Penetration Testing mailing list archives
Re: Penetration testing scope/outline
From: Anders Thulin <Anders.Thulin () tietoenator com>
Date: Thu, 07 Oct 2004 09:16:40 +0200
Chuck Fullerton wrote:
The OSSTMM stands for the "Open Source Security TESTING Methodology Manual". To say that it's not a pen testing method is simply incorrect. This is a Full methodology for ALL TYPES of Security Testing, Pen testing is a type of Security Testing.
I have no quarrel with your last statement, but I am not at all certain that the OSSTMM agrees. (Now, I'm looking only at the 2.1 version, as that is what is available -- you may be arguing from the soon-to-come 3.0 version which hasn't been generally released yet.) The simplest way to check it is probably just to look to what extent the text refers to penetration testing, and how the basic methodology is modified (or not) to that particular type of test. The foreword seems reasonably clear that methodical security testing is different, and presumably also preferrable to penetration testing. So the document makes a distinction, and one that implies that penetration testing lacks in method. Q: Is this the kind of document I would hand to someone asking about penetration testing? No. Perhaps the tenth, but not the first. Apart from the foreword, penetration testing is mentioned only rarely. This may be becuase the text distinguishes 'penetration testing' and 'ethical hacking', but on the other hand, ethical hacking is not treated in any greater detail, either. So how *does* this text apply to pen-testing? It doesn't say. I had expected a section somewhere explaining how the basic methodology could be modified for various testing scenarios. Q: What will someone asking for information about pen-testing in particular get out of this document? As far as I can make out, only that it's not the right question. (And that is correct, in one context: that of the experienced tester.) So what does it say? Section C (Internet Technology Security) is the chapter that most pen-testers would turn to first. It begins on page 42, and already on page 44 I'm flabbergasted. (For those of you who don't have the manual handy, that page says INCOMPLETE in 72 point capitals. There's no explanation of if it is importantly incomplete or not. Just incomplete. And this is not the only place where the text makes this statement. Q. Why point anyone to a document that clearly isn't complete? Assuming it's not importantly incomplete (even though I can't test that assumption) ... Module 3 in the same section is fairly important, as it describes the footprinting and port scanning of a target. Unfortunately, it does not explain the motivation for doing all this. Why do a XMAS scan, with fragmented packets, in reverse? And how useful is that? The manual explicitly leaves all analysis of collected informstion to the tester, so perhaps I'm asking for something outside the scope of the text. But then that, again, may be an indication that this text is not for the beginner. Q. When I ask a OSSTMM tester what he's doing this particular type of scan should he be able to reply cogently? Or will he just say, "I'm doing Item 11 in Module 3 in Section C. Well, I just got to." Experienced testers can rely on their experience to understand what use and utility a particular module is. But they already know about pen-testing. And apropos Item 11 in Module 3 in Section C -- it says I should refer to Appendix B for the ports to be scanned in this manner. Q. Appendix B? Where is that? Not in this document. Q. The document was issued more than a year ago. Has really noone noted that appendix B is missing or, alternatively, that an important reference in the text is bad? If they have, why is the problem allowed to remain? These last points don't have much to do with penetration testing, but I think they help explain why I don't think this document is useful for anyone except a fairly experienced tester. I look forward to the coming version 3.0 -- I trust it has fixed much of what is unclear or incomplete about the 2.1 edition. Over and out, -- Anders Thulin anders.thulin () tietoenator com 040-661 50 63 TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö ------------------------------------------------------------------------------ Internet Security Systems. - Keeping You Ahead of the ThreatWhen business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology.
http://www.securityfocus.com/sponsor/ISS_pen-test_041001 -------------------------------------------------------------------------------
Current thread:
- Penetration testing scope/outline Billy Dodson (Oct 05)
- Re: Penetration testing scope/outline Jose Maria Lopez (Oct 05)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 05)
- Re: Penetration testing scope/outline josh (Oct 05)
- Re: Penetration testing scope/outline Nathan Sportsman (Oct 05)
- Re: Penetration testing scope/outline JM (Oct 05)
- Re: Penetration testing scope/outline Anders Thulin (Oct 06)
- Re: Penetration testing scope/outline robert (Oct 08)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 08)
- Re: Penetration testing scope/outline Anders Thulin (Oct 08)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 08)
- RE: Penetration testing scope/outline Tate Hansen (Oct 08)