Re: Penetration testing scope/outline

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Thu Oct 07 2004 - 03:16:40 EDT


Chuck Fullerton wrote:

> The OSSTMM stands for the "Open Source Security TESTING Methodology Manual".
> To say that it's not a pen testing method is simply incorrect. This is a
> Full methodology for ALL TYPES of Security Testing, Pen testing is a type of
> Security Testing.

  I have no quarrel with your last statement, but I am not at all
certain that the OSSTMM agrees. (Now, I'm looking only at the
2.1 version, as that is what is available -- you may be arguing
from the soon-to-come 3.0 version which hasn't been generally
released yet.)

   The simplest way to check it is probably just to look to what
extent the text refers to penetration testing, and how the basic
methodology is modified (or not) to that particular type of test.

   The foreword seems reasonably clear that methodical security
testing is different, and presumably also preferrable to penetration
testing. So the document makes a distinction, and one that implies
that penetration testing lacks in method.

   Q: Is this the kind of document I would hand to someone asking
      about penetration testing? No. Perhaps the tenth, but not the
      first.

   Apart from the foreword, penetration testing is mentioned only rarely.
This may be becuase the text distinguishes 'penetration testing' and
'ethical hacking', but on the other hand, ethical hacking is not
treated in any greater detail, either.

   So how *does* this text apply to pen-testing? It doesn't say.
I had expected a section somewhere explaining how the basic
methodology could be modified for various testing scenarios.

   Q: What will someone asking for information about pen-testing
   in particular get out of this document?

   As far as I can make out, only that it's not the right question.
(And that is correct, in one context: that of the experienced tester.)

   So what does it say? Section C (Internet Technology Security)
is the chapter that most pen-testers would turn to first. It begins
on page 42, and already on page 44 I'm flabbergasted. (For those
of you who don't have the manual handy, that page says INCOMPLETE
in 72 point capitals. There's no explanation of if it is importantly
incomplete or not. Just incomplete. And this is not the only place
where the text makes this statement.

   Q. Why point anyone to a document that clearly isn't complete?

   Assuming it's not importantly incomplete (even though I can't
test that assumption) ...

   Module 3 in the same section is fairly important, as it describes
the footprinting and port scanning of a target. Unfortunately, it
does not explain the motivation for doing all this. Why do a XMAS
scan, with fragmented packets, in reverse? And how useful is that?
The manual explicitly leaves all analysis of collected informstion
to the tester, so perhaps I'm asking for something outside the
scope of the text. But then that, again, may be an indication that
this text is not for the beginner.

   Q. When I ask a OSSTMM tester what he's doing this particular type
   of scan should he be able to reply cogently? Or will he just say,
   "I'm doing Item 11 in Module 3 in Section C. Well, I just got to."

   Experienced testers can rely on their experience to understand what
use and utility a particular module is. But they already know
about pen-testing.

   And apropos Item 11 in Module 3 in Section C -- it says I should
refer to Appendix B for the ports to be scanned in this manner.

   Q. Appendix B? Where is that? Not in this document.

   Q. The document was issued more than a year ago. Has really
      noone noted that appendix B is missing or, alternatively,
      that an important reference in the text is bad? If they
      have, why is the problem allowed to remain?

   These last points don't have much to do with penetration testing,
but I think they help explain why I don't think this document is
useful for anyone except a fairly experienced tester.

   I look forward to the coming version 3.0 -- I trust it has fixed
much of what is unclear or incomplete about the 2.1 edition.

   Over and out,

-- 
Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63	
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
------------------------------------------------------------------------------
Internet Security Systems. - Keeping You Ahead of the Threat
When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology. 
http://www.securityfocus.com/sponsor/ISS_pen-test_041001
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:07 EDT