RE: Penetration testing scope/outline

From: Chuck Fullerton (chuckf69@ceinetworks.com)
Date: Thu Oct 07 2004 - 10:43:46 EDT


The original question was "Anyone have any documents they are willing to
share on the scope of work for a pen-test?"

When we get these questions each of us must take into account certain
assumptions. I personally like to give the benefit of the doubt. If the
person doesn't come right out and say they are new to Security, then I
assume that they have an idea of what they are doing and just need a little
help.

The main reason why I don't like posting questions on groups like these is
because many people like to "show their knowledge" and write books on these
groups.

It is very important that we, as posters to the group, read the entire
question and answer the question at hand, not write entire security classes
for people who may not need the info.

Ok.. Off my soap box..

You started off by asking if I was talking about 3.0. That I was. Anyone
who is serious about any type of security testing should be getting as much
information as possible about these methodologies. Even if we have to fork
out some cash to get the latest and greatest.

No not do so is amatuerish.

Sincerely,

Chuck Fullerton

-----Original Message-----
From: Anders Thulin [mailto:Anders.Thulin@tietoenator.com]
Sent: Thursday, October 07, 2004 3:17 AM
To: pen-test@securityfocus.com
Cc: Chuck Fullerton
Subject: Re: Penetration testing scope/outline

Chuck Fullerton wrote:

> The OSSTMM stands for the "Open Source Security TESTING Methodology
Manual".
> To say that it's not a pen testing method is simply incorrect. This is a
> Full methodology for ALL TYPES of Security Testing, Pen testing is a type
of
> Security Testing.

  I have no quarrel with your last statement, but I am not at all
certain that the OSSTMM agrees. (Now, I'm looking only at the
2.1 version, as that is what is available -- you may be arguing
from the soon-to-come 3.0 version which hasn't been generally
released yet.)

   The simplest way to check it is probably just to look to what
extent the text refers to penetration testing, and how the basic
methodology is modified (or not) to that particular type of test.

   The foreword seems reasonably clear that methodical security
testing is different, and presumably also preferrable to penetration
testing. So the document makes a distinction, and one that implies
that penetration testing lacks in method.

   Q: Is this the kind of document I would hand to someone asking
      about penetration testing? No. Perhaps the tenth, but not the
      first.

   Apart from the foreword, penetration testing is mentioned only rarely.
This may be becuase the text distinguishes 'penetration testing' and
'ethical hacking', but on the other hand, ethical hacking is not
treated in any greater detail, either.

   So how *does* this text apply to pen-testing? It doesn't say.
I had expected a section somewhere explaining how the basic
methodology could be modified for various testing scenarios.

   Q: What will someone asking for information about pen-testing
   in particular get out of this document?

   As far as I can make out, only that it's not the right question.
(And that is correct, in one context: that of the experienced tester.)

   So what does it say? Section C (Internet Technology Security)
is the chapter that most pen-testers would turn to first. It begins
on page 42, and already on page 44 I'm flabbergasted. (For those
of you who don't have the manual handy, that page says INCOMPLETE
in 72 point capitals. There's no explanation of if it is importantly
incomplete or not. Just incomplete. And this is not the only place
where the text makes this statement.

   Q. Why point anyone to a document that clearly isn't complete?

   Assuming it's not importantly incomplete (even though I can't
test that assumption) ...

   Module 3 in the same section is fairly important, as it describes
the footprinting and port scanning of a target. Unfortunately, it
does not explain the motivation for doing all this. Why do a XMAS
scan, with fragmented packets, in reverse? And how useful is that?
The manual explicitly leaves all analysis of collected informstion
to the tester, so perhaps I'm asking for something outside the
scope of the text. But then that, again, may be an indication that
this text is not for the beginner.

   Q. When I ask a OSSTMM tester what he's doing this particular type
   of scan should he be able to reply cogently? Or will he just say,
   "I'm doing Item 11 in Module 3 in Section C. Well, I just got to."

   Experienced testers can rely on their experience to understand what
use and utility a particular module is. But they already know
about pen-testing.

   And apropos Item 11 in Module 3 in Section C -- it says I should
refer to Appendix B for the ports to be scanned in this manner.

   Q. Appendix B? Where is that? Not in this document.

   Q. The document was issued more than a year ago. Has really
      noone noted that appendix B is missing or, alternatively,
      that an important reference in the text is bad? If they
      have, why is the problem allowed to remain?

   These last points don't have much to do with penetration testing,
but I think they help explain why I don't think this document is
useful for anyone except a fairly experienced tester.

   I look forward to the coming version 3.0 -- I trust it has fixed
much of what is unclear or incomplete about the 2.1 edition.

   Over and out,

--
Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
------------------------------------------------------------------------------
Internet Security Systems. - Keeping You Ahead of the Threat
When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology. 
http://www.securityfocus.com/sponsor/ISS_pen-test_041001
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:07 EDT