PenTest: Security Audit Methodologies

Description

Dear PenTest Readers,

In this issue we discuss security audit methodologies. You can read about different approaches and techniques that are used in cybersecurity and penetration testing.

Our articles describe skills required to audit and test network security. You will find answers about what are the best tools to use and how to document results. Moreover you can read an interview with A. Tabish, who has been involved in risk assesment for about 10 years. This issue includes also articles about information security regulation in Spanish public departaments, article about ISO/IEC 27002 and many more!

Enjoy your reading,
PenTest Magazine’s
Editorial Team

---

Table of contents:

---

Audit and networking security. A band of steel?
by Bruce Williams

This article describes the skills and knowledge required to audit and test network security in an information and communications technology (ICT) network. Superman uses his special powers to identify the critical points in the organization’s network structure. An auditor (no jokes about auditors looking like Clark Kent please) needs a model of the system. The aim for both of these roles is to provide a band of steel around the organization’s data.

---

Pentest tool shootout
by Bruce Williams 

I was first asked by a student what is the best pen test tool to use? I replied that depends on the vulnerability that you are looking for. The Web Test Frameworks such a Samurai and Kali Linux, are examples of a collection of tools which are designed to detect vulnerabilities. Which tool in these collections is best would depend on what you are trying to find.

---

Pentesting Methodology
by Claudia Dehelean 

Penetration tests are a component of a full security audit, which should be held once every six months or at least once per year or after major changes. It has the role of determining the degree of vulnerability of a system exposed to attacks, the sufficiency and efficiency of defenses, and identifying which particular defenses the test defeats in case that happens. Every security issue investigated and uncovered is to be reported to the system owner. Each test concludes with a report, which indicates the potential impact to the organization and suggests the proper countermeasures that are necessary in order to reduce risks.

---

Interview with Ali Tabish 

"Since complete security starts from physical and ends up at the application layer, we may be required to use different popular methodologies at different levels. Some methodologies are open source, like OSSTMM, OWASP, NIST, and some are proprietary, like McAfee Foundstone, IBM, etc. For a quick reference, at network & operating system level, we usually follow Open Source Security Testing Methodology Manual (OSSTMM) & for web applications, we go for Open Web Application Security Project (OWASP). This isn’t the end, real testing also requires good experience and knowledge for convention case testing, specially required in mobile apps and the latest cutting edge applications."

---

Pentesting Methodologies
by Chrissa Constantine

pentesting methodology is required to conduct the pentest in a consistent and standardized way for repeatable results. The penetration tester carefully documents results and states the risks and findings in a final report. The
methodology is needed to define logical steps in performing a test. The tester will need to know what the client plans to provide regarding information or access to the organization.

---

New security threats need a new approach to PenTesting methodologies
by Simon Wessledine 

In the past, many organisations have relied on an annual or maybe a quarterly pentest to provide the assurance that their network defences are working effectively. This is fine from a compliance perspective but as we all know there is a big difference between being compliant and being secure. Today’s exponential growth in new and more sophisticated threats and the breakdown of the traditional network perimeter means that a more dynamic approach to the way businesses assess their network security posture is needed if companies are to be confident that their defence-in-depth strategies are working 24/7 as designed.

---

Information security regulation in Spanish public departments
by Vanessa Gonzalez 

In 2007, the Spanish government regulated the electronic access for citizens to public services through 11/2007 law. In this regulation, specifically in article 42.2, it is said that the National Security Scheme's objective is to establish the security policy in the use of electronic media, which are taken into account in the scope of this regulation.

---

What is ISO/IEC 27002?
by Junior Carreiro 

The ISO/IEC 27002 framework is complete and it can be audited throughout all sectors of the company. We can see below, it has audit guidelines ranging from the human resources sector, to the area technique, which is our focus here.

---

Risk Assessment Methodology
by Azza Nafti 

Risk is part of all human activity in a complex and constantly changing world. In order to face it, we must implement various preventive actions. However, these actions can have insufficiently mastered risk.
In this context, we will introduce a risk management approach that aims to reduce risk to an acceptable level.

---

Security Audit Methodology
by Mayur Agnihotri

The selected methodology should recognize, dissect and organize security chances that could trade off the classification, respectability and accessibility of information. Furthermore, the methodology should identify and recognize existing controls, insufficient controls and controls that are missing through and through.