Ola:

I am working on adapting a Hacker Methodology for pentetration testing for IT Security Audits. This will provide the framework for and IT Pentration Test for on internal audits. I wanted to post this and see if anyone had input on it. I have already started filling in more detail within each step of the framework, however, before I get to far, I like I stated previously, would like to see if there is any feedback on this:

1. Footprint
2. Scan
3. Enumerate
4. Penetrate
5. Escalate
6. Pillage (perhaps Harvest instead?)
7. Get Interactive
8. Expand Influence
9. Cleanup
10. Report

Source: Foundstone(R) - except the Report step and any comments in parens.

Also - for each step, I will include (in our internal plan) the OS/OE our organization supports and the specifics for each. I was also going to include from SANs something I learned about penetration testing general methodologies for security audits:

1. Scanning tools
2. Interviews
3. Time in front of the console(s) with the SA 'driving'

I am also going to be including at the top and repeat it through the checklist, how important it is to ensure all pen testers adhere to their ethics and integrity and mention the organization's business conduct policy.

Thoughts? I can also expand more on the 10 stepper above if needed.

In advance -

Gracias.