CISA Made Easy

                                           - easy CISA preparation

Tuesday, July 15, 2008

How to plan a Penetration Test

CISA Quick Tips 08-1507

When does an IS auditor work as a hacker? It is a common misconception that hackers are basically bad guys; in the traditional sense of the word, hackers are curious and ethical by nature, and the bad guys are crackers.

An IS auditor doing a network penetration test works like a hacker. Hackers can be distinguished from penetration testers, but here we treat the two as the same.

Penetration tests are important because they lead to the modification or adoption of information-system policies, and detecting vulnerabilities leads to a stronger system. Proper planning of a penetration test is even more important.

Before going for a pen test (short for penetration test), an auditor should decide many things.
I shall discuss a few of them here.

1. Source of the penetration test

Based on management's requirements, the auditor or testing team should decide where the penetration test will be launched from. For example, if the target is a web server reachable from the outside world, an external penetration test is desired. Internal or perimeter penetration tests are also appropriate in many cases.

2. Destination of the penetration test

Which part of the network and which subnets will be covered must be decided. The range of hosts, IP addresses and MAC addresses should be finalised and ready before the penetration test begins.

3. Tools and methodology
The tools and methods suitable for the pen test should be finalised in advance.

4. Timing
The timing of a penetration test is very important. Some penetration tests are run during business hours, when system use is highest, but most financial network pen tests are run outside business hours or late at night, when the number of transactions is lower.

5. Presence of vendors

Qualified representatives of not only the network and telecommunication vendors but also the application vendor, system vendor and other related vendors should be present on site or available on call. I have seen the absence of the application vendor cause longer downtime of a faulty system.

6. Prioritised contact list

Although management's representative should be present on site, a prioritised list of representatives from all concerned groups should be ready before the test.

7. Backup system

Ideally, backups of the network facility, applications, databases and telecommunication facility should be ready for the extreme case in which the test causes an outage.

8. Intimation
If this is not a secret pen test, all concerned people should be notified well in advance, as the organisation's policy requires. In the case of a secret pen test, only the authorised people should be notified.

9. Reports and reporting formats
The reports and reporting format should be finalised in advance.

All of the above depend on the following factors:

a. The scope of the audit or penetration test
b. The nature and type of pen test
c. The platform of the setup
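Points 2 (destination) and 4 (timing) above are the ones a tester can enforce mechanically while the test runs: every host touched must fall inside the agreed ranges and outside the carve-outs, and every action must fall inside the agreed window. The script below is an added example of such a rules-of-engagement guard; it is not code from the original post. The address ranges, the excluded hosts and the 22:00-04:00 overnight window are constructed sample values, chosen so that the window-crosses-midnight case the post alludes to ("late in the night") is exercised.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Engagement:
    """The agreed rules of engagement: target ranges, carve-outs, test window."""
    allowed: list          # ip_network objects management signed off on
    excluded: list         # ip_network objects carved out (e.g. a production DB host)
    window_start: time     # start of the agreed test window
    window_end: time       # end of the window; may be earlier than start (overnight)

    @classmethod
    def from_plan(cls, allowed, excluded, window):
        """Build from the strings a plan document would carry, e.g. "22:00-04:00"."""
        start, end = (time.fromisoformat(t) for t in window.split("-"))
        return cls([ipaddress.ip_network(n) for n in allowed],
                   [ipaddress.ip_network(n) for n in excluded],
                   start, end)

    def scope_problem(self, host):
        """Return None if host may be tested, otherwise the reason it may not."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return "not a valid IP address"
        if any(addr in net for net in self.excluded):
            return "explicitly excluded"       # carve-outs win over allowed ranges
        if not any(addr in net for net in self.allowed):
            return "not in authorized ranges"
        return None

    def in_window(self, when):
        """True if the wall-clock time of `when` is inside the test window."""
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window crosses midnight (e.g. 22:00-04:00): either side of it counts.
        return t >= self.window_start or t < self.window_end

    def check(self, host, when):
        """All reasons why testing `host` at `when` would breach the agreement."""
        reasons = []
        problem = self.scope_problem(host)
        if problem:
            reasons.append(problem)
        if not self.in_window(when):
            reasons.append("outside test window")
        return reasons


def plan_targets(engagement, candidates, when):
    """Split a candidate target list into hosts cleared to test and hosts blocked, with reasons."""
    allowed, blocked = [], {}
    for host in candidates:
        reasons = engagement.check(host, when)
        if reasons:
            blocked[host] = reasons
        else:
            allowed.append(host)
    return allowed, blocked


# Constructed sample plan: documentation address ranges and hypothetical carve-outs.
SAMPLE_PLAN = Engagement.from_plan(
    allowed=["192.0.2.0/24"],
    excluded=["192.0.2.10/32", "192.0.2.128/26"],
    window="22:00-04:00",
)
# Constructed candidate list a scanner might be fed, including one typo.
CANDIDATES = ["192.0.2.5", "192.0.2.10", "192.0.2.150", "198.51.100.7", "not-an-ip"]


def demo(clock="23:30", day="2008-07-15"):
    """Run the sample plan against the candidate list at the given wall-clock time."""
    when = datetime.fromisoformat(f"{day}T{clock}")
    return plan_targets(SAMPLE_PLAN, CANDIDATES, when)


if __name__ == "__main__":
    ok, blocked = demo()
    print("allowed:", ok)
    for host, why in blocked.items():
        print(f"blocked {host}: {', '.join(why)}")
```

Exclusions are checked before allowed ranges on purpose: a carve-out for a single production host inside an otherwise authorised /24 must win, which is the usual shape of a real scope. Feeding the scanner only the `allowed` list, and logging the `blocked` dictionary, gives the auditor evidence for the report that the agreed scope and window were respected.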





CISA Type Question 08-1507

Which of the following is the first thing that a penetration tester/IS auditor will ask for after receiving the scope of the audit?

1. Network map of the organisation
2. Details of all the employees of the organisation
3. Details of the management of the organisation
4. Application service provider details


Answer to CISA Type Question 08-1407

The exception report ideally should be available to only a few people, based on the policy of the organisation. So the correct answer is 1: the exception report is available only to a few people in the organisation. All the others are matters of major concern.




7 comments:

What are the different phases of penetration testing, and which phase is most important?
Miki

The different phases include
1. Understanding/gathering information about the destination from the owners, if possible.

2. Gather information from public systems like the internet.

3. Scan for vulnerabilities.

4. Eliminate the false positives.

5. Assess which vulnerability is more serious and which could cause more destruction.

6. Gather resources to exploit the vulnerabilities identified in step 5.

7. Attack the systems.

8. Collect the raw data and eliminate the unneeded data.

9. Discuss and report to the owners.

These are, in brief, the steps involved.

Thanks
Dips

Yes, I agree with Mr. Deepak.
I shall summarise the phases of penetration testing as below:

1. Information gathering (Both from external and internal source)


2. Vulnerability Space definition


3. Vulnerability Impact analysis


4. Planning and Method Selection


5. Actual attack


6. Results and analysis


7. Reporting

8. Follow up

It will be difficult for me to choose the most important step.
Each step is equally important.
Importance may vary according to the scope and nature of the pen test.

The two most important parts of managing a penetration test are the scope and the reporting. If either are wrong then the entire exercise is flawed.

The scope definition is key to a successful test. Nobody wants to test the wrong systems or systems that don't form part of the target of evaluation. A flawed scope can skew test results, certainly when it comes to summarising issues.

The reporting is key to a good penetration test. A bad report sits on a shelf. A good penetration test report explains things in terms management can understand, provides practical recommendations and helps teams create and implement action plans based on the output.

The question may be irrelevant to the post; it is about an ethics issue. A member of the auditee staff offers to lend you an unauthorised copy of software that you need for a short time.
How could I deal with such a situation? Will the auditee usually get amnesty for turning in the auditor or discrediting the auditor?

The answer is your own judgement.

As an auditor community, we should always discourage the use of illegal media and manuals.

I have found so many important points about penetration testing here, given in a very simple way. Thanks for sharing this informative post.

 
