MSc System and Network Engineering Penetration testing auditability Alexandros Tsiridis & Stamatios Maritsas
Introduction to the research (slide 2)
Research questions:
- What is the purpose of penetration testing auