
There is method in the madness...

penetration testing
Time, it seems, is an ever-decreasing commodity in my day! So I'm afraid that this is going to be short, and I'm going to try for it to be to the point...

Being able to find a vulnerability in a system is only half (if even that much) of being a good tester in a commercial environment. If you can do only this, you are a hacker, not a PenTester. To be commercially viable, not to mention professional - you should follow a defined methodology. This does a number of things for you:

1) It gives you the air of credibility that distinguishes you from all the other testers out there.
2) Using a methodology allows you to ensure that you overlook nothing.
3) It allows for easy production of reports.
4) It allows for reproducible results.

There are a few methodologies available, ranging in complexity and applicability. Finding them is a search that you can carry out for yourself on the web. But the one that I use, believe in and evangelise (not only because it is free) is the Open Source Security Testing Methodology Manual from the Institute for Security and Open Methodologies (or, for the rest of us, the OSSTMM from ISECOM). Release 3 is due out at the end of this month, and the previews that I have seen point to it becoming even more comprehensive than it was before.

The OSSTMM is split down into sections covering all aspects of Information Security. It provides guidance and rules of thumb about the time that is necessary to perform a network audit, risk assessment and reasonable "rules of engagement" when working with clients. It then goes on to cover six major areas of InfoSec:

1) Publicly available information
Checking for information "leakage", and making the most of what is available.
2) Process Security
Checking out the internal processes that are in place - this covers social engineering and other similar areas.
3) Internet
This is the standard ethical hacking area, covering all that you would expect.
4) Communications
PBX and voicemail security issues - "phreaking" really ...
5) Wireless
The relatively new area of Wireless security - 802.11 and more!
6) Physical Security
The often overlooked (by so many companies) area of making sure that you can't steal the flaming machines!

The OSSTMM also includes templates for your testing, which allow you to produce a very high standard of work, leaving nothing out at all. Making use of all of the resources that ISECOM provide will create a fantastically comprehensive PenTest that can be held to be the best that can be done. Just to prove this, ISECOM offer a certification service where, provided that you have done all that you should, you can have your test certified by them (all professionals) to give your client that additional peace of mind.

The OSSTMM is available from ISECOM. Please consider supporting ISECOM in some way: it is an open source initiative and a not-for-profit organisation, so to keep going they rely on help from volunteers and charitable companies.

If you want to be certified in the use of the OSSTMM, ISECOM is running a training course to become an OSSTMM Professional Security Analyst (OPSA) or an OSSTMM Professional Security Tester (OPST) at their training camp in Las Vegas in October (I'll be lecturing there, so if you do come, please come and say "Hi"). I went to the one in Barcelona this March, and it was well worth the trip - you get a much greater understanding of the OSSTMM and you can hassle Pete Herzog about exactly what he means by something - try doing that with any of the commercial implementations!