LPTv4 Module 14 Penetration Testing Planning and Scheduling_NoRestriction

Nov 08, 2014

Mahmoud Eladawi

Transcript
Page 1: LPTv4 Module 14 Penetration Testing Planning and Scheduling_NoRestriction

ECSA/LPT

EC-Council Module XIV

Penetration Testing Planning and Scheduling

Module Flow

• Test Plan
• Purpose of Test Plan
• Building a Penetration Test Plan
• Penetration Testing Planning Phase
• Project Scope
• Penetration Testing Teams
• Building Tiger Team
• Penetration Testing Project Plan
• EC-Council’s Vampire Box

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Module Objective

This module explains how a penetration test plan and schedule are made.

It will cover various testing tasks, test log and deliverables, penetration testing planning phase, project scope, penetration testing team, and the tiger team.

It also discusses various project scheduling tools.

Test Plan

A test plan is a document that details the structure of conducting a penetration test.

A test plan could be structured according to an industry standard such as the Institute of Electrical and Electronics Engineers (IEEE) Standard for Software Documentation (Std. 829), or based on an internal template.

Purpose of Test Plan

A penetration test plan will establish the ground rules, limits, and scope of testing.

It enhances the probability of achieving good penetration testing.

A test plan includes:
• Test objective.
• Scope of the testing effort.
• Resource and budget limitations.
• Analysis and reviews.

Building a Penetration Test Plan

Set up a test goal

Define the objects to be tested

Hire a well-skilled penetrator

Bind the Penetration Analysis Resources

IEEE Std. 829–1998 Section Headings

• Test plan identifier
• Introduction
• Test items
• Features to be tested
• Features not to be tested
• Approach
• Item pass/fail criteria
• Suspension criteria and resumption requirements
• Test deliverables
• Testing tasks
• Environmental needs
• Responsibilities
• Staffing and training needs
• Schedule
• Risks and contingencies
• Approvals

Test Plan Identifier

Each test plan should be assigned an identifier that is unique within the organization.

Test Deliverables

As part of its contractual obligations, a company specializing in security testing may need to provide a client with detailed accounts of all the penetration tests that were attempted (regardless of their success).

Document every detail of the penetration testing process.

The success of a penetration test depends on the report generated.

Penetration Testing Planning Phase

Defining the Pen-test scope

Staffing

Kickoff meeting

Development of the project plan

Setting the expectations of the client

Define the Scope

You should establish the scope of the project.

You should develop the scope of the project in consultation with the client.

You should take into consideration time, people, and money.

Business changes might affect the scope.

Project Scope

Features to be tested include:

• Network security.
• System software security.
• Client-side application security.
• Client-side to server-side application communication security.
• Server-side application security.
• Social engineering.
• Dumpster diving.
• Inside accomplices.
• Physical security.
• Sabotage.
• Intruder confusion.
• Intrusion detection.
• Intrusion response.

When to Retest?

A previously unknown exploit in an operating system

Additional devices (firewalls, servers, routers, and so on) are added to the system

A service pack installed to patch a recently discovered security hole

Log files have grown to the point that no free disk space is left

Responsibilities

Who will be responsible for making sure all the key testing activities are taking place on schedule?

Team member building

Assigning tasks

Timelines

Report writing and documentation personnel

Skills and Knowledge Required

Project management skills and knowledge:
• Client presentations
• Project planning and administration
• Effective communication (oral and written)
• Leadership

Policy examiner skills and knowledge:
• Research and analysis
• Security industry standards (ISO 17799, GASSP)
• Threat analysis
• Principles of security management
• Business continuity and disaster recovery standards

Technical examiner skills and knowledge:
• Client and server OS, NOS, UNIX, Linux hardware devices
• Software and hardware configuration management
• Reported bugs and security flaws
• Network and system testing protocols and devices
• Physical plant security

Internal Employees

Work with internal employees (i.e., system administrators) to assist you with the project.

They can provide valuable experience and know-how.

Penetration Testing Teams

• Chief Penetration Tester
• Database and Application Expert
• Networking Expert
• Ethical Hacker
• Report and Documentation Writer

Tiger Team

A tiger team is a group of people hired to give details of the vulnerabilities present in the system.

They are also called red teams, ethical hackers, penetration testers, and intrusion testers.

This team prepares a report on the vulnerabilities present in the system, attack methods, and how to defend against them.

Purpose:
• To evaluate what level of host and network security is adequate.
• To test the resources of the organization and to submit the report on attacks, threats, and so on.
• To generate a real intruder’s attack without causing any damage to the system.

Building Tiger Team

Your tiger team should consist of the following personnel:
• Chief Penetration Tester (CPO)
• Database and Application Expert
• Networking Expert
• Ethical Hacker
• Data Analyst
• Project Manager
• Report and Documentation Writer

If you are hiring temporary consultants, be sure to check their background and their history.

Questions to Ask Before Hiring Consultants to the Tiger Team

How much industry experience do they have?

How much technical experience do they have?

Do they have a methodology?

Who will ultimately do the work?

What is their reputation?

What is the final deliverable going to look like?

Meeting With the Client

Keep the client continuously informed about the project

Status meetings: during the engagement

Deliverable template: sets client’s expectations for what the final document is going to look like

Kickoff Meeting

The penetration testing kickoff meeting attendance should include the following people:
• Executive sponsor.
• Key stakeholders involved in the testing.
• Tiger team conducting the assessment.

Penetration Testing Project Plan

The plan should consist of the following:

Project definition:
• A short description of the purpose of the project, which must contain a statement of the benefit that doing the project will bring

Project goal:
• One or two sentences that state what problem or weakness the project will address

Objectives:
• A short list of objectives that have to be met to reach the project goal

Success factors:
• Quantification of the benefits of doing the project; the success factor can be a detailed knowledge of the weaknesses in the organization's network

Assumptions:
• Details of the strengths, weaknesses, opportunities, and threats involved in the project, but simplicity is the key

Project Plan Overview

Test Plan Overview

Company Name

Project Title

Date

Scope

Test Plan Created by

Description

Work Breakdown Structure or Task List

Developing a task list means breaking down a piece of work into its component tasks.

Task status must be measurable.

Each task must be a clearly defined event with a clear start and a clear end.

Every task must have a deliverable.

Example:
• Where the tasks start and end
• Time estimates
• Resources assigned to each task
• Task dependencies
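
An added example, not part of the original module: a minimal check of a penetration-test task list against the rules on this slide (deliverable, time estimate, assigned resource, resolvable dependencies), followed by an earliest-start schedule derived from the dependencies. The task names, durations, owners and deliverables are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Task:
    name: str
    days: int                     # time estimate in working days
    owner: str                    # resource assigned (a tiger-team role)
    deliverable: str              # every task must have a deliverable
    depends_on: list = field(default_factory=list)

# Constructed sample WBS; task names follow stages named in this module.
WBS = [
    Task("Kickoff meeting", 1, "Project Manager", "Agreed scope"),
    Task("Information gathering", 3, "Ethical Hacker", "Target inventory", ["Kickoff meeting"]),
    Task("Vulnerability analysis", 4, "Networking Expert", "Vulnerability list", ["Information gathering"]),
    Task("External penetration testing", 5, "Ethical Hacker", "Test log (external)", ["Vulnerability analysis"]),
    Task("Database penetration testing", 3, "Database and Application Expert", "Test log (database)", ["Vulnerability analysis"]),
    Task("Report writing", 4, "Report and Documentation Writer", "Final report",
         ["External penetration testing", "Database penetration testing"]),
]

def validate(tasks):
    """Return a list of problems that break the task-list rules above."""
    names, problems = {t.name for t in tasks}, []
    for t in tasks:
        if t.days <= 0:
            problems.append(f"{t.name}: no measurable time estimate")
        if not t.owner.strip():
            problems.append(f"{t.name}: no resource assigned")
        if not t.deliverable.strip():
            problems.append(f"{t.name}: no deliverable")
        for dep in t.depends_on:
            if dep not in names:
                problems.append(f"{t.name}: unknown dependency '{dep}'")
    return problems

def schedule(tasks):
    """Earliest (start_day, end_day) per task; day 0 is project start.
    Call validate() first: an unknown dependency raises KeyError here."""
    by_name = {t.name: t for t in tasks}
    plan, visiting = {}, set()
    def finish(name):
        if name in plan:
            return plan[name][1]
        if name in visiting:
            raise ValueError(f"circular dependency involving '{name}'")
        visiting.add(name)
        task = by_name[name]
        start = max((finish(d) for d in task.depends_on), default=0)
        visiting.discard(name)
        plan[name] = (start, start + task.days)
        return plan[name][1]
    for t in tasks:
        finish(t.name)
    return plan

if __name__ == "__main__":
    for name, (start, end) in sorted(schedule(WBS).items(), key=lambda kv: kv[1]):
        print(f"day {start:>2} -> {end:>2}  {name}")
```

The end day of the last task is the minimum project length; a task list that fails `validate` should be fixed before it is loaded into a scheduling tool.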

Penetration Testing Schedule

Details of the test schedule must be documented in a separate deliverable and generated with the assistance of a project-scheduling tool.

Penetration Testing Project Scheduling Tools

• Easy schedule maker: www.patrena.com
• FastTrack schedule: www.aecsoft.com
• GigaPlan.net: www.gigaplan.com
• ManagePro: www.performancesolutionstech.com
• Microsoft Project: www.microsoft.com
• Niku: www.niku.com
• OpenAir: www.openair.com
• PlanView: www.planview.com
• Proj-Net: www.rationalconcepts.com
• ProjectKickStart: www.projectkickstart.com
• Project Dashboard: www.itgroupusa.com
• Project Office: www.pacificedge.com
• Time Disciple: www.timedisciple.com
• Various: www.primavera.com
• Xcolla: www.axista.com
• Gantt Chart: www.ganttproject.biz

Test Plan Checklist

Penetration Testing Hardware/Software Requirements

You will need the following hardware when conducting the test:

Laptop with the following:
• Windows XP/2000/2003 virtual server
• Red Hat Linux 9
• Wireless Access points
• Wireless cards
• Huge hard disk – preferably 160 GB

Devices:
• Keyloggers
• Jamming devices
• Radio communication interceptors
• Telephone spying devices
• Wireless antennas

Software:
• Hacking Tools CD-ROM (Linux version)
• Hacking Tools CD-ROM (Windows version)
• Sniffing Devices
• Penetration testing software – Core Impact
• Vulnerability Assessment Tools

EC-Council’s Vampire Box

The Vampire Box checks the firewall and network anti-virus software's capabilities.

No more guesswork or blind faith on the firewall systems.

Vampire Box is a powerful Enterprise-Class Solution, which:
• Blasts Trojans and backdoor programs onto the network.
• Floods the network with Netbus, Back Orifice, Netcat and other popular Trojans.
• Attacks the firewalls and antivirus systems with viruses and worms.
• Blasts the network with DoS packets and malformed TCP/IP packets.
• Generates huge network traffic by flooding the wire with junk data.
• Sends spyware and malicious programs onto the wire.

EC-Council’s Vampire Box (cont’d)

Begin Penetration Testing

[Flow diagram beginning at "Start Here" and continuing on the next slide. Stages shown: Information Gathering; Vulnerability Analysis; External Penetration Testing; Firewall Penetration Testing; Router and Switches Penetration Testing; Internal Network Penetration Testing; IDS Penetration Testing; Wireless Network Penetration Testing; Denial of Service Penetration Testing; Password Cracking Penetration Testing; Stolen Laptop, PDAs and Cell Phones Penetration Testing; Social Engineering Penetration Testing; Application Penetration Testing.]

Begin Penetration Testing (cont’d)

[Flow diagram continued from the previous slide and finishing at "End Here". Stages shown: Physical Security Penetration Testing; Database Penetration Testing; VoIP Penetration Testing; Virus and Trojan Detection; War Dialing; VPN Penetration Testing; Log Management Penetration Testing; File Integrity Checking; Blue Tooth and Hand held Device Penetration Testing; Telecommunication And Broadband Communication Penetration Testing; Email Security Penetration Testing; Security Patches Penetration Testing; Data Leakage Penetration Testing.]

Summary

A test plan is a document that details the structure of conducting a penetration test.

You should develop the scope of the project in consultation with the client.

Skills and knowledge required include:
• Project management.
• Policy examiner.
• Technical examiner.

Developing a task list involves breaking down a piece of work into its component tasks.
