pentest

1. Module 2 – PenTest
Overview
 Penetration Testing Methodologies
 Penetration Test Management (ISSAF)
 PenTest Project Management
 Engineer Assessment Effort
Heorot.net

2. Penetration Testing
Methodologies
 ISSAF
○ http://www.oissg.org/issaf
 OSSTMM
○ http://www.isecom.org/osstmm/
 NIST SP 800-42
○ http://csrc.nist.gov/publications/PubsSPs.html
Heorot.net

3. Penetration Testing
Methodologies
 ISSAF
 Peer-Reviewed
 Contains two separate documents
○ Management (ISSAF0.2.1A)
○ Penetration Testing (ISSAF0.2.1B)
 Checklists for Auditing / Hardening Systems
 Tool-Centric
Heorot.net

4. Penetration Testing
Methodologies
 ISSAF
 Advantages
○ Does not assume previous knowledge
○ Provides examples of pentest tool use
○ “In the weeds”
 Disadvantages
○ Out of date quickly
○ Pentest tool examples are not extensive
○ Last update: May 2006
Heorot.net

5. Penetration Testing
Methodologies
 OSSTMM
 Peer-Reviewed
 Most popular methodology
 Assessments are discussed at a high-level
 Includes unique technology (RFID, Infrared)
 Extensive templates
Heorot.net

6. Penetration Testing
Methodologies
 OSSTMM
 Advantages
○ More flexibility for Pentesters
○ Frequent updates
 Disadvantages
○ Steeper learning curve
 Tool and OS knowledge necessary beforehand
○ Latest version requires paid subscription
Heorot.net

7. Penetration Testing
Methodologies
 NIST SP 800-42
 Federal Publication
 Least comprehensive methodology
 Tools-oriented
 NIST publications rarely get updated
 If you can't use anything else, at least use
something
Heorot.net

8. Penetration Test
Management
 ISSAF
 Phase I – Planning
 Phase II – Assessment
 Phase III – Treatment
 Phase IV – Accreditation
 Phase V – Maintenance
Use a Project Manager
Heorot.net

9. PenTest Project Management
 Phase I – Planning
 Information Gathering
 Project Chartering
 Resource Identification
 Budgeting
 Bidding & Estimating (Called “Cash Flow”)
 Work Breakdown Structure (WBS)
 Project Kick-Off
Heorot.net

10. PenTest Project Management
 Phase II – Assessment
 Inherent Risk Assessment
 Controls Assessment
○ Legal & Regulatory Compliance
○ Information Security Policy
○ Information Security Organization and Mgmt.
○ Enterprise Information Systems Security and
Controls  (Penetration Testing)
○ Security Operations Management
○ Business Continuity Management
Heorot.net

11. PenTest Project Management
 Phase III – Treatment
 See Risk Treatment Plan
 Phase IV – Accreditation
 Context Establishment
 Evaluation
 Reporting
 Certification
 Phase V – Maintenance
Heorot.net

12. PenTest Project Management
 Phase II – Assessment
 Inherent Risk Assessment
 Controls Assessment
○ Legal & Regulatory Compliance
○ Information Security Policy
○ ...etc.
Each assessment is broken down further...
Heorot.net

13. PenTest Project Management
 Phase II – Assessment
 Project Management Documents
○ Engagement Scope
○ Communications Plan
○ Issue Escalation Plan
○ Scheduling
○ Responsibility Matrix
○ Deliverables
Heorot.net

14. Engineer Assessment Effort
 Phase II – Assessment
 Scheduling (Engineering Effort)
○ Information Gathering
○ Network Mapping
○ Vulnerability Identification
○ Penetration
○ Gaining Access & Privilege Escalation
○ Enumerating Further
○ Compromise Remote Users/Sites
○ Maintaining Access
○ Cover the Tracks
Heorot.net

15. Module 2 – Conclusion
 Penetration Testing Methodologies
 Penetration Test Management (ISSAF)
 PenTest Project Management
 Engineer Assessment Effort
Heorot.net