Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Crown Copyright (2000) Module 2.7 Penetration Testing.

Published byAdrian McDonald Modified over 10 years ago

Similar presentations

Presentation on theme: "© Crown Copyright (2000) Module 2.7 Penetration Testing."— Presentation transcript:

1 © Crown Copyright (2000) Module 2.7 Penetration Testing

2 You Are Here M2.1 Requirements M2.2 Development Representations M2.3 Functional Testing M2.4 Development Environment M2.5 Operational Environment M2.6 Vulnerability Analysis M2.7 Penetration Testing M2.8 Assurance Maintenance/Composition MODULE 2 - ASSURANCE

3 What is Penetration Testing? Based on Vulnerability Analysis –A search for vulnerabilities in the TOE or its intended operation –Analysis of their impact Tests formulated and run Exploitability of vulnerabilities determined

4 Where do the tests come from? Vulnerability Analysis Penetration Testing Design Analysis Functional Testing Operational Assessment

5 Types of Testing Positive –covered under functional testing Negative or destructive Compound testing –testing more than one aspect of functionality at once

6 Planning Should have most of the ideas before you start testing (on-site or in the CLEF) Formal test scripts may help Agree work split before you go Agree how tests will be documented

7 Be considerate to the developer Live system testing –save destructive tests for out-of-hours Their baby –be sensitive to their feelings ! –especially if on site Restore the TOE to a clean state

8 Additional Tests Inspiration during Penetration testing Know when to stop Record Test Activity and Progress

9 ITSEC and CC Requirements ITSEC –Requirement to Perform Penetration Testing for all assurance levels E1 - E6. CC –Requirement to perform Penetration Testing for assurance levels EAL2 - EAL7.

10 Typical Penetration Testing Form

11 Evaluation Reporting Tests Run Test Results Anomalies Conclusions

12 Summary Goal of Penetration Testing Refinement of Ideas from Vulnerability Analysis Plan Carefully Record Everything relevant for repeatability

13 Further Reading ITSEC Evaluation UKSP 05 Part III Chapter 3 CC Evaluation CC Part 3, Section 14 CEM Part 2, Chapters 6 to 8 (AVA sections)

14 Exercise - Penetration Tests System –User accessing command line shell from application –Administrator performing a privileged function without the action being audited Product –Boot up PC using floppy drive and access encrypted data –Recover a deleted file

Download ppt "© Crown Copyright (2000) Module 2.7 Penetration Testing."

Similar presentations

© Crown Copyright (2000) Module 2.6 Vulnerability Analysis.

© Crown Copyright (2000) Module 2.6 Vulnerability Analysis.
Keyboarding Vocabulary III Finals Study Guide Basic Computer.

Keyboarding Vocabulary III Finals Study Guide Basic Computer.
Technical System Options

Technical System Options
© Crown Copyright (2000) Module 2.3 Functional Testing.

© Crown Copyright (2000) Module 2.3 Functional Testing.
16 August 2010© Crown Copyright (2010)1 Module 2.8 Assurance Continuity and Composition.

16 August 2010© Crown Copyright (2010)1 Module 2.8 Assurance Continuity and Composition.
© Crown Copyright (2000) Module 2.4 Development Environment.

© Crown Copyright (2000) Module 2.4 Development Environment.
© Crown Copyright (2000) Module 3.1 Evaluation Process.

© Crown Copyright (2000) Module 3.1 Evaluation Process.
Security Requirements

Security Requirements
© Crown Copyright (2000) Module 2.0 Introduction to Module 2.

© Crown Copyright (2000) Module 2.0 Introduction to Module 2.
© Crown Copyright (2000) Module 2.5 Operational Environment.

© Crown Copyright (2000) Module 2.5 Operational Environment.
Module 1 Evaluation Overview © Crown Copyright (2000)

Module 1 Evaluation Overview © Crown Copyright (2000)
© Crown Copyright (2000) Module 3.2 Evaluation Management.

© Crown Copyright (2000) Module 3.2 Evaluation Management.
© Crown Copyright (2000) Module 2.2 Development Representations.

© Crown Copyright (2000) Module 2.2 Development Representations.
The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011.

The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011.
Unit 14 Assessment Objective Three. Unit 14 Assessment Objective Three.

Unit 14 Assessment Objective Three. Unit 14 Assessment Objective Three.
Effective Design of Trusted Information Systems Luděk Novák,

Effective Design of Trusted Information Systems Luděk Novák,
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
I NFORMATION L ITERACY R ESEARCH AND A SSESSMENT P APERS.

I NFORMATION L ITERACY R ESEARCH AND A SSESSMENT P APERS.
How to present a full analysis?  Initial decisions  Establishing the components of your analysis  Other arrangements of components  The basic pattern.

How to present a full analysis?  Initial decisions  Establishing the components of your analysis  Other arrangements of components  The basic pattern.
Business research methods: data sources

Business research methods: data sources

Similar presentations

Ads by Google