Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

better late than never.... (was Re: Penetration testing scope/outline)

from [Pete Herzog] Network Security [Permanent Link]
Subject: better late than never.... (was Re: Penetration testing scope/outline)
Date: Mon, 11 Oct 2004 13:03:51 +0200 
Anders and others,

I have asked repeatedly for this kind of criticism to improve the OSSTMM documentation and this is exactly what I needed over a year ago (albeit more detail would be better). So better late than never.

It is this kind of discussion that improves the document. Thanks for your specific comments. It lets me know that I'm on the right track. And yes, 3.0 does fix the problems you mention.

I am careful with the pen testing / ethical hacking definitions as in the international business arena, those applied definitions change greatly. However, I do assure their implementation in the manual. OSSTMM 3.0 has evolved even more to be a methodology for thorough security testing and metrics where I focus on factual security metrics as a whole and allow for the manual to be taken in part for penetration testing and ethical hacking. I do identify the requirements of such and explain when a penetration test may be useful, even if I do find the penetration test to be of business value only under very limited circumstances. Note to flamers: I did say "business value" and will clearly explain the reasons for this at the ISESTORM symposium next Saturday (Oct. 18th) and post them on the ISECOM website upon my return.

I also try to completely withdraw the requirement of experience from following the test methodology as I find it to be a danger in most cases. It has been determined that a high level of experience is necessary for analysis but not for testing because it leads to false assumptions and unverified results. This has also led me to develop a more useable methodology where it can even be adapted for non-technical people requiring access to factual security metrics (already integrated in that format for the SecurityNOW! tool http://www.isecom.org/securitymetrics.shtml) and I have seen it has been integrated into the UnicornScan results (http://www.unicornscan.org). This is not to say the methodology is not as technical as always. Actually, it has followed technology quite well. However it just is more useable since it can be adapted into less technical formats.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.

------------------------------------------------------------------------------
Internet Security Systems. - Keeping You Ahead of the Threat

When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology. 

http://www.securityfocus.com/sponsor/ISS_pen-test_041001
-------------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • better late than never.... (was Re: Penetration testing scope/outline), Pete Herzog <=
Previous by Date:  RFP's SQL Injection papers, Pete Finnigan
Next by Date:  HTTP Response Splitting, Joxean Koret
Previous by Thread:  RFP's SQL Injection papers, Pete Finnigan
Next by Thread:  HTTP Response Splitting, Joxean Koret
Indexes:  [Date] [Thread] [Top] [All Lists]