Educause Security Discussion mailing list archives
Re: Penetration Testing
From: Keith Hartranft <kkh288 () LEHIGH EDU>
Date: Wed, 31 May 2017 12:48:43 -0400
Hello all,

We put a number of our folks through OSCP to learn techniques and approaches and give them access to the labs last year. OSCP itself has a "recommended process" but our documents are loosely based on the Pen Test Standard docs which can be found at: http://www.pentest-standard.org/index.php/Main_Page

We have several "governing documents" drafted. These include: Pen Test Rules of Engagement, Definition of Pen Testing Scope, Pen Test Flowchart, Pen Test Team Charter, and Signed Pen Test Authorization (Confidentiality) forms. These are in draft form but I'd be happy to share with those forming teams off-list.

We really started going beyond vulnerability assessment and really pen testing our systems this year and both the discovery and dialogue it's initiated between teams has been great. Not without some response and communications "growing pains", but overall I believe it is driving a furthering of our InfoSec maturity.

Thanks,
Keith

On Wed, May 31, 2017 at 12:17 PM, Barton, Robert W. <bartonrt () lewisu edu> wrote:
Bradley University has a class on penetration testing; they did a “red team” attack against an outside company. The idea was to do outside and inside the following year (they had to get people on-board). They did a presentation at ForenSecure this year.

Robert W. Barton
Director of Information Security
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Santos
Sent: Wednesday, May 31, 2017 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Penetration Testing

Hi All,

We do one every couple years by an outside vendor but we would like to start doing more on our own; possibly every 6 months. So, I’m looking for any penetration testing plans or the process used for conducting pen testing on your own. Any thoughts or ideas welcomed, thanks again. Looking forward to your responses.

Have a Great Day!

David Santos
IT Security & Helpdesk Manager, Information Technology
Felician University
262 South Main Street
Lodi, NJ 07644
P: 201-559-6075
www.felician.edu
--
Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP
Chief Information Security Officer
Lehigh University
610-758-3994