks or the people
who deal in
        online trading or share market peoples decide to opt the
prevention because
        their major business works on faith of customer. A single
breakout in media
        about vulnerability exploitation by the internal employee or
from internal
        network or from external attacker too can create a doubt about
whole
        investment the bank or equal institute has made to secure it's
"e" enabled
        business.
        

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is
confidential. If you are not the intended recipient, you must not use or
disclose the information. If you have received this email in error,
please inform us promptly by reply email or by telephoning +61 2 9286
5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender.
You may not rely on this message as advice unless it has been
electronically signed by a Partner of BDO or it is subsequently
confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.

NOTICE: This electronic mail message and any files transmitted with
it are intended exclusively for the individual or entity to which it
is addressed. The message, together with any attachment, may contain
confidential and/or privileged information. Any unauthorized review,
use, printing, saving, copying, disclosure or distribution is
strictly prohibited. If you have received this message in error,
please immediately advise the sender by reply email and delete all
copies.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:38 EDT