
Thread: The (A) Hacker Methodology: Adapting it for penetration testing.

  1. #1

    The (A) Hacker Methodology: Adapting it for penetration testing.

    Ola:

    I am working on adapting a Hacker Methodology for penetration testing for IT Security Audits. This will provide the framework for an IT Penetration Test for internal audits. I wanted to post this and see if anyone had input on it. I have already started filling in more detail within each step of the framework; however, before I get too far, like I stated previously, I would like to see if there is any feedback on this:

    1. Footprint
    2. Scan
    3. Enumerate
    4. Penetrate
    5. Escalate
    6. Pillage (perhaps Harvest instead?)
    7. Get Interactive
    8. Expand Influence
    9. Cleanup
    10. Report

    Source: Foundstone(R) - except the Report step and any comments in parens.

    Also - for each step, I will include (in our internal plan) the OS/OE our organization supports and the specifics for each. I was also going to include from SANS something I learned about penetration testing general methodologies for security audits:

    1. Scanning tools
    2. Interviews
    3. Time in front of the console(s) with the SA 'driving'

    I am also going to be including at the top and repeat it through the checklist, how important it is to ensure all pen testers adhere to their ethics and integrity and mention the organization's business conduct policy.

    Thoughts? I can also expand more on the 10 stepper above if needed.

    In advance -

    Gracias.

  2. #2
    Banned | Join Date: May 2003 | Posts: 1,004
    I am also going to be including at the top and repeat it through the checklist, how important it is to ensure all pen testers adhere to their ethics and integrity and mention the organization's business conduct policy.
    If you think that is enough. Most organizations I've worked with have their pen testing tasks broken apart in a manner that no single auditor can gain enough information to compromise the system. Only the director receives the full report, which is generated by at least two project managers depending on the level of security required.

    That aside, I think a hacker methodology is a bad approach. People just think it sounds cool.

    The footprinting, scanning, and enumeration phases should be removed. The pen testing team should be provided with an aggregate map of the entire system, including operating system and service revs, but firewall rule sets, and system security policy maps.

    This saves significant time and ensures a higher likelihood of penetration since the team can better plan the attack.

    This does not mean that footprinting, scanning, and enumeration shouldn't be done... they should be to ensure that the documented system matches the actual system. But this type of audit should be done more frequently and in an unrelated manner to the pen test.

    cheers,

    catch

  3. #3
    Ola:

    First - thanks for the reply catch. I appreciate the information.

    Next,

    If you think that is enough. Most organizations I've worked with have their pen testing tasks broken apart in a manner that no single auditor can gain enough information to compromise the system. Only the director receives the full report, which is generated by at least two project managers depending on the level of security required.
    Were those organizations and auditors you worked with internal or external auditors - (we are internal)? Also - and I am just trying to understand - but what would project managers be involved on an audit?

    Also,

    That aside, I think a hacker methodology is a bad approach. People just think it sounds cool.
    Just FYI - I and our department are not trying to "sound cool" or anything like that - that is just what I was taught through the class from Foundstone, and although it is a "hacker's methodology", one of the objectives of the class was to conduct penetration assessments and how to address those vulnerabilities.

    The steps you mentioned to remove - good suggestions - I think I will change those steps into one, simply "Auditee Information Collection" or something like that - as we have the responsibility to get the information via survey and/or meeting with the auditee in the first place.

    edit

    Sorry - forgot to post this - it looks like it follows what you were talking about - I am going to read through it more and adapt our strategy from it and your suggestions.

    http://www.sans.org/rr/whitepapers/auditing/67.php

    /edit

    Gracias.

  4. #4
    Banned | Join Date: May 2003 | Posts: 1,004
    Were those organizations and auditors you worked with internal or external auditors - (we are internal)? Also - and I am just trying to understand - but what would project managers be involved on an audit?
    It doesn't matter if they are internal or external. No single person at that level should know how to compromise the system, especially on the company's dime.
    Project managers would manage the pen testing project. (seems pretty straightforward when put like that) Basically they ensure that the system administrators, security administrators, auditors, analysts, etc are all on the same page and that everything is delivered on time/on budget.

    Just FYI - I and our department are not trying to "sound cool" or anything like that - that is just what I was taught through the class from Foundstone, and although it is a "hacker's methodology", one of the objectives of the class was to conduct penetration assessments and how to address those vulnerabilities.
    Then it was a marketing gimmick on their part.

    cheers,

    catch

  5. #5
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    As a "renter" of security audits I have a choice:

    1. I give nothing and pay for the hours of information gathering by the auditor.

    2. I give the basics, let them check them directly and get on with their job.

    Whether the auditor is internal or external there is a cost to the information gathering phase. Done properly and in an organization of reasonable size you add a significant period to the audit. Thus you add significant cost.

    It's very easy for the organization to regularly carry out the information gathering phase, especially from an external point of view, by carrying out the standard passive footprinting techniques that any potential attacker might try on a quarterly basis - Pay special attention to avenues that might lead to social engineering techniques... It has a cost, but the cost is less overall than that of a full blown audit of the same facet.... Hell, a lot of it could be scripted..... I prefer the manual approach, but that's me - it gives me a more "granular" view of my publicly available "assets"....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
