© Crown Copyright (2000) Module 2.7 Penetration Testing.
You Are Here (MODULE 2 - ASSURANCE)
M2.1 Requirements
M2.2 Development Representations
M2.3 Functional Testing
M2.4 Development Environment
M2.5 Operational Environment
M2.6 Vulnerability Analysis
M2.7 Penetration Testing (this module)
M2.8 Assurance Maintenance/Composition

What is Penetration Testing?
Based on Vulnerability Analysis
– a search for vulnerabilities in the TOE (Target of Evaluation) or in its intended operation
– analysis of their impact
Tests formulated and run
Exploitability of vulnerabilities determined

Where do the tests come from?
Penetration tests are derived from the Vulnerability Analysis, which in turn draws on:
– Design Analysis
– Functional Testing
– Operational Assessment

Types of Testing
Positive
– covered under functional testing
Negative or destructive
Compound testing
– testing more than one aspect of functionality at once

Planning
Should have most of the test ideas before you start testing (on-site or in the CLEF, the Commercial Evaluation Facility)
Formal test scripts may help
Agree the work split before you go
Agree how tests will be documented

Be considerate to the developer
Live system testing
– save destructive tests for out-of-hours
Their baby
– be sensitive to their feelings!
– especially if on site
Restore the TOE to a clean state

Additional Tests
Inspiration during penetration testing
Know when to stop
Record test activity and progress

ITSEC and CC Requirements
ITSEC
– requirement to perform penetration testing at all assurance levels, E1 to E6
CC
– requirement to perform penetration testing at assurance levels EAL2 to EAL7 (CC v2.x: EAL1 contains no vulnerability assessment component; under the later CC v3.1, AVA_VAN.1 brings penetration testing in from EAL1)

Typical Penetration Testing Form

Evaluation Reporting
Tests run
Test results
Anomalies
Conclusions

Summary
Goal of penetration testing
Refinement of ideas from vulnerability analysis
Plan carefully
Record everything relevant for repeatability

Further Reading
ITSEC evaluation
– UKSP 05 Part III Chapter 3
CC evaluation
– CC Part 3, Section 14
– CEM Part 2, Chapters 6 to 8 (AVA sections)

Exercise - Penetration Tests
System
– user accessing a command-line shell from an application
– administrator performing a privileged function without the action being audited
Product
– boot up the PC from the floppy drive and access encrypted data
– recover a deleted file
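The first exercise item (a user reaching a command-line shell from an application) as a scripted penetration test, recorded in the form the Planning and Evaluation Reporting slides call for. This is an added example, not code from the module or from any evaluated product: the two lookup functions are a hypothetical TOE constructed here (one build that concatenates user input into a shell command line, one that allow-lists the input and passes argv as a list), the attack payload and canary are constructed, and a POSIX /bin/sh with echo is assumed.

```python
"""Added example: a scripted penetration test for "user accessing a
command-line shell from an application", with the test record kept in the
shape of the module's reporting slide (tests run, results, anomalies,
conclusions).  The TOE functions are hypothetical stand-ins."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


def toe_lookup_vulnerable(name: str) -> str:
    """Hypothetical TOE build: the command line is built by string
    concatenation and handed to /bin/sh, so metacharacters are interpreted."""
    proc = subprocess.run(f"echo lookup {name}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # allow-list for a lookup name

def toe_lookup_hardened(name: str) -> str:
    """Hypothetical hardened build: input is allow-listed and argv is a list
    with shell=False, so no shell ever sees the user's bytes."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected lookup name {name!r}")
    proc = subprocess.run(["echo", "lookup", name], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


# Constructed attack input: a benign value, a command separator and a canary
# command whose output can only appear if a shell interpreted the separator.
PAYLOAD = "x; echo PWNED"
CANARY = "PWNED"

def shell_escaped(output: str) -> bool:
    """True only if the canary ran as its own command, i.e. it appears as a
    complete output line.  A literal echo of the payload contains the word
    inside a longer line and is not an escape."""
    return CANARY in output.splitlines()


@dataclass
class TestRecord:
    """One row of the penetration-testing form: enough for repeatability."""
    test_id: str
    objective: str
    steps: list[str]
    expected: str
    started: str = ""
    finished: str = ""
    actual: str = ""
    verdict: str = "NOT RUN"
    anomalies: list[str] = field(default_factory=list)


def run_shell_escape_test(toe: Callable[[str], str], test_id: str) -> TestRecord:
    """Run the test against one TOE build and fill in the record."""
    rec = TestRecord(
        test_id=test_id,
        objective="Can an application user reach a command-line shell?",
        steps=[f"call the lookup feature with {PAYLOAD!r}",
               f"look for {CANARY!r} on a line of its own in the output"],
        expected="input rejected, or echoed literally with no second command run",
    )
    rec.started = datetime.now(timezone.utc).isoformat()
    try:
        out = toe(PAYLOAD)
    except ValueError as exc:          # TOE refused the input: not exploitable
        rec.actual = f"input rejected: {exc}"
        rec.verdict = "NOT EXPLOITABLE"
    else:
        rec.actual = f"stdout={out!r}"
        if shell_escaped(out):
            rec.verdict = "EXPLOITABLE"
            rec.anomalies.append("injected command executed: user input reaches /bin/sh")
        else:
            rec.verdict = "NOT EXPLOITABLE"
    rec.finished = datetime.now(timezone.utc).isoformat()
    return rec


def report(records: list[TestRecord]) -> str:
    """Evaluation reporting: tests run, test results, anomalies, conclusions."""
    lines = ["Tests Run: " + ", ".join(r.test_id for r in records), "Test Results:"]
    for r in records:
        lines.append(f"  {r.test_id}: {r.verdict} ({r.started} .. {r.finished}); "
                     f"expected {r.expected}; actual {r.actual}")
    lines.append("Anomalies:")
    lines.extend([f"  {r.test_id}: {a}" for r in records for a in r.anomalies] or ["  none"])
    exploitable = [r.test_id for r in records if r.verdict == "EXPLOITABLE"]
    lines.append("Conclusions: " + ("exploitable vulnerability in " + ", ".join(exploitable)
                                    if exploitable else "no exploitable vulnerability found"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report([run_shell_escape_test(toe_lookup_vulnerable, "PT-01"),
                  run_shell_escape_test(toe_lookup_hardened, "PT-02")]))
```

Two points the exercise turns on are visible in the record. The verdict is about exploitability, not the mere presence of a suspicious string: the canary counts only when it appears as a line of its own, because the hardened build would echo the whole payload back literally if the allow-list were removed, and that is not a shell. And the record stores the exact input, the timestamps and the raw stdout, which is what makes the test repeatable when the developer disputes the result or the TOE is re-tested after a fix.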