CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits
James S. Tiller
Format: PDF / Kindle (mobi) / ePub
CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits details the methodologies, framework, and unwritten conventions penetration tests should cover to provide the most value to your organization and your customers. Discussing the process from both a consultative and technical perspective, it provides an overview of the common tools and exploits used by attackers along with the rationale for why they are used.
From the first meeting to accepting the deliverables and knowing what to do with the results, James Tiller explains what to expect from all phases of the testing life cycle. He describes how to set test expectations and how to identify a good test from a bad one. He introduces the business characteristics of testing, the imposed and inherent limitations, and describes how to deal with those limitations.
The book outlines a framework for protecting confidential information and security professionals during testing. It covers social engineering and explains how to tune the plethora of options to best use this investigative tool within your own environment.
Ideal for senior security management and anyone else responsible for ensuring a sound security posture, this reference depicts a wide range of possible attack scenarios. It illustrates the complete cycle of attack from the hacker’s perspective and presents a comprehensive framework to help you meet the objectives of penetration testing―including deliverables and the final report.
remote users and systems themselves. Typically, evaluating the security of remote access systems is realized by performing a security assessment to find vulnerabilities rather than attempting to exploit them. Exploiting remote system vulnerabilities is possible; however, much more is gained by direct observation. Government Regulations and Standards In recent years, we have seen the explosion of government involvement in establishing requirements for the protection of information and
into the coastal waters off Queensland, Australia. The persistence of a hacker cannot be truly replicated because there are simply different motivators between the attacker and the tester. The tester wakes up in the morning, goes to work, gets a cup of coffee, starts hacking, and at the end of the day goes home with little personal attachment to the engagement. Comparably, strong feelings such as fear, anger, bravado, jealousy, and hatred increase the emotional investment of the hacker,
The key is determining the information to provide to the testers, when, and in what context relative to the other testers and phases. In a series multiphased attack, this is fairly simple because when one phase ends another starts, providing a direct correlation to the information timing. In contrast, in a parallel attack the flow of information and when one tester is privy to data collected by another can greatly affect the outcome of the test. In many cases companies will seek a parallel test
wild, where it matters most. It is only natural to conclude that an experienced hacker would have the necessary skills for performing hacking services. The practice of hiring hackers was commonplace during the early years of penetration testing when the skills of a traditional security consultant were in defending rather than attacking a customer’s network. In addition, for hackers it is an opportunity to meet their personal hunger for illicit activities but in a legitimized format while getting
paid handsomely. People choose various paths in life and the argument for reformed hackers for hire is you cannot hold someone accountable for their historical activities. For example, if a criminal was captured and jailed for several years because he stole a car there is a level of risk in hiring that person, although it is understood that he has paid his debt and should be offered the opportunity to reengage as a functioning part of society. It would be quite a different assumption if he