E-book, English, 389 pages
Tiller CISO's Guide to Penetration Testing
Year of publication: 2013
ISBN: 978-1-4398-8028-9
Publisher: Taylor & Francis
Format: PDF
Copy protection: Adobe DRM (see system requirements)
A Framework to Plan, Manage, and Maximize Benefits
CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits details the methodologies, framework, and unwritten conventions penetration tests should cover to provide the most value to your organization and your customers. Discussing the process from both a consultative and technical perspective, it provides an overview of the common tools and exploits used by attackers along with the rationale for why they are used.
From the first meeting to accepting the deliverables and knowing what to do with the results, James Tiller explains what to expect from all phases of the testing life cycle. He describes how to set test expectations and how to identify a good test from a bad one. He introduces the business characteristics of testing, the imposed and inherent limitations, and describes how to deal with those limitations.
The book outlines a framework for protecting confidential information and security professionals during testing. It covers social engineering and explains how to tune the plethora of options to best use this investigative tool within your own environment.
Ideal for senior security management and anyone else responsible for ensuring a sound security posture, this reference depicts a wide range of possible attack scenarios. It illustrates the complete cycle of attack from the hacker’s perspective and presents a comprehensive framework to help you meet the objectives of penetration testing—including deliverables and the final report.
Target audience
Information security management, staff, and consultants.
Further information & material
Getting Started
Audience
How to Use This Book
Setting the Stage
Perspectives of Value
Where Does Penetration Testing Fit?
What Constitutes a Success?
A Quick Look Back
Hacking Impacts
  Resources
  Information
  Time
  Brand and Reputation
The Hacker
  Types of Hackers
  Script Kiddies
  Independent Hackers
  Organized Hackers
Sociology
Motives
The Framework
Planning the Test
Sound Operations
Reconnaissance
Enumeration
Vulnerability Analysis
Exploitation
Final Analysis
Deliverable
Integration
The Business Perspective
Business Objectives
Previous Test Results
  Building a Roadmap
Business Challenges
  Security Drivers
  Increasing Network Complexity
  Ensuring Corporate Value
  Lower Management Investment
  Business Consolidation
  Mobile Workforce
  Government Regulations and Standards
  Why Have the Test?
  Proof of Issue
  Limited Staffing and Capability
  Third-Party Perspective
It Is All about Perspective
  Overall Expectations
  How Deep Is Deep Enough?
  One-Hole Wonder
  Today's Hole
Planning for a Controlled Attack
Inherent Limitations
  Time
  Money
  Determination
  Legal Restrictions
  Ethics
Imposed Limitations
Timing Is Everything
Attack Type
Source Point
Required Knowledge
  Timing of Information
  Internet
  Web Authenticated
  Application Service
  Direct Access
Multiphased Attacks
  Parallel Shared
  Parallel Isolated
  Series Shared
  Series Isolated
  Value of Multiphase Testing
  Employing Multiphased Tests
Teaming and Attack Structure
  Red Team
  Vulnerability Explanation
  Testing Focus
  Mitigation
  White Team
  Piggyback Attacks
  Reverse Impact
  Detection
  Blue Team
  Incident Response
  Vulnerability Impact
  Counterattack
  Team Communications
Engagement Planner
The Right Security Consultant
  Technologists
  Architects
  Ethics
The Tester
Logistics
  Agreements
  Downtime Issues
  System and Data Integrity
  Get Out of Jail Free Card
  Intermediates
  Partners
  Customers
  Service Providers
  Law Enforcement
Preparing for a Hack
Technical Preparation
  Attacking System
  Operating System
  Tools
  Data Management and Protection
  Attacking Network
  Attacking Network Architecture
Managing the Engagement
  Project Initiation
  Identify Sponsors
  Building the Teams
  Schedule and Milestones
  Tracking
  Escalation
  Customer Approval
During the Project
  Status Reports
  Scope Management
  Deliverable Review
Concluding the Engagement
Reconnaissance
Social Engineering
  E-Mail
  Value
  Controlling Depth
  Help Desk Fraud
  Value
  Controlling Depth
  Prowling and Surfing
  Internal Relations and Collaboration
  Corporate Identity Assumption
Physical Security
  Observation
  Dumpster Diving
  Theft
Internet Reconnaissance
  General Information
  Web Sites
  Social Networking
Enumeration
Enumeration Techniques
  Connection Scanning
  SYN Scanning
  FIN Scanning
  Fragment Scanning
  TCP Reverse IDENT Scanning
  FTP Bounce Scanning
  UDP Scanning
  ACK Scanning
Soft Objective
Looking Around or Attack?
Elements of Enumeration
  Account Data
  Architecture
  Operating Systems
  Wireless Networks
  Applications
  Custom Applications
Preparing for the Next Phase
Vulnerability Analysis
Weighing the Vulnerability
Source Points
  Obtained Data
  The Internet
  Vendors
  Alerts
  Service Packs
Reporting Dilemma
Exploitation
Intuitive Testing
Evasion
Threads and Groups
  Threads
  Groups
Operating Systems
  Windows
  UNIX
Password Crackers
Rootkits
Applications
  Web Applications
  Distributed Applications
  Customer Applications
Wardialing
Network
  Perimeter
  Network Nodes
Services and Areas of Concern
  Services
  Services Started by Default
  Windows Ports
  Null Connection
  Remote Procedure Call (RPC)
  Simple Network Management Protocol (SNMP)
  Berkeley Internet Name Domain (BIND)
  Common Gateway Interface (CGI)
  Cleartext Services
  Network File System (NFS)
  Domain Name Service (DNS)
  File and Directory Permissions
  FTP and Telnet
  Internet Control Message Protocol (ICMP)
  IMAP and POP
  Network Architecture
The Deliverable
Final Analysis
Potential Analysis
The Document
  Executive Summary
  Present Findings
  Planning and Operations
  Vulnerability Ranking
  Process Mapping
  Recommendations
  Exceptions and Limitations
  Final Analysis
  Conclusion
Overall Structure
Aligning Findings
  Technical Measurement
  Severity
  Exposure
  Business Measurement
  Cost
  Risk
Presentation
  Remedial
  Tactical
  Strategic
Integrating the Results
Integration Summary
Mitigation
  Test
  Pilot
  Implement
  Validate
Defense Planning
  Architecture Review
  Architecture Review Structure
  Awareness Training
  Awareness Program
Incident Management
  Building a Team
  People
  Mission
  Constituency
  Organizational Structure
  Defining Services and Quality
  CERT Forms
Security Policy
  Data Classification
  Organizational Security
Conclusion
Index