Penetration testing methodologies - Revision history

Tony Hsu HsiangChih at 03:27, 20 February 2019

2019-02-20T03:27:44Z

Tony Hsu HsiangChih at 03:12, 20 February 2019

2019-02-20T03:12:09Z

Tony Hsu HsiangChih: /* Information Systems Security Assessment Framework (ISSAF) */

2019-02-20T02:52:16Z

‎Information Systems Security Assessment Framework (ISSAF)

Tony Hsu HsiangChih: /* Information Systems Security Assessment Framework (ISSAF) */

2016-04-02T01:06:03Z

‎Information Systems Security Assessment Framework (ISSAF)

Tony Hsu HsiangChih: /* Penetration Testing Framework */

2016-04-01T23:38:45Z

‎Penetration Testing Framework

Tony Hsu HsiangChih: /* Penetration Testing Framework */

2016-04-01T23:38:25Z

‎Penetration Testing Framework

Tony Hsu HsiangChih: /* PCI Penetration testing guide */

2016-04-01T23:32:28Z

‎PCI Penetration testing guide

Tony Hsu HsiangChih: /* PCI DSS Penetration Testing Requirements */

2016-04-01T23:09:31Z

‎PCI DSS Penetration Testing Requirements

Tony Hsu HsiangChih: /* PCI Penetration testing guide */

2016-04-01T23:08:45Z

‎PCI Penetration testing guide

Tony Hsu HsiangChih: /* Reference */

2016-04-01T23:04:39Z

‎Reference

@@ Line 7: / Line 7: @@
 * Information Systems Security Assessment Framework (ISSAF)
 * Open Source Security Testing Methodology Manual (“OSSTMM”)
 == Penetration Testing Execution Standard (PTES) ==
@@ Line 138: / Line 140: @@
 == FedRAMP Penetration Test Guidance ==
 To be updated
 == Reference ==
@@ Line 154: / Line 158: @@
 * https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf
 * https://www.fedramp.gov/assets/resources/documents/CSP_Penetration_Test_Guidance.pdf

@@ Line 19: / Line 19: @@
 * Reporting
-Instead of simply methodology or process, PTES also provides hands-on technical guidelines for what/how to test, rationale of testing and recommended testing tools and usage.
+Instead of simply methodology or process, PTES also provides hands-on technical guidelines for what/how to test, the rationale of testing and recommended testing tools and usage.
 http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
@@ Line 69: / Line 69: @@
 == Information Systems Security Assessment Framework (ISSAF) ==
-The ISSAF is a very good reference source of penetration testing though Information Systems Security Assessment Framework (ISSAF) which is not an active community. It provides comprehensive step-by-step penetration testing technical guidances.
+The ISSAF is a very good reference source of penetration testing though Information Systems Security Assessment Framework (ISSAF) which is not an active community. It provides comprehensive step-by-step penetration testing technical guidance.
 The ISSAF penetration testing guide can be downloaded here. https://sourceforge.net/projects/isstf/
@@ Line 135: / Line 135: @@
 ** Compliance Regulations
 ** Reporting with the STAR (Security Test Audit Report)
 == Reference ==
@@ Line 150: / Line 153: @@
 * https://sourceforge.net/projects/isstf/files/issaf%20document/issaf0.1/
 * https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf

@@ Line 69: / Line 69: @@
 == Information Systems Security Assessment Framework (ISSAF) ==
-The ISSAF is a very good reference source of penetration testing though Information Systems Security Assessment Framework (ISSAF) is not an active community. It provides comprehensive penetration testing technical guidance. It covers the area below.
+The ISSAF is a very good reference source of penetration testing though Information Systems Security Assessment Framework (ISSAF) which is not an active community. It provides comprehensive step-by-step penetration testing technical guidances.
 * Project Management
 * Guidelines And Best Practices – Pre Assessment, Assessment And Post Assessment

← Older revision		Revision as of 01:06, 2 April 2016
Line 68:		Line 68:

