1 / 15

Module 2 – PenTest Overview

Module 2 – PenTest Overview. Penetration Testing Methodologies Penetration Test Management (ISSAF) ‏ PenTest Project Management Engineer Assessment Effort. Penetration Testing Methodologies. ISSAF http://www.oissg.org/issaf OSSTMM http://www.isecom.org/osstmm/ NIST SP 800-42

reeves
Télécharger la présentation

Module 2 – PenTest Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 2 – PenTest Overview • Penetration Testing Methodologies • Penetration Test Management (ISSAF)‏ • PenTest Project Management • Engineer Assessment Effort Heorot.net

  2. Penetration Testing Methodologies • ISSAF • http://www.oissg.org/issaf • OSSTMM • http://www.isecom.org/osstmm/ • NIST SP 800-42 • http://csrc.nist.gov/publications/PubsSPs.html Heorot.net

  3. Penetration Testing Methodologies • ISSAF • Peer-Reviewed • Contains two separate documents • Management (ISSAF0.2.1A)‏ • Penetration Testing (ISSAF0.2.1B)‏ • Checklists for Auditing / Hardening Systems • Tool-Centric Heorot.net

  4. Penetration Testing Methodologies • ISSAF • Advantages • Does not assume previous knowledge • Provides examples of pentest tool use • “In the weeds” • Disadvantages • Out of date quickly • Pentest tool examples are not extensive • Last update: May 2006 Heorot.net

  5. Penetration Testing Methodologies • OSSTMM • Peer-Reviewed • Most popular methodology • Assessments are discussed at a high-level • Includes unique technology (RFID, Infrared)‏ • Extensive templates Heorot.net

  6. Penetration Testing Methodologies • OSSTMM • Advantages • More flexibility for Pentesters • Frequent updates • Disadvantages • Steeper learning curve • Tool and OS knowledge necessary beforehand • Latest version requires paid subscription Heorot.net

  7. Penetration Testing Methodologies • NIST SP 800-42 • Federal Publication • Least comprehensive methodology • Tools-oriented • NIST publications rarely get updated • If you can't use anything else, at least use something Heorot.net

  8. Penetration Test Management • ISSAF • Phase I – Planning • Phase II – Assessment • Phase III – Treatment • Phase IV – Accreditation • Phase V – Maintenance UseaProjectManager Heorot.net

  9. PenTest Project Management • Phase I – Planning • Information Gathering • Project Chartering • Resource Identification • Budgeting • Bidding & Estimating (Called “Cash Flow”)‏ • Work Breakdown Structure (WBS)‏ • Project Kick-Off Heorot.net

  10. PenTest Project Management • Phase II – Assessment • Inherent Risk Assessment • Controls Assessment • Legal & Regulatory Compliance • Information Security Policy • Information Security Organization and Mgmt. • Enterprise Information Systems Security and Controls (Penetration Testing)‏ • Security Operations Management • Business Continuity Management Heorot.net

  11. PenTest Project Management • Phase III – Treatment • See Risk Treatment Plan • Phase IV – Accreditation • Context Establishment • Evaluation • Reporting • Certification • Phase V – Maintenance Heorot.net

  12. PenTest Project Management • Phase II – Assessment • Inherent Risk Assessment • Controls Assessment • Legal & Regulatory Compliance • Information Security Policy • ...etc. Each assessment is broken down further... Heorot.net

  13. PenTest Project Management • Phase II – Assessment • Project Management Documents • Engagement Scope • Communications Plan • Issue Escalation Plan • Scheduling • Responsibility Matrix • Deliverables Heorot.net

  14. Engineer Assessment Effort • Phase II – Assessment • Scheduling (Engineering Effort)‏ • Information Gathering • Network Mapping • Vulnerability Identification • Penetration • Gaining Access & Privilege Escalation • Enumerating Further • Compromise Remote Users/Sites • Maintaining Access • Cover the Tracks Heorot.net

  15. Module 2 – Conclusion • Penetration Testing Methodologies • Penetration Test Management (ISSAF)‏ • PenTest Project Management • Engineer Assessment Effort Heorot.net

More Related