Re: Penetration Testing

[Keith Hartranft <kkh288 () LEHIGH EDU>]

Hello all,

We put a number of our folks through OSCP to learn techniques and
approaches and give them access to the labs last year. OSCP itself has a
"recommended process" but our documents are loosely based on the Pen Test
Standard docs which can be found at:

http://www.pentest-standard.org/index.php/Main_Page

We have several "governing documents" drafted. These include: Pen Test
Rules of Engagement, Definition of Pen Testing Scope, Pen Test Flowchart,
Pen Test Team Charter, and Signed Pen Test Authorization (Confidentiality)
forms. These are in draft form but I'd be happy to share with those forming
teams off-list.

We really started going beyond vulnerability assessment and really pen
testing our systems this year and both the discovery and dialogue it's
initiated between teams has been great. Not without some response and
communications "growing pains", but overall I believe it is driving a
furthering of our InfoSec maturity.

Thanks,

Keith

On Wed, May 31, 2017 at 12:17 PM, Barton, Robert W. <bartonrt () lewisu edu>
wrote:

> Bradley University has a class on penetration testing; they did a “red
> team” attack against an outside company.  The idea was to do outside and
> inside the following year (they had to get people on-board).  They did a
> presentation at ForenSecure this year.
>
>
>
> Robert W. Barton
>
> Director of Information Security
>
> Lewis University
>
> One University Parkway
>
> Romeoville, IL  60446-2200
>
> 815-836-5663 <(815)%20836-5663>
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *David Santos
> *Sent:* Wednesday, May 31, 2017 11:03 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Penetration Testing
>
>
>
> Hi All,
>
>
>
> We do one every couple years by an outside vendor but we would like to
> start doing more on our own; possibly every 6 months.  So, I’m looking for
> any penetration testing plans or the process used for conducting pen
> testing on your own. Any thoughts or ideas welcomed, thanks again.
>
>
>
> Looking forward to your responses.
>
>
>
> Have a Great Day!
>
>
>
> David Santos
>
> IT Security & Helpdesk Manager,
>
> Information Technology
>
>
>
>
>
> Felician University
>
> 262 South Main Street
>
> Lodi, NJ 07644
>
> P: 201-559-6075 <(201)%20559-6075>
>
> www.felician.edu
>
>
>
>
> ______________________________________________________________________
> This outgoing email has been scanned by the MessageLabs Email Security
> System for Felician University.
> _____________________________________________________________________
>
> This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone at
> (815)-836-5950 <(815)%20836-5950> and (i) destroy this message if a
> facsimile or (ii) delete this message immediately if this is an electronic
> communication. Thank you.



-- 

*Keith K Hartranft, CISSP, CISM, PCI-DSS ISA & PCIP*
*Chief Information Security Officer*

*Lehigh University610-758-3994*