RE: An idiot question

["Richard Zaluski" <rzaluski () ivolution ca>]

I agree with Omar, the OSSTMM is a great resource and also allows a
'certified' pen test if sections are followed. 

The OSSTMM is part of iVolutions Applied Penetration Testing Course Material
and is used throughout the course to show students methodology behind a
Professional Security / Penetration Test. A Pen Test is NOT simply finding
the target and running tools. Tools and methodology go hand in hand.  You
NEED a methodology and you NEED to understand how, when, where and what to
run in the way of tool sets to achieve the Methodologies expected results.

For those who do not understand the concepts of Penetration testing the
OSSTMM is a 'guideline' for Penetration testing and is recognized in the
industry.  

Our advice :  
Setup a test network
Test tools.
Read all you can get your hands on about not just Pen Testing but Security
Testing
A lot of your time will be in Research in the Security Testing Vulnerability
arena.
Apply those tools to achieve the expected results in the OSSTMM Sections
Sign up with online message boards that send you updates on exploits and
vulnerabilities.
Take a course if you can.

Also some organizations have mentor / student programs in which gives you
access to someone you can bounce questions off and be a resource.

Just our 2 cents!



Richard Zaluski, CCNA, CRCP
CISO, Security and Infrastructure Services 
iVolution Technologies Incoporated
905.309.1911
866.601.4678
905.524.8450 (Pager)
www.ivolution.ca
rzaluski () ivolution ca
 

=======================================================================
=== CONFIDENTIALITY NOTICE: This email message, including any 
attachments, is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information. If you are not the 
intended recipient, please contact the sender. Any unauthorized review, 
use, disclosure, or distribution is prohibited.
=======================================================================
===
 
PGP Key-ID: 85544DB6
PGP Key fingerprint: 0CD3 FB61 EAF1 11CA 8EC4  513A 75F2 6FC0 8554
-----Original Message-----
From: Omar Prunera Dols [mailto:oprunera () salleURL edu] 
Sent: Thursday, October 28, 2004 11:13 AM
To: pen-test () securityfocus com
Subject: RE: An idiot question

Hi all,

I totally agree with Todd with his definition of pen-testing (Pen-test is
like controlled hacking...), but when he says that there's no "exactly how
to do it manual", i would say that's not 100% correct. Have your ever
heard about OSSTMM?. This is the Open Source Security Testing Methodology
Manual, and is not a "how to do manual" but is a good guideline to perform
correctly a security test.

I recommend you to take a look at http://isecom.org and to the OSSTMM

See you



On Tue, 26 Oct 2004, Todd Towles wrote:

> Run over to insecure.org and look at all the tools. Pen-test is like
> controlled hacking...there is no "exactly how to do it manual" and to
> tell you the truth, there really shouldn't be one.
>
> Read, read read....and then..do do do in a controlled world. Reading
> everything in sight can get you to the door with the information but
> only "doing" can step you into the other room.
>
> > -----Original Message-----
> > From: Profeta [mailto:profetago () bol com br]
> > Sent: Tuesday, October 26, 2004 10:31 AM
> > To: pen-test () securityfocus com
> > Subject: An idiot question
> >
> > Is there some sites that given an arsenal of tools to realize
> > pen tests ? I know that www.packetstormsecurity.nl is a good
> > start, but, there is another site that is more expecific to
> > download some tools ? Thanks the attention!
> >
> > Pr0ph3t
> >
> > --------------------------------------------------------------
> > ----------------
> > Internet Security Systems. - Keeping You Ahead of the Threat
> >
> > When business losses are measured in seconds, Internet
> > threats must be stopped before they impact your network. To
> > learn how Internet Security Systems keeps organizations ahead
> > of the threat with preemptive intrusion prevention, download
> > the new whitepaper, Defining the Rules of Preemptive
> > Protection, and end your reliance on reactive security technology.
> >
> > http://www.securityfocus.com/sponsor/ISS_pen-test_041001
> > --------------------------------------------------------------
> > -----------------
----------------------------------------------------------------------------
--
> Internet Security Systems. - Keeping You Ahead of the Threat
>
> When business losses are measured in seconds, Internet threats must be
stopped before they impact your network. To learn how Internet Security
Systems keeps organizations ahead of the threat with preemptive intrusion
prevention, download the new whitepaper, Defining the Rules of Preemptive
Protection, and end your reliance on reactive security technology.
> http://www.securityfocus.com/sponsor/ISS_pen-test_041001
----------------------------------------------------------------------------
---
>

Sincerely,
-omar.

Omar Prunera i Dols

Networking Dept. - Security Area
Enginyeria i Arquitectura La Salle

Homepage: http://omar.squarespace.com
E-mail: oprunera () salleurl edu
        omar () isecom org
        omar () ideahamster org
        oprunera () gmail com

Attachment: rzaluski@ivolution.ca (rzaluski@ivolution.ca).vcf
Description: