Module 2 - PowerPoint PPT Presentation

About This Presentation
Title:

Module 2

Description:

Title: Module 1 - Introduction Last modified by: Thomas Wilhelm Document presentation format: On-screen Show (4:3) Other titles: Times New Roman MS Gothic Franklin ... – PowerPoint PPT presentation

Number of Views:51
Avg rating:3.0/5.0
Slides: 16
Provided by: booksiteS
Category:

less

Transcript and Presenter's Notes

Title: Module 2


1
Module 2 PenTest Overview
  • Penetration Testing Methodologies
  • Penetration Test Management (ISSAF)?
  • PenTest Project Management
  • Engineer Assessment Effort

2
Penetration Testing Methodologies
  • ISSAF
  • http//www.oissg.org/issaf
  • OSSTMM
  • http//www.isecom.org/osstmm/
  • NIST SP 800-42
  • http//csrc.nist.gov/publications/PubsSPs.html

3
Penetration Testing Methodologies
  • ISSAF
  • Peer-Reviewed
  • Contains two separate documents
  • Management (ISSAF0.2.1A)?
  • Penetration Testing (ISSAF0.2.1B)?
  • Checklists for Auditing / Hardening Systems
  • Tool-Centric

4
Penetration Testing Methodologies
  • ISSAF
  • Advantages
  • Does not assume previous knowledge
  • Provides examples of pentest tool use
  • In the weeds
  • Disadvantages
  • Out of date quickly
  • Pentest tool examples are not extensive
  • Last update May 2006

5
Penetration Testing Methodologies
  • OSSTMM
  • Peer-Reviewed
  • Most popular methodology
  • Assessments are discussed at a high-level
  • Includes unique technology (RFID, Infrared)?
  • Extensive templates

6
Penetration Testing Methodologies
  • OSSTMM
  • Advantages
  • More flexibility for Pentesters
  • Frequent updates
  • Disadvantages
  • Steeper learning curve
  • Tool and OS knowledge necessary beforehand
  • Latest version requires paid subscription

7
Penetration Testing Methodologies
  • NIST SP 800-42
  • Federal Publication
  • Least comprehensive methodology
  • Tools-oriented
  • NIST publications rarely get updated
  • If you can't use anything else, at least use
    something

8
Penetration Test Management
  • ISSAF
  • Phase I Planning
  • Phase II Assessment
  • Phase III Treatment
  • Phase IV Accreditation
  • Phase V Maintenance
  • ?Use a Project Manager

9
PenTest Project Management
  • Phase I Planning
  • Information Gathering
  • Project Chartering
  • Resource Identification
  • Budgeting
  • Bidding Estimating (Called Cash Flow)?
  • Work Breakdown Structure (WBS)?
  • Project Kick-Off

10
PenTest Project Management
  • Phase II Assessment
  • Inherent Risk Assessment
  • Controls Assessment
  • Legal Regulatory Compliance
  • Information Security Policy
  • Information Security Organization and Mgmt.
  • Enterprise Information Systems Security and
    Controls ? (Penetration Testing)?
  • Security Operations Management
  • Business Continuity Management

11
PenTest Project Management
  • Phase III Treatment
  • See Risk Treatment Plan
  • Phase IV Accreditation
  • Context Establishment
  • Evaluation
  • Reporting
  • Certification
  • Phase V Maintenance

12
PenTest Project Management
  • Phase II Assessment
  • Inherent Risk Assessment
  • Controls Assessment
  • Legal Regulatory Compliance
  • Information Security Policy
  • ...etc.
  • Each assessment is broken down further...

13
PenTest Project Management
  • Phase II Assessment
  • Project Management Documents
  • Engagement Scope
  • Communications Plan
  • Issue Escalation Plan
  • Scheduling
  • Responsibility Matrix
  • Deliverables

14
Engineer Assessment Effort
  • Phase II Assessment
  • Scheduling (Engineering Effort)?
  • Information Gathering
  • Network Mapping
  • Vulnerability Identification
  • Penetration
  • Gaining Access Privilege Escalation
  • Enumerating Further
  • Compromise Remote Users/Sites
  • Maintaining Access
  • Cover the Tracks

15
Module 2 Conclusion
  • Penetration Testing Methodologies
  • Penetration Test Management (ISSAF)?
  • PenTest Project Management
  • Engineer Assessment Effort
Write a Comment
User Comments (0)
About PowerShow.com