Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by Heorot.net.  Understand the need for a PenTest Methodology  Identify the most-used methodologies  Understand Advantages and Limitations.

Published byArmando Hare Modified over 9 years ago

Similar presentations

Presentation on theme: "Presented by Heorot.net.  Understand the need for a PenTest Methodology  Identify the most-used methodologies  Understand Advantages and Limitations."— Presentation transcript:

1 Presented by Heorot.net

2  Understand the need for a PenTest Methodology  Identify the most-used methodologies  Understand Advantages and Limitations of the OSSTMM  Identify structure of the OSSTMM for Engineers and Managers

3  Use the templates available in the OSSTMM  Modify the OSSTMM templates and test requirements to match your individual need

4  “The objective of this manual is to create one accepted method for performing a thorough security test” – OSSTMM  OSSTMM = Project Management  “Collection of processes and knowledge areas generally accepted as best practice” - PMBOK

5  Phases within a Project Initiating Planning Executing Monitoring and Controlling Closing  Processes within a Project Inputs (documents, plans, designs, etc.) Tools and Techniques (mechanisms applied to inputs) Outputs (documents, products, etc.)

6  Nine Knowledge Areas within a Project Project Integration Management Project Scope Management Project Time Management Project Cost Management Project Quality Management Project Human Resource Management Project Communications Management Project Risk Management Project Procurement Management

7  Project Integration Management Describes the process required to ensure that the various elements of the project are properly coordinated. It consists of: ○ project plan development ○ project plan execution ○ integrated change control

8  Project Scope Management Describes the process required to ensure that the project includes all the work required to complete the project successfully. It consists of: ○ initiation ○ scope planning ○ scope definition ○ scope verification ○ scope change control

9  Project Time Management describes the process required to ensure timely completion of the project. It consists of: ○ activity definition ○ activity sequencing ○ activity duration estimating ○ schedule development ○ schedule control

10  Project Cost Management Describes the process required to ensure that the project is completed within the approved budget. It consists of: ○ resource planning ○ cost estimating ○ cost budgeting ○ cost control

11  Project Quality Management Describes the process required to ensure that the project will satisfy the needs for which it was undertaken, It consists of: ○ quality planning ○ quality assurance ○ quality control

12  Project Human Resource Management Describes the process required to make the most effective use of the people involved with the project. It consists of: ○ organizational planning ○ staff acquisition ○ team development

13  Project Communications Management Describes the process required to ensure timely and appropriate generation, collection, dissemination, storage and ultimate disposition of project information. It consists of: ○ communications planning ○ information distribution ○ performance reporting ○ administrative closure

14  Project Risk Management Describes the process required to ensure that the various elements of the project are properly coordinated. It consists of: ○ project plan development ○ project plan execution ○ integrated change control

15  Project Procurement Management Describes the processes required to acquire goods and services from outside the performing organization. It consists of: ○ procurement planning ○ solicitation planning ○ solicitation ○ source selection ○ contract administration ○ contract closeout

16  How do PenTest Methodologies fit within Project Management? Very poorly, but they are trying OSSTMM ○ Rules Of Engagement (2 pages in length) Sales and Marketing (Cost?) Assessment / Estimate Delivery (Time) Contracts and Negotiations (Procurement/Cost) Scope Definition (Scope (barely)) Test Plan (not a Knowledge Area – process) Test Process (not a Knowledge Area – process) Reporting (Communications)

17  So… when does any work get done? Work Breakdown Structure (WBS) ○ Created during Scope Management ○ The 100% Rule captures all deliverables – internal, external, interim – in terms of the work to be completed ○ It is not an exhaustive list of work ○ Outcome-oriented and not prescriptive of methods

18  How PenTest Methodologies succeed as a WBS Mutually exclusive elements ○ Each step within a PenTest Methodology Builds on the next without repeating effort Planned outcomes, not planned actions ○ OSSTMM provides high-level objectives ○ OSSTMM does not dictate methods

19  How PenTest Methodologies fail as a WBS No heirarchy (Decomposition) No progressive elaboration of “Terminal Element”: ○ associated work statement ○ specifications ○ scheduled milestones ○ start and completion dates ○ budgets

20  Does this mean a PenTest Methodology is worthless? No!

21  OSSTMM (Open Source Security Testing Methodology Manual ) ○ “peer-reviewed methodology for performing security tests and metrics” ○ http://www.isecom.org/osstmm/  ISSAF ( Information Systems Security Assessment Framework) ○ “seeks to integrate the following management tools and internal control checklists” ○ http://www.oissg.org/issaf  NIST (National Institute of Standards and Technology)  PMBOK (Project Management Body of Knowledge)

22  ISSAF ○ http://www.oissg.org/issaf  OSSTMM ○ http://www.isecom.org/osstmm/  NIST SP 800-42 ○ http://csrc.nist.gov/publications/PubsSPs.html Heorot.net

23  ISSAF Peer-Reviewed Contains two separate documents ○ Management (ISSAF0.2.1A)‏ ○ Penetration Testing (ISSAF0.2.1B)‏ Checklists for Auditing / Hardening Systems Tool-Centric Heorot.net

24  ISSAF Advantages ○ Does not assume previous knowledge ○ Provides examples of pentest tool use ○ “In the weeds” Disadvantages ○ Out of date quickly ○ Pentest tool examples are not extensive ○ Last update: May 2006 Heorot.net

25  OSSTMM Peer-Reviewed Most popular methodology Assessments are discussed at a high-level Includes unique technology (RFID, Infrared)‏ Extensive templates Heorot.net

26  OSSTMM Advantages ○ More flexibility for Pentesters ○ Frequent updates Disadvantages ○ Steeper learning curve Tool and OS knowledge necessary beforehand ○ Latest version requires paid subscription Heorot.net

27  NIST SP 800-42 Federal Publication Least comprehensive methodology Tools-oriented NIST publications rarely get updated If you can't use anything else, at least use something Heorot.net

28  OSSTMM Current Version: 2.2 ○ New release arriving soon: 3.0 The more popular methodology ○ Flexibility for the penetration tester ○ Much more broad in scope ○ Easier to modify to meet your organizational needs Heorot.net

29  Sections Section A – Information Security Section B – Process Security *Section C – Internet Technology Security Section D – Communications Security Section E – Wireless Security Section F – Physical Security Heorot.net

30  Sections Modules ○ Each section contains 1 or more module ○ Example: Section D – Communications Security -PBX Testing -2. Voicemail Testing -3. FAX Review -4. Modem Testing Heorot.net

31  Sections Modules ○ Description of the Module ○ Expected Results ○ Tasks Additionally (sometimes) ○ Report Templates Heorot.net

32  For Managers and Project Managers Document Scope Compliance Rules of Engagement Process Security Map Risk Assessment Security Metrics Heorot.net

33  Understand the need for a PenTest Methodology  Identify the most-used methodologies  Understand Advantages and Limitations of the OSSTMM  Identify structure of the OSSTMM for Engineers and Managers

Download ppt "Presented by Heorot.net.  Understand the need for a PenTest Methodology  Identify the most-used methodologies  Understand Advantages and Limitations."

Similar presentations

PROJECT MANAGEMENT BASICS

PROJECT MANAGEMENT BASICS
Successful Project Management Justice, E-Government, & the Internet June 28, 2000 – Dallas, Texas Lawrence P. Webster.

Successful Project Management Justice, E-Government, & the Internet June 28, 2000 – Dallas, Texas Lawrence P. Webster.
Software Quality Assurance Plan

Software Quality Assurance Plan
Module 2 – PenTest Overview

Module 2 – PenTest Overview
Project Change Management

Project Change Management
A framework for describing IT Project Management Processes and Tool Set Features Enterprise Project Management Framework.

A framework for describing IT Project Management Processes and Tool Set Features Enterprise Project Management Framework.
Project Integration Management Sections of this presentation were adapted from A Guide to the Project Management Body of Knowledge 4 th Edition, Project.

Project Integration Management Sections of this presentation were adapted from A Guide to the Project Management Body of Knowledge 4 th Edition, Project.
CS-413 1 Integration Management (Part 6) Bilgisayar Mühendisliği Bölümü – Bilkent Üniversitesi – Fall 2009 Dr.Çağatay ÜNDEĞER Instructor Bilkent University,

CS Integration Management (Part 6) Bilgisayar Mühendisliği Bölümü – Bilkent Üniversitesi – Fall 2009 Dr.Çağatay ÜNDEĞER Instructor Bilkent University,
Successful Project Management Justice, E-Government, & the Internet June 28, 2000 – Dallas, Texas Lawrence P. Webster.

Successful Project Management Justice, E-Government, & the Internet June 28, 2000 – Dallas, Texas Lawrence P. Webster.
Project Management Session 7

Project Management Session 7
Project Management based on the Project Management book of knowledge Risk Identify, analyse and respond to risks Resources Make most effective use of human.

Project Management based on the Project Management book of knowledge Risk Identify, analyse and respond to risks Resources Make most effective use of human.
The 9 Things in the PMBOK 19-Nov-08. The PMBOK “Project Management Body of Knowledge” –sum of knowledge within the profession of project management –used.

The 9 Things in the PMBOK 19-Nov-08. The PMBOK “Project Management Body of Knowledge” –sum of knowledge within the profession of project management –used.
© 2008 Prentice Hall11-1 Introduction to Project Management Chapter 11 Managing Project Execution Information Systems Project Management: A Process and.

© 2008 Prentice Hall11-1 Introduction to Project Management Chapter 11 Managing Project Execution Information Systems Project Management: A Process and.
Project Execution.

Project Execution.
Project Management Body of Knowledge PMBOK

Project Management Body of Knowledge PMBOK
The Project Management Body of Knowledge (PMBOK)

The Project Management Body of Knowledge (PMBOK)
Project management INTRODUCTION. Information Technology Project Management, Fourth Edition 2 IT projects have a terrible track record. A 1995 Standish.

Project management INTRODUCTION. Information Technology Project Management, Fourth Edition 2 IT projects have a terrible track record. A 1995 Standish.
Project Management Framework. PMBOK ® Guide, Third Edition.

Project Management Framework. PMBOK ® Guide, Third Edition.
PRESENTED BY TRUST THOMAS EROMOSELE STUDENT NO: 125385.

PRESENTED BY TRUST THOMAS EROMOSELE STUDENT NO:
Project Management Lecture 5+6 MS Saba Sahar.

Project Management Lecture 5+6 MS Saba Sahar.

Similar presentations

Ads by Google