Network Security Pen-Test

Re: Penetration testing scope/outline

Subject: Re: Penetration testing scope/outline
Date: Wed, 6 Oct 2004 07:13:36 -0700
Anders Thulin(Anders.Thulin@tietoenator.com)@Wed, Oct 06, 2004 at 08:34:44AM +0200:
> The book "Hack I.T." by Klevinsky, Laliberte and Gupta (Addison-Wesley,
> 2002) is the best place I know to start. It does not give the latest
> hacks, but it will give you a good overview of the job, both as to
> contents, and as to administration.
>
> For some of the tricks of the trade, try the "Hacking Exposed" series
> of books (Osborne/McGraw-Hill) except perhaps the J2EE & Java volume.
> Chris McNab's 'Network Security Assessment' (O'Reilly, 2004) is also useful.

Not to start a pissing contest, but after reading those books
thoroughly, I now feel more stupid for the time wasted.  The "Exposed"
series is some of the worst fluff in the industry.  so1o is also known
for having his own systems compromised by 31337 hax0rs and his own share
of site defacement.  A good lead to follow for sure :).

In the book "The art of Exploitation", by Jon Erickson, Jon actually
does a decent job in explaining what is happening during the exploit. 
Understanding what you're doing is more important than knowing how to
run tools.  Those other books are too much "Hey, I'm a systems admin and
I need to learn how to run some tools, and I have no desire to actually
know what I'm doing.".

> I don't know of any good online material.  The OSSTMM is not a
> pen-test method, though you may be able to get useful ideas from it
> once you know what you are looking for.

The OSSTMM is a fact based security validation test.  The OSSTMM
framework provides for consistent, repeatable, methodical, quantifiable
results.  It also provides a more meaningful and less subjective
language for describing the results from the test.

Our industry will do well to realize that penetration is no longer the
goal :).  Breaking in is the easy part.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
