© Crown Copyright (2000) Module 2.7 Penetration Testing.

1 © Crown Copyright (2000) Module 2.7 Penetration Testing

2 You Are Here: MODULE 2 - ASSURANCE
– M2.1 Requirements
– M2.2 Development Representations
– M2.3 Functional Testing
– M2.4 Development Environment
– M2.5 Operational Environment
– M2.6 Vulnerability Analysis
– M2.7 Penetration Testing (this module)
– M2.8 Assurance Maintenance/Composition

3 What is Penetration Testing?
– Based on Vulnerability Analysis
  – A search for vulnerabilities in the TOE or its intended operation
  – Analysis of their impact
– Tests formulated and run
– Exploitability of vulnerabilities determined

4 Where do the tests come from?
(Diagram; labels only: Vulnerability Analysis, Penetration Testing, Design Analysis, Functional Testing, Operational Assessment)

5 Types of Testing
– Positive
  – covered under functional testing
– Negative or destructive
– Compound testing
  – testing more than one aspect of functionality at once

6 Planning
– Should have most of the ideas before you start testing (on-site or in the CLEF)
– Formal test scripts may help
– Agree work split before you go
– Agree how tests will be documented

7 Be considerate to the developer
– Live system testing
  – save destructive tests for out-of-hours
– Their baby
  – be sensitive to their feelings!
  – especially if on site
– Restore the TOE to a clean state

8 Additional Tests
– Inspiration during penetration testing
– Know when to stop
– Record test activity and progress

9 ITSEC and CC Requirements
– ITSEC
  – Requirement to perform penetration testing for all assurance levels E1 - E6.
– CC
  – Requirement to perform penetration testing for assurance levels EAL2 - EAL7.

10 Typical Penetration Testing Form
(Form shown as an image; not reproduced in the transcript)

11 Evaluation Reporting
– Tests run
– Test results
– Anomalies
– Conclusions

12 Summary
– Goal of penetration testing
– Refinement of ideas from Vulnerability Analysis
– Plan carefully
– Record everything relevant for repeatability

13 Further Reading
– ITSEC Evaluation: UKSP 05 Part III Chapter 3
– CC Evaluation: CC Part 3, Section 14; CEM Part 2, Chapters 6 to 8 (AVA sections)

14 Exercise - Penetration Tests
– System
  – User accessing command line shell from application
  – Administrator performing a privileged function without the action being audited
– Product
  – Boot up PC using floppy drive and access encrypted data
  – Recover a deleted file
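The second "System" exercise (a privileged function performed without being audited) is a negative test whose evidence is the TOE's own audit trail. The script below is an added example, not part of the original module: it compares the evaluator's record of privileged actions performed during the test against an export of the audit trail and lists every action with no matching audit record, which is exactly the kind of entry the "Anomalies" section of the evaluation report needs. The log line format, the field names, the five-second matching tolerance and the sample data are all constructed assumptions; a real TOE's audit export would need its own parser.

```python
"""
Audit-coverage check for the exercise scenario "administrator performing a
privileged function without the action being audited".

Added example, not part of the original training module. During the test the
evaluator keeps a record of each privileged action performed (timestamp,
account, action); afterwards the TOE's audit trail is exported. Every recorded
action that has no audit record within a tolerance window is reported as a
candidate anomaly. All formats, field names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed evaluator record: actions actually performed during the test.
ACTIONS_PERFORMED = """\
2000-03-14T10:02:11 admin ADD_USER
2000-03-14T10:05:40 admin CHANGE_AUDIT_CONFIG
2000-03-14T10:09:03 admin DELETE_USER
2000-03-14T10:15:27 admin SET_CLOCK
"""

# Constructed export of the TOE's audit trail
# (assumed format: timestamp subject event outcome).
AUDIT_TRAIL = """\
2000-03-14T10:02:12 admin ADD_USER SUCCESS
2000-03-14T10:09:05 admin DELETE_USER SUCCESS
2000-03-14T10:15:29 operator SET_CLOCK SUCCESS
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    subject: str
    action: str


def parse_events(text: str) -> list[Event]:
    """Parse 'timestamp subject action [outcome]' lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, action = line.split()[:3]
        events.append(Event(datetime.fromisoformat(ts), subject, action))
    return events


def unaudited_actions(performed, audited, tolerance=timedelta(seconds=5)):
    """Return performed actions that have no audit record for the same subject
    and action within +/- tolerance of the time the action was performed.

    Each audit record is consumed at most once, so a single audit entry cannot
    'cover' two separate actions. A record attributed to the wrong subject
    (see SET_CLOCK in the sample data) also counts as missing, because the
    audit trail then misrepresents who performed the privileged function.
    """
    remaining = list(audited)
    missing = []
    for act in performed:
        match = next(
            (a for a in remaining
             if a.subject == act.subject and a.action == act.action
             and abs(a.when - act.when) <= tolerance),
            None,
        )
        if match is None:
            missing.append(act)
        else:
            remaining.remove(match)
    return missing


def report(missing):
    """Render the anomalies section of the evaluation report as plain text."""
    lines = ["ANOMALIES: privileged actions without a matching audit record"]
    for m in missing:
        lines.append(f"  {m.when.isoformat()} {m.subject} {m.action}")
    if not missing:
        lines.append("  none")
    return "\n".join(lines)


if __name__ == "__main__":
    performed = parse_events(ACTIONS_PERFORMED)
    audited = parse_events(AUDIT_TRAIL)
    print(report(unaudited_actions(performed, audited)))
```

With the constructed data the check flags two anomalies: CHANGE_AUDIT_CONFIG, which produced no audit record at all, and SET_CLOCK, which was audited but attributed to the wrong account. Keeping the evaluator's own action record with exact timestamps is what makes this comparison possible and repeatable, which is the point of "record everything relevant for repeatability" in the summary.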
