Welcome to Scribd!

12 Penetration Testing Guidance

Uploaded by

0% found this document useful (0 votes)

5 views30 pages

The document provides guidance on penetration testing. It discusses what penetration testing is, why organizations do penetration testing, different attack vectors and scoping, common approaches and methodologies like the Penetration Testing Execution Standard (PTES), common tools used in penetration testing, how penetration testing relates to compliance requirements, and the importance of policies and procedures around penetration testing. The presentation concludes by encouraging organizations to conduct penetration testing on themselves before attackers have the chance.

Original Description:

Original Title

12_Penetration_Testing_Guidance

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

5 views30 pages

12 Penetration Testing Guidance

Uploaded by

rirob51088

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 30

Search inside document

Penetration Testing Guidance

Andreas Bohman

CISO at Central Washington University

Central Washington University
Ellensburg, WA
• 10,250 students
• Eight state-wide campuses
• 150 Majors & 11 Varsity Teams
• 2,500 graduates each year
• Great Northwest Athletic Conference – NCAA DIV II
Agenda
• Setting the Stage
• What is Penetration Testing?
• Why Penetration Testing?
• Attack Vectors and Scoping
• Approach and Methodology
• Tools of the Trade
• Compliance vs. Business Risk
• Policies and Procedures
• Conclusion
What will this technical track
session
sessionnot
teach
teach
you?
you?
Images: Vårdförbundet, Viking Electronics, and Engadget.com
What is Penetration Testing?

“Penetration testing is security testing in

which assessors mimic real-world
attacks to identify methods for
circumventing the security features of an
application, system, or network.”

- NIST SP 800-115
Why Do Penetration Testing?

“The intent of a penetration test is to

simulate a real-world attack situation
with a goal of identifying how far an
attacker would be able to penetrate into
an environment.”

- PCI DSS v3.0

VIDEO
What is Penetration Testing?

Port Scanning Vulnerability Assessment

Image: Wikimedia Commons
Why Penetration Test?

Data Breach Establish Baseline

Images: Flickr Creative Commons and Wikimedia Commons

Why Penetration Test?

Security Controls Compliance

Images: Flickr Creative Commons and Wikimedia Commons
Attack Vectors and Scoping
Attack Vectors and Scoping
Approach and Methodology

NIST 800-115

Penetration Testing
Execution Standard (PTES)
Approach and Methodology

NIST 800-115

Image: National Institute of Standards and Technology (NIST), SP 800-115

Approach and Methodology

NIST 800-115

Image: National Institute of Standards and Technology (NIST), SP 800-115

Approach and Methodology

Penetration Testing Execution Standard (PTES)

1. Pre-Engagement Interactions 5. Exploitation

2. Intelligence Gathering 6. Post Exploitation
3. Threat Modeling 7. Reporting
4. Vulnerability Analysis
Approach and Methodology

In-House vs. Outsourced

Images: Flickr Creative Commons and TrustedSec

Approach and Methodology

Covert vs. Overt

Images: Flickr Creative Commons and Wikimedia Commons

Approach and Methodology

Internal vs. External

Images: Brisk Info Sec

Tools of the Trade
Tools of the Trade

Penetration Testing Execution Standard (PTES)

1. Pre-Engagement Interactions 5. Exploitation

2. Intelligence Gathering 6. Post Exploitation
3. Threat Modeling 7. Reporting
4. Vulnerability Analysis
Payment Card Industry
Data Security Standard
(PCI DSS)
Requirement 11.3: Implement a
methodology for penetration testing
June 30, 2015
Policies and Procedures

Images: College of Coastal Georgia

Hack yourself…

…before the attackers do!

Designing and Building Security Operations Center
From Everand
Designing and Building Security Operations Center
David Nathans
Rating: 3 out of 5 stars
3/5 (3)
Integration For Microsoft Active Directory Federated Services (Ad FS) White Paper For Onbase 14 and Higher
Document81 pages
Integration For Microsoft Active Directory Federated Services (Ad FS) White Paper For Onbase 14 and Higher
Vivek Kumar
No ratings yet
Jack MacLean Secrets of A Superthief
Document100 pages
Jack MacLean Secrets of A Superthief
api-3777781
82% (11)
CISSP® Study Guide
From Everand
CISSP® Study Guide
Joshua Feldman
Rating: 3 out of 5 stars
3/5 (1)
Rapid7 Penetration Testing Services Brief
Document2 pages
Rapid7 Penetration Testing Services Brief
ellococareloco
No ratings yet
RSL Network Pentest Sample Report
Document49 pages
RSL Network Pentest Sample Report
Anonymous 9ZfLLXO
0% (1)
ALM Octane Installation Guide For Windows
Document96 pages
ALM Octane Installation Guide For Windows
zeljkob
No ratings yet
Safety and Security in Hospitality Industry
Document2 pages
Safety and Security in Hospitality Industry
Md. Mamun Hasan Biddut
0% (1)
Ira Hada Tharu Mada PDF
Document101 pages
Ira Hada Tharu Mada PDF
K S Kumara
No ratings yet
Pentesting Model
Document8 pages
Pentesting Model
Joe Doe
No ratings yet
Chapter 1 Introduction To Vulnerability Assessment and Penetration Testing
Document29 pages
Chapter 1 Introduction To Vulnerability Assessment and Penetration Testing
CHI QING LIM
No ratings yet
Pentest Methodologies
Document19 pages
Pentest Methodologies
OscarPerez
No ratings yet
Vulnerability Assessment and Penetration Testing IJERTV10IS050111
Document6 pages
Vulnerability Assessment and Penetration Testing IJERTV10IS050111
Vamsi Krishna
No ratings yet
Pentest - 101 by Matthias Vallentin
Document10 pages
Pentest - 101 by Matthias Vallentin
Andres Valarezo
No ratings yet
Bai 1-2-Tong Quan ATTT-2
Document30 pages
Bai 1-2-Tong Quan ATTT-2
Phạm Loan
No ratings yet
2004 12 03 Larry Clinton Philadelphia Presentation About ISA and Coherent Program of Cyber Security Through Incentives
Document35 pages
2004 12 03 Larry Clinton Philadelphia Presentation About ISA and Coherent Program of Cyber Security Through Incentives
isalliance
No ratings yet
Rapid7 Penetration Testing Services Brief PDF
Document2 pages
Rapid7 Penetration Testing Services Brief PDF
ellococareloco
No ratings yet
Research Plan
Document6 pages
Research Plan
Prince Opoku
No ratings yet
Analyzing and Implementing of Network Penetration Testing
Document48 pages
Analyzing and Implementing of Network Penetration Testing
Engr. Md Yusuf Miah
No ratings yet
CS549: Cryptography and Network Security: © by Xiang-Yang Li Department of Computer Science, IIT
Document82 pages
CS549: Cryptography and Network Security: © by Xiang-Yang Li Department of Computer Science, IIT
aishuvc1822
No ratings yet
Rapid7 Penetration Testing Service Brief
Document2 pages
Rapid7 Penetration Testing Service Brief
toneranger
No ratings yet
Labs PenTesting Fundamentals Coalfire
Document38 pages
Labs PenTesting Fundamentals Coalfire
kingnachi
No ratings yet
Cyber Law and Security
Document16 pages
Cyber Law and Security
Abhishek Singh
No ratings yet
Penetration Testing Frameworks and Methodologies - A Comparison An
Document109 pages
Penetration Testing Frameworks and Methodologies - A Comparison An
danielasirakova579
No ratings yet
Network Security Fundamentals
Document41 pages
Network Security Fundamentals
Marco Lopez Reinoso
No ratings yet
CEHday 1
Document121 pages
CEHday 1
Yo Yo
No ratings yet
(IJCST-V7I3P25) :Dr.K.Sai Manoj, Ms. K. Mrudula, Mrs G.Maanasa, Prof.K.Phani Srinivas
Document5 pages
(IJCST-V7I3P25) :Dr.K.Sai Manoj, Ms. K. Mrudula, Mrs G.Maanasa, Prof.K.Phani Srinivas
EighthSenseGroup
No ratings yet
Ty Btech Trimester-Viii (Ay 2019-2020) Computer Science and Engineering
Document105 pages
Ty Btech Trimester-Viii (Ay 2019-2020) Computer Science and Engineering
Djsjsb
No ratings yet
Training Penetration Testing: Menu Training IT Training IT
Document4 pages
Training Penetration Testing: Menu Training IT Training IT
Belajar K3L
No ratings yet
CCNA Security: Chapter One Modern Network Security Threats
Document76 pages
CCNA Security: Chapter One Modern Network Security Threats
gopinathkarangula
No ratings yet
Cyber Security Lesson 2
Document26 pages
Cyber Security Lesson 2
Ushna Abrar
No ratings yet
Unit7 CareerPrep FeedbackForm
Document3 pages
Unit7 CareerPrep FeedbackForm
rhlbhgt13
No ratings yet
CISSP Exam Outline English April 2021 PDF
Document16 pages
CISSP Exam Outline English April 2021 PDF
Kevin Monkam
No ratings yet
CBTS Penetration Testing Security IFS 230223
Document2 pages
CBTS Penetration Testing Security IFS 230223
adminak
No ratings yet
Certification Study Guide - CC by Kevin Henry
Document37 pages
Certification Study Guide - CC by Kevin Henry
R Nil
No ratings yet
Quiz 1
Document2 pages
Quiz 1
GAME MUCCI
No ratings yet
Course: Information Security Management in E-Governance
Document53 pages
Course: Information Security Management in E-Governance
h
No ratings yet
AUDCIS Information Security
Document21 pages
AUDCIS Information Security
Bea Garcia
No ratings yet
CC Certified in Cybersecurity All in One Exam Guide Steven Bennett Full Chapter
Document51 pages
CC Certified in Cybersecurity All in One Exam Guide Steven Bennett Full Chapter
darrell.pace172
100% (18)
CC Certified in Cybersecurity All in One Exam Guide Steven Bennett Full Chapter
Document67 pages
CC Certified in Cybersecurity All in One Exam Guide Steven Bennett Full Chapter
rose.kim993
100% (2)
Certified Penetration Tester
Document14 pages
Certified Penetration Tester
Evangal jekson
No ratings yet
Week 2 Slides - PowerPoint
Document18 pages
Week 2 Slides - PowerPoint
Aditya
No ratings yet
CEHv11 Outline Condensed
Document4 pages
CEHv11 Outline Condensed
uzochukwue953
No ratings yet
Penetration Test Process and Types Facts
Document5 pages
Penetration Test Process and Types Facts
Kimberly Pineda
No ratings yet
Information Security Analysis and Audit
Document23 pages
Information Security Analysis and Audit
Divyesh yadav
No ratings yet
Lecture2 Intro (Part-II)
Document42 pages
Lecture2 Intro (Part-II)
Love Gates
No ratings yet
Certified Penetration Tester
Document14 pages
Certified Penetration Tester
Evangal jekson
No ratings yet
Identity and Access Management With Cybersecurity
Document17 pages
Identity and Access Management With Cybersecurity
Sathiya
No ratings yet
Pentest+ Exam Pass: Penetration Testing And Vulnerability Management For Cybersecurity Professionals
From Everand
Pentest+ Exam Pass: Penetration Testing And Vulnerability Management For Cybersecurity Professionals
Rob Botwright
No ratings yet
CSE3501 - INFORMATION-SECURITY-ANALYSIS-AND-AUDIT - ETH - 1.0 - 62 - CSE3501 Information Security Analysis and Audit
Document3 pages
CSE3501 - INFORMATION-SECURITY-ANALYSIS-AND-AUDIT - ETH - 1.0 - 62 - CSE3501 Information Security Analysis and Audit
Sukriti Jaitly
100% (1)
Ty Btech Trimester-Viii (Ay 2019-2020) Computer Science and Engineering
Document105 pages
Ty Btech Trimester-Viii (Ay 2019-2020) Computer Science and Engineering
Djsjsb
No ratings yet
Irjet V6i893
Document5 pages
Irjet V6i893
Ofrates Siringan
No ratings yet
SYLLABUS
Document3 pages
SYLLABUS
Laugh For Fun
No ratings yet
Data Security
Document200 pages
Data Security
baselkhateeb
No ratings yet
2incident Management
Document54 pages
2incident Management
Jaico Dictaan
No ratings yet
Why Do A Penetration Test?
Document7 pages
Why Do A Penetration Test?
Tanayy
No ratings yet
Ethical Hacking and Countermeas - by International Council of Ele PDF
Document1,304 pages
Ethical Hacking and Countermeas - by International Council of Ele PDF
Xade Eulor
100% (1)
Pentester and Network Security For A Secure Modern Society
Document8 pages
Pentester and Network Security For A Secure Modern Society
Ofrates Siringan
No ratings yet
Cissp Week
Document159 pages
Cissp Week
rcb023
100% (1)
PTPand M1 ST Edi
Document9 pages
PTPand M1 ST Edi
Maqsood Alam
No ratings yet
Pradhyumn Dvivedi
Document32 pages
Pradhyumn Dvivedi
Shashwat Jain
No ratings yet
Assessment Presentation: Fundamentals of Information Systems Security
Document24 pages
Assessment Presentation: Fundamentals of Information Systems Security
Brandon Dean
No ratings yet
Assessment Report:: Internal Network Penetration Test Internal Network Penetration Test
Document49 pages
Assessment Report:: Internal Network Penetration Test Internal Network Penetration Test
mouja
No ratings yet
The Professional Hackers Blueprint
Document73 pages
The Professional Hackers Blueprint
Sikander Shahid
No ratings yet
Course Overview: This Course Provides In-Depth Coverage of The Eight Domains Required To Pass The CISSP Exam
Document30 pages
Course Overview: This Course Provides In-Depth Coverage of The Eight Domains Required To Pass The CISSP Exam
Abdul Ghaffar
No ratings yet
Aegis Secure Key Manual - 9-13-2013-Rev 4
Document10 pages
Aegis Secure Key Manual - 9-13-2013-Rev 4
Jefford Klein Gogo
No ratings yet
RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2
Document104 pages
RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2
Charitha Reddy
No ratings yet
Deutsche Bank Final
Document28 pages
Deutsche Bank Final
monik
No ratings yet
Be - Information Technology - Semester 5 - 2023 - May - Computer Network Security Rev 2019 C Scheme
Document1 page
Be - Information Technology - Semester 5 - 2023 - May - Computer Network Security Rev 2019 C Scheme
gbhggg81
No ratings yet
Arcon Epm Brochure
Document8 pages
Arcon Epm Brochure
Patrick Ang
No ratings yet
ESET Smart Security 4 Product White Paper
Document12 pages
ESET Smart Security 4 Product White Paper
Ovidiu V. Bișog
No ratings yet
Tong Safety
Document1 page
Tong Safety
Ahmad Ghazee
67% (3)
Rufina 2019
Document4 pages
Rufina 2019
shivani m
No ratings yet
TL-WN723N V3 Datasheet
Document3 pages
TL-WN723N V3 Datasheet
YosuaAriewibowoCrasky
No ratings yet
Pgi Registration
Document1 page
Pgi Registration
sunlight architect
No ratings yet
ISO 27001 Metrics and Implementation Guide PDF
Document13 pages
ISO 27001 Metrics and Implementation Guide PDF
Nauman Khalid
100% (1)
DSL Log
Document28 pages
DSL Log
JD Navali
No ratings yet
Fmea
Document49 pages
Fmea
Mayur12345dt
No ratings yet
Ad Self Service Plus Security
Document31 pages
Ad Self Service Plus Security
samak
No ratings yet
Khudra: A New Lightweight Block Cipher For Fpgas
Document18 pages
Khudra: A New Lightweight Block Cipher For Fpgas
Anonymous sskjn1A7x
No ratings yet
1.2 Installation of SSH Keys On Linux-A Step-By Step Guide
Document3 pages
1.2 Installation of SSH Keys On Linux-A Step-By Step Guide
Mada Chouchou
No ratings yet
Cloudian First Call Deck 0222
Document22 pages
Cloudian First Call Deck 0222
Tien Pham
No ratings yet
Fatpipe MPVPN Brochure
Document2 pages
Fatpipe MPVPN Brochure
Adrian Gamboa Marcellana
No ratings yet
Digital Service Standard: Local Government
Document12 pages
Digital Service Standard: Local Government
Alca
No ratings yet
Flow Chart Hart For Online Admission Process Online Admission Process
Document1 page
Flow Chart Hart For Online Admission Process Online Admission Process
Game Technical And Review
No ratings yet
Mod PLSQL Ug
Document80 pages
Mod PLSQL Ug
Iulian Doboara
No ratings yet
New - Galileo Basic Entries - Dec 2016
Document4 pages
New - Galileo Basic Entries - Dec 2016
praveen v
No ratings yet
Centrify DC Admin Guide v3
Document416 pages
Centrify DC Admin Guide v3
angelito_lazo
No ratings yet
Brief Story To Small Business
Document5 pages
Brief Story To Small Business
khanhpham65
No ratings yet
HP Secure MPS Preferred Device Matrix - Nov2019
Document3 pages
HP Secure MPS Preferred Device Matrix - Nov2019
dimitricl
No ratings yet