• Aucun résultat trouvé

Penetration Testing

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Penetration Testing"

Copied!
8
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Information Security Assessment Bibliography Q and A

Information Security Testing or

The Art of Breaking Software To Improve It

Alexandre Dulaunoy

February 18, 2011

(2)

Information Security Assessment Bibliography Q and A Definition

Definition

Information security assessment is the process of determining the effectiveness of security measures to reach specific security objectives.

The assessment is usually performed using different techniques oftesting,examinationorinterviewing.

Testing: actively assess components under specified conditions to see if they deviate from their baseline.

Examination: reviewing, studying or analyzing components to understand how they work and if they deviate from their intended objectives.

Interviewing: conducting discussion with people or groups of people involved in the components to be assessed.

(3)

Information Security Assessment Bibliography Q and A Testing? Examination? Interviewing?

Testing? Examination? Interviewing?

Security assessment is usually a balanced approach using testing, examination and interviewing.

There are many security testing techniques and procedure like

”OSSTMM 3 - The Open Source Security Testing Methodology Manual”, NIST SP 800-53A.

Compare available tests with the components to be analyzed or the objectives. Do the tests fit? What is the information available the for the assessment?

(4)

Information Security Assessment Bibliography Q and A Penetration Testing

Penetration Testing

Penetration testing is a subpart oftesting including service identification and trying to make real-world attacks against a specify set of components.

There are risks to perform ”penetration testing” and they must be understood in advance.

Penetration testing is not only a technical matter but may also include non-technical tests (e.g. social engineering).

Black-box versus white-box pentesting.

(5)

Information Security Assessment Bibliography Q and A Penetration Testing

Penetration Testing Approaches

Often described linearly: planning→ discovery →attack → reporting and mitigation.

Usually it’s more a circular approach where new attacks generate new discoveries than can lead to other attacks.

Penetration testing is usually relying on anomalies than can lead to unexpected behavior of the components.

Working in a small team is usually more efficient by the collaboration of the discoveries and step to be performed to lead to privilege escalation.

Penetration testing is not full proof and offers usually a limited view.

(6)

Information Security Assessment Bibliography Q and A Penetration Testing

Penetration Testing Tools

Tools can be used in penetration testing to ease the work but are usually used in conjunction to custom software or manual solution.

There are some live-cd distribution including penetration tools: BackTrack Linux or Linux S-T-D.

Fuzzing is specific kind of testing often used as starting point.

(7)

Information Security Assessment Bibliography Q and A

Bibliography

NIST 800-115 - Technical Guide To Information Security Testing and Assessment

Know Your Enemy, The Honeynet project - various, (second edition) Addison Wesley, ISBN 0-321-16646-9

Computer Security, Art and Science, Matt Bishop, Addison Wesley, ISBN 0-201-44099-7

(8)

Information Security Assessment Bibliography Q and A

Q and A

Thanks for listening.

[email protected]

Références

Télécharger maintenant ( PDF - 8 Page - 118.85 KB )

Documents relatifs

Modeling and Assessment of Systems Security

The second step is to decide on the sets of security requirements to be used for the computation of the security values corresponding to the identified security features..

A COMMUNITY FOOD SECURITY ASSESSMENT OF THE BONNE BAY REGION

Food costing of items from the NNFB was undertaken at eight food stores in towns throughout the Bonne Bay region between August 17 and 28 2009, including: two stores in Trout

Grid of security: a new approach of the network security

According to their specifications and strategic location in the enterprise network, firewalls (personal or not) are good tools to block direct attacks coming from the outside of

Risk Assessment for Airworthiness Security

Similarly to the safety inductive approach of Failure Mode and Effect Analysis (FMEA), the security vulnerability assessment is a bottom- up approach: it aims at identifying

security assessment

 Send random commands to any TARs that accept them.  Send commands to

Privacy and Security Assessment of Biometric Systems

In Section 5, the Security Evabio tool which is an on-line tool for the security and privacy assessment of biometric systems is presented.. Future trends of the chapter are then

Model for Assessment of the Financial Security Level of the Enterprise Based on the Desirability Scale

Certain aspects of financial security modeling related, in particular, to the assessment of its factors, identification of threats and assessment of risks, diagnostics of the level

Information security in the context of the digital economy

At the moment, a wide range of information and analytical systems (IAS), of both domestic and foreign developers, allowing to work with Big Data and Data Mining, is available on