better late than never.... (was Re: Penetration testing scope/outline)
From: Pete Herzog (pete_at_isecom.org)
Date: 10/11/04
- Previous message: Abe Usher: "MonkeyShell: using XML-RPC for access to a remote shell"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Oct 2004 13:03:51 +0200 To: Pen Test <pen-test@securityfocus.com>
Anders and others,
I have asked repeatedly for this kind of criticism to improve the OSSTMM
documentation and this is exactly what I needed over a year ago (albeit
more detail would be better). So better late than never.
It is this kind of discussion that improves the document. Thanks for
your specific comments. It lets me know that I'm on the right track.
And yes, 3.0 does fix the problems you mention.
I am careful with the pen testing / ethical hacking definitions as in
the international business arena, those applied definitions change
greatly. However, I do assure their implementation in the manual.
OSSTMM 3.0 has evolved even more to be a methodology for thorough
security testing and metrics where I focus on factual security metrics
as a whole and allow for the manual to be taken in part for penetration
testing and ethical hacking. I do identify the requirements of such and
explain when a penetration test may be useful, even if I do find the
penetration test to be of business value only under very limited
circumstances. Note to flamers: I did say "business value" and will
clearly explain the reasons for this at the ISESTORM symposium next
Saturday (Oct. 18th) and post them on the ISECOM website upon my return.
I also try to completely withdraw the requirement of experience from
following the test methodology as I find it to be a danger in most
cases. It has been determined that a high level of experience is
necessary for analysis but not for testing because it leads to false
assumptions and unverified results. This has also led me to develop a
more useable methodology where it can even be adapted for non-technical
people requiring access to factual security metrics (already integrated
in that format for the SecurityNOW! tool
http://www.isecom.org/securitymetrics.shtml) and I have seen it has been
integrated into the UnicornScan results (http://www.unicornscan.org).
This is not to say the methodology is not as technical as always.
Actually, it has followed technology quite well. However it just is
more useable since it can be adapted into less technical formats.
Sincerely,
-pete.
-- Pete Herzog - Managing Director - pete@isecom.org ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org ------------------------------------------------------------------- ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority. ------------------------------------------------------------------------------ Internet Security Systems. - Keeping You Ahead of the Threat When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology. http://www.securityfocus.com/sponsor/ISS_pen-test_041001 -------------------------------------------------------------------------------
- Previous message: Abe Usher: "MonkeyShell: using XML-RPC for access to a remote shell"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
