Need to write an audit checklist for penentration testing...
Results 1 to 5 of 5

Thread: Need to write an audit checklist for penentration testing...

  1. #1
    Senior Member
    Join Date
    Jan 2005
    Posts
    100

    Need to write an audit checklist for penentration testing...

    Hello,

    Part of my work includes penetration testing. While I know there are methodologies out there already, I wanted to base my audit checklist off of a hacker methodology (specifically one from Foundstone) and for that I wanted to post that methodology here and then ask for comments about how to take that hacker methodology and turn that into an audit checklist - like including what to report back to the client, what, if anything should be harvested as evidence and the like.

    Before I do that however, I wanted to get a general feel from the community in general about doing something like that so that I would not get negged from here to Jupiter, well at least negged to Mars.

    Thanks in advance for your insight on this.
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    If your information is useful and not just another 1/2 baked "tutorial" I'm sure it will be fine.
    Oh, avoid dipshit hacker speak as a bonus... Be sure to use real words..

    Posting a small example of content you are worried about might be helpful to those who care to comment..

  3. #3
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Ok. Not looking to post a tutorial, rather a checklist for something I want to deploy for myself and other IT auditors. I was thinking that trying to follow a type of hacker methodology might work best to try and show our auditees what possible risks they are exposing our company to. I would have the methodology and then within each step of the methodology, the controls to look for in each OS we support. Before posting the whole thing, this is the thought I had:

    Example of adapting a hacker methodology to an IT audit checklist.

    Note that step 1A will be taken care through a survey we send to the auditee - meaning they know we are coming, which we want:

    0. OS/OE to include: RH Linux, WINNT, W2K, W2K3
    1. Footprint
    A. Site contacts, server/workstation, ip ranges, domains (if applicable). Check computer survey
    B. Review auditee's HTML, if applicable.
    B. Review HTML for additional information, if applicable
    C. Check public sites for information about our company(?)
    (1) Google ( http://www.google.com )
    (2) Netcraft ( http://www.netcraft.com )
    (3) Big Brother ( http://www.bb4.com )
    D. Check to see if reverse dns lookup is enabled - does it need to be?
    (1) Explanation on how to check for zone transfers...
    E. Check to see


    ...

    Actually - before I go on, I think I cannot use this type of methodology for an internal audit. I am going back to the drawing board as I just remembered some SANS training I had as well, and I will combine the above Foundstone ideas with the SANS and just post for comments and see what shakes loose.

    Thanks anyway.
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi KuiXing-2005

    I hate to volunteer others' services but try sending a PM to catch and cacosapo.............tell them I suggested it

    There are several others but those are the ones I would start with, as they are both professional consultants and will certainly be able to point you in the right direction.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Thanks much nihil! Will do.

    Also - part of what I was going to include in my checklist (and I will also run this by catch and cacosapo) the following from SANS:

    When conducting an IT audit don't rely solely on automated tools, rather employ the following strategy:

    1. Automated scanning tools
    2. Time at the console with the administrator(s)
    3. Interviews
    Now SANS states that with 2 and 3 above, you would get more information than just using the scanning tools alone. So far in my experience, I would say that is possible, but it depends on 1) interviews: your interview style and the willingness/comfort level of the interviewee 2) console: know what you are looking for.

    Anywho - thanks again.
    \"An ant may well destroy a whole dam.\" - Chinese Proverb
    \"Not only can water float a craft, it can sink it also.\" - Chinese Proverb

    http://www.AntiOnline.com/sig.php?imageid=764

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides