RE: Papers prior to pen-test

From: Steve Armstrong (stevearmstrong@logicallysecure.com)
Date: Tue Sep 19 2006 - 18:58:03 EDT


Maxime

You may have seen my post several weeks ago about a Vulnerability
Analysis methodology. We are about 1 week from a release - version 0.2,
so still a 'rough work in progress' but hopefully a nod in the right
direction. We rely upon checklists to ensure work is conducted
correctly, and often have embedded checklists.

Although slightly messed up format wise (for plain text) here is the
table for the pre testing analysis of the network before the Tester
starts the VA/Pen Testing: I have posted this
(http://www.logicallysecure.com/forum/viewtopic.php?p=432) and other
snippets on the VAOST development part of our forum - constructive
comment is always welcome. :-)
(http://www.logicallysecure.com/forum/viewforum.php?f=30 )

1 Non Disclosure Agreement (NDA)
        To protect both tester and client

2 Contract to Test
        A summary version (usually without pricing information) should
        be given to the Tester so they can carry it around when Testing
        should they be challenged (this saves tester time)

3 Logical Map (and Checklist)
        The Checklists are so the Tester is confident that all aspects
        of the system have been mapped at the various levels

4 Network Map (and Checklist)
        The Checklists are so the Tester is confident that all aspects
        of the system have been mapped at the various levels

5 Data and Information flow Map (and Checklist)
        The Checklists are so the Tester is confident that all aspects
        of the system have been mapped at the various levels

6 Background Information Form
        This is to allow the Tester to understand some of the details
        discovered in Stage 1

7 Barrier to Risk Table
        So the tester can understand what they need to have to gain
        access to data or information on target systems

8 Permission to Test from defined points
        A list of points the Tester is authorized to test.

9 List of tests that should be performed
        This list is taken from the Master Test List

10 List of areas of interest and specially requested tests (from
   Analyst)
        What the analyst has identified as being of interest or weak

11 Identify the Killer Questions
        The points that the client is really looking to get answered.
        The tester must be aware of these so the Stage 3 report
        generation has a clear answer and these can be clearly placed
        in the report

12 Time Frame, IP Addresses and user accounts (as required)
        So internal can be informed to not alert on the attacks and
        unusual traffic generated for the duration of the test

13 Point of Contact for incidents
        So critical vulnerabilities or discovered evidence of attacks
        can be reported quickly

14 Point of Contact for Net access and support
        So the tester can contact the SysAdmin to gain access to the
        various parts of the network quickly.

15 Previous VAOST Stage 3 report (if one exists)
        So the tester can check if previous problems have been addressed
        and to reduce testing time.

Like I said this is a v0.2 draft so please chip in if I have missed
anything - the VAOST will be an open source document (once I finish
spell checking it!)

Steve A
(nebs)

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Maxime Ducharme
Sent: 19 September 2006 16:47
To: pen-test@securityfocus.com
Subject: Papers prior to pen-test

Hello guys

I'm looking for examples of a kind of "contract" prior
to a pen-test, I mean writing down responsibilities
for each party before doing a pen-test in case anything
goes wrong.

Any ideas ?

TIA
 
Maxime Ducharme

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:59 EDT