Thursday, June 28, 2012

An Introduction to Penetration Testing – Part 1

by Si Biles

In an earlier article, many moons ago (Sorry Jamie!), I stated my opinion that Forensics and Security were opposite sides of the same coin. I’ve felt very strongly that my skills as a Security Consultant have only been strengthened and expanded by the experiences I’ve gained with Forensics, both as part of the Forensic Focus community (again, apologies for my absence) and as part of my MSc (an ongoing epic spanning two Universities and many years).

There is a particular area of Security work that I think mirrors the skill set of Forensics more closely than others – and that is Penetration Testing. PenTest is probably the most bleeding edge, exciting and intellectually challenging thing in the InfoSec field – no matter how much I try, I struggle to get as excited about writing an “Acceptable Use Policy” as I do when given free rein to attempt a “capture the flag” task on a corporate network. (That’s not to say that AUPs don’t have their own excitements … nah, I’m kidding, but they are important – like eating your vegetables…) At the same time, though, the same measured and methodical approaches and investigative skills that apply in Forensics apply in PenTest.

Over the next few articles (I don’t know how many yet, I’ve not written them – but I’m aiming to get an update to you fortnightly) I’d like to take you through a high level PenTest methodology, showing you some of the tools and toys that you can play with along the way. At the end of it all, my intent is to run a competition (with a small prize for the winner – something like an iPod Nano perhaps?) on a live machine (or machines …) connected to the internet that you can all have a pop at – rules and scoring criteria yet to be determined – and on which you will have to write a short report. (Not that report writing will faze a single Forensicator!)

In any case, let’s start by outlining the basic methodology. Remember, like Forensics, many parts of a PenTest methodology are iterative: as you learn more in one phase, you may want to return to an earlier phase and see what further advances you can make with your new-found knowledge.

1 comment:

Anonymous said...

Please review the work already well underway over at the Penetration Testing Execution Guidelines. (http://www.pentest-standard.org/index.php/Main_Page)