RE: An idiot question

From: Richard Zaluski (rzaluski@ivolution.ca)
Date: Tue Nov 02 2004 - 09:00:31 EST


I agree with Omar, the OSSTMM is a great resource and also allows a
'certified' pen test if sections are followed.

The OSSTMM is part of iVolution's Applied Penetration Testing Course Material
and is used throughout the course to show students the methodology behind a
Professional Security / Penetration Test. A Pen Test is NOT simply finding
the target and running tools. Tools and methodology go hand in hand. You
NEED a methodology and you NEED to understand how, when, where and what to
run in the way of tool sets to achieve the Methodology's expected results.

For those who do not understand the concepts of Penetration testing, the
OSSTMM is a 'guideline' for Penetration testing and is recognized in the
industry.

Our advice:
- Set up a test network.
- Test tools.
- Read all you can get your hands on about not just Pen Testing but Security
  Testing.
- A lot of your time will be in Research in the Security Testing Vulnerability
  arena.
- Apply those tools to achieve the expected results in the OSSTMM Sections.
- Sign up with online message boards that send you updates on exploits and
  vulnerabilities.
- Take a course if you can.

Also, some organizations have mentor / student programs which give you
access to someone you can bounce questions off and who can be a resource.

Just our 2 cents!

Richard Zaluski, CCNA, CRCP
CISO, Security and Infrastructure Services
iVolution Technologies Incorporated
905.309.1911
866.601.4678
905.524.8450 (Pager)
www.ivolution.ca
rzaluski@ivolution.ca
 

PGP Key-ID: 85544DB6
PGP Key fingerprint: 0CD3 FB61 EAF1 11CA 8EC4 513A 75F2 6FC0 8554
-----Original Message-----
From: Omar Prunera Dols [mailto:oprunera@salleURL.edu]
Sent: Thursday, October 28, 2004 11:13 AM
To: pen-test@securityfocus.com
Subject: RE: An idiot question

Hi all,

I totally agree with Todd with his definition of pen-testing (Pen-test is
like controlled hacking...), but when he says that there's no "exactly how
to do it manual", I would say that's not 100% correct. Have you ever
heard about OSSTMM? This is the Open Source Security Testing Methodology
Manual, and is not a "how to do manual" but is a good guideline to correctly
perform a security test.

I recommend you take a look at http://isecom.org and at the OSSTMM.

See you

On Tue, 26 Oct 2004, Todd Towles wrote:

> Run over to insecure.org and look at all the tools. Pen-test is like
> controlled hacking...there is no "exactly how to do it manual" and to
> tell you the truth, there really shouldn't be one.
>
> Read, read read....and then..do do do in a controlled world. Reading
> everything in sight can get you to the door with the information but
> only "doing" can step you into the other room.
>
> > -----Original Message-----
> > From: Profeta [mailto:profetago@bol.com.br]
> > Sent: Tuesday, October 26, 2004 10:31 AM
> > To: pen-test@securityfocus.com
> > Subject: An idiot question
> >
> > Are there some sites that give an arsenal of tools to realize
> > pen tests? I know that www.packetstormsecurity.nl is a good
> > start, but is there another site that is more specific for
> > downloading some tools? Thanks for the attention!
> >
> > Pr0ph3t
> >
> > --------------------------------------------------------------
> > ----------------
> > Internet Security Systems. - Keeping You Ahead of the Threat
> >
> > When business losses are measured in seconds, Internet
> > threats must be stopped before they impact your network. To
> > learn how Internet Security Systems keeps organizations ahead
> > of the threat with preemptive intrusion prevention, download
> > the new whitepaper, Defining the Rules of Preemptive
> > Protection, and end your reliance on reactive security technology.
> >
> > http://www.securityfocus.com/sponsor/ISS_pen-test_041001
> > --------------------------------------------------------------
> > -----------------
> >
> >
>
>
Sincerely,
-omar.
Omar Prunera i Dols
Networking Dept. - Security Area
Enginyeria i Arquitectura La Salle
Homepage: http://omar.squarespace.com
E-mail: oprunera@salleurl.edu
	omar@isecom.org
	omar@ideahamster.org
	oprunera@gmail.com




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:08 EDT