Page 1: Module 1 - Introduction

Module 1 - Introduction

About This Course Why Perform Penetration Tests? Security Certifications Types of Pentesting

Page 2: Module 1 - Introduction

About This Course

Presenter Information Video Access Course Disks Network Configuration Certificate of Course Completion Course Support

Page 3: Module 1 - Introduction

About This Course

Presenter Information

Thomas Wilhelm

○ ISSMP / CISSP / SCSECA / SCNA / SCSA / IAM
○ IT Industry: 15+ years
○ Security Industry: 7+ years
○ U.S. Army – SIGINT Analyst / Cryptanalyst
○ Fortune 100 – Penetration Testing / Risk Assessments
○ Author, “Penetration Tester’s Open Source Toolkit, Vol. 2”

Page 4: Module 1 - Introduction

About This Course

Video Access

30 days access to videos
○ Use login information provided when enrolled

60 days to complete PenTest Document to ISSAF standards
○ http://heorot.net/instruction/PTF/

Page 5: Module 1 - Introduction

About This Course

Course Disks

Disk 1.100
○ Used in Video Instruction

Disk 1.101
○ Used in Hands-On Exercises & “Independent PenTest Effort” for Course Completion Certification

BackTrack
○ Used as Penetration Tester’s Toolkit

Page 6: Module 1 - Introduction

About This Course

Network Configuration

Configuration Issues:
• http://de-ice.net/index.php?name=PNphpBB2&file=viewforum&f=17
• Can be used in a virtual machine

Page 7: Module 1 - Introduction

About This Course

Certificate of Course Completion

Awarded upon receipt and acceptance of formal documentation of Independent PenTest Effort
○ Meet ISSAF standards
○ “Independent PenTest Effort” uses Disk 1.101
○ Required material is covered in Modules 4-8

Page 8: Module 1 - Introduction

About This Course

Certificate of Course Completion - Grading

General Documentation – 250 points
○ Management Summary
○ Scope of the project (and Out of Scope parts)
○ Tools that have been used (including exploits)
○ Dates & times of the actual tests on the systems

Identification of Weakness & Vulnerabilities – 650 points
○ A list of all identified vulnerabilities
○ Output of tests performed (screenshots or “script” text file)

Action Points – 100 points
○ Recommendation of what to mitigate first
○ Recommended solution

Page 9: Module 1 - Introduction

About This Course

Course Support

Email: [email protected]
○ Support 24x7

Instructor: [email protected]
○ Online chat T, Th 9pm Eastern
○ Also available by appointment
○ Available via phone by appointment

Page 10: Module 1 - Introduction

Why Perform Penetration Tests?

Black Hat vs. White Hat Code of Ethics Legal Responsibilities

Page 11: Module 1 - Introduction

Why Perform Penetration Tests?

Code of Ethics

CISSP Code of Ethics Canons:

○ Protect society, the commonwealth, and the infrastructure.

○ Act honorably, honestly, justly, responsibly, and legally.

○ Provide diligent and competent service to principals.

○ Advance and protect the profession.

Page 12: Module 1 - Introduction

Why Perform Penetration Tests?

Black Hat vs. White Hat

Black Hat:

“A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent”

- Wikipedia

White Hat:

“A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems”

- Wikipedia

Page 13: Module 1 - Introduction

Why Perform Penetration Tests?

Legal Responsibilities

Federal Mandates
○ SOX
○ HIPAA
○ FISMA, etc.

State Mandates
○ California Senate Bill 1386
○ Many other states are following California’s example

Page 14: Module 1 - Introduction

Security Certifications

Generalized Knowledge Appliance-Specific Methodology

Page 15: Module 1 - Introduction

Security Certifications

Generalized Knowledge

(ISC)2
ISSMP / ISSAP / ISSEP / CISSP / SSCP

Prosoft Learning
Certified Internet Web Professional Program
Designer / Administrator / Manager / Developer

SANS Institute
Global Information Assurance Certification
GISF / GSEC / GCFW / GCIA / GCUX… and more

Page 16: Module 1 - Introduction

Security Certifications

Appliance-Specific

CISCO CCSP / CCIE

Check Point CCSA / CCSE

RSA Security CSA / CSE

TruSecure TICSA / TICSE

Operating Systems SCSECA RHCSS MCSE: Security

Page 17: Module 1 - Introduction

Security Certifications

Methodology

National Security Agency
○ IAM / IEM

EC-Council
○ CEH

Page 18: Module 1 - Introduction

Types of Penetration Testing

Network Host Application Database

Page 19: Module 1 - Introduction

Types of Penetration Testing

Network

Password
Switches / Routers
Firewall
Intrusion Detection
VPN
Storage
WLAN Security
Internet User Security
AS400
Lotus Notes

Page 20: Module 1 - Introduction

Types of Penetration Testing

Host

Unix / Linux
Windows
Novell Netware
Web Server

Page 21: Module 1 - Introduction

Types of Penetration Testing

Application

Web Application
Source Code Auditing
Binary Auditing

Page 22: Module 1 - Introduction

Types of Penetration Testing

Database

Database Security
Social Engineering

Page 23: Module 1 - Introduction

Module 1 - Conclusion

Why Perform Penetration Tests? About This Course Security Certifications Types of Pentesting