	== Information Systems Security Assessment Framework (ISSAF) ==		== Information Systems Security Assessment Framework (ISSAF) ==
		+
		+	The ISSAF is a very good reference source of penetration testing though Information Systems Security Assessment Framework (ISSAF) is not an active community. It provides comprehensive penetration testing technical guidance. It covers the area below.
		+
		+
		+	* Project Management
		+	* Guidelines And Best Practices – Pre Assessment, Assessment And Post Assessment
		+	* Assessment Methodology
		+	* Review Of Information Security Policy And Security Organization
		+	* Evaluation Of Risk Assessment Methodology
		+	* Technical Control Assessment
		+	* Technical Control Assessment - Methodology
		+	* Password Security
		+	* Password Cracking Strategies
		+	* Unix /Linux System Security Assessment
		+	* Windows System Security Assessment
		+	* Novell Netware Security Assessment
		+	* Database Security Assessment
		+	* Wireless Security Assessment
		+	* Switch Security Assessment
		+	* Router Security Assessment
		+	* Firewall Security Assessment
		+	* Intrusion Detection System Security Assessment
		+	* VPN Security Assessment
		+	* Anti-Virus System Security Assessment And Management Strategy
		+	* Web Application Security Assessment
		+	* Storage Area Network (San) Security
		+	* Internet User Security
		+	* As 400 Security
		+	* Source Code Auditing
		+	* Binary Auditing
		+	* Social Engineering
		+	* Physical Security Assessment
		+	* Incident Analysis
		+	* Review Of Logging / Monitoring & Auditing Processes
		+	* Business Continuity Planning And Disaster Recovery
		+	* Security Awareness And Training
		+	* Outsourcing Security Concerns
		+	* Knowledge Base
		+	* Legal Aspects Of Security Assessment Projects
		+	* Non-Disclosure Agreement (NDA)
		+	* Security Assessment Contract
		+	* Request For Proposal Template
		+	* Desktop Security Check-List - Windows
		+	* Linux Security Check-List
		+	* Solaris Operating System Security Check-List
		+	* Default Ports - Firewall
		+	* Default Ports – IDS/IPS
		+	* Links
		+	* Penetration Testing Lab Design

	== Open Source Security Testing Methodology Manual (OSSTMM) ==		== Open Source Security Testing Methodology Manual (OSSTMM) ==

@@ Line 63: / Line 63: @@
 * Final Report - template
-* http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
+http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
 == Technical Guide to Information Security Testing and Assessment (NIST800-115)==

← Older revision		Revision as of 23:38, 1 April 2016
Line 45:		Line 45:

	== Penetration Testing Framework ==		== Penetration Testing Framework ==
		+	The Penetration testing framework provides very comprehensive hands-on penetration testing guide. It also list usage of the testing tools in each testing category. The major area of penetration testing includes -
		+
		+	* Network Footprinting (Reconnaissance)
		+	* Discovery & Probing
		+	* Enumeration
		+	* Password cracking
		+	* Vulnerability Assessment
		+	* AS/400 Auditing
		+	* Bluetooth Specific Testing
		+	* Cisco Specific Testing
		+	* Citrix Specific Testing
		+	* Network Backbone
		+	* Server Specific Tests
		+	* VoIP Security
		+	* Wireless Penetration
		+	* Physical Security
		+	* Final Report - template
		+
		+	* http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

	== Technical Guide to Information Security Testing and Assessment (NIST800-115)==		== Technical Guide to Information Security Testing and Assessment (NIST800-115)==

@@ Line 27: / Line 27: @@
 PCI also defines Penetration Testing Guidance.
 === PCI DSS Penetration Testing Requirements ===
+The PCI DSS requirement refer to Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3
 * Based on industry-accepted approaches
 * Coverage for CDE and critical systems

@@ Line 31: / Line 31: @@
 === PCI DSS Penetration Testing Requirements ===
-* Based on industry-accepted approaches 3.1, 4.4, 5.1.1, 5.1.2, 5.2
+* Based on industry-accepted approaches
-* Coverage for CDE and critical systems 2.2, 2.2.1, 4.1.1
+* Coverage for CDE and critical systems
-* Includes external and internal testing 2.2
+* Includes external and internal testing
-* Test to validate scope reduction 2.2
+* Test to validate scope reduction
-* Application-layer testing 2.3, 4.2.1
+* Application-layer testing
-* Network-layer tests for network and OS 2.3, 4.2.2
+* Network-layer tests for network and OS
 == Penetration Testing Framework ==

← Older revision		Revision as of 23:08, 1 April 2016
Line 24:		Line 24:

	== PCI Penetration testing guide ==		== PCI Penetration testing guide ==
		+	Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 defines the penetration testing.
		+	PCI also defines Penetration Testing Guidance.
		+
		+
		+
		+	=== PCI DSS Penetration Testing Requirements ===
		+
		+	* Based on industry-accepted approaches 3.1, 4.4, 5.1.1, 5.1.2, 5.2
		+	* Coverage for CDE and critical systems 2.2, 2.2.1, 4.1.1
		+	* Includes external and internal testing 2.2
		+	* Test to validate scope reduction 2.2
		+	* Application-layer testing 2.3, 4.2.1
		+	* Network-layer tests for network and OS 2.3, 4.2.2

	== Penetration Testing Framework ==		== Penetration Testing Framework ==

← Older revision		Revision as of 23:04, 1 April 2016
Line 60:		Line 60:
	* https://sourceforge.net/projects/isstf/		* https://sourceforge.net/projects/isstf/
	* https://sourceforge.net/projects/isstf/files/issaf%20document/issaf0.1/		* https://sourceforge.net/projects/isstf/files/issaf%20document/issaf0.1/
		+	* https://www.pcisecuritystandards.org/pdfs/infosupp_11_3_penetration_testing.pdf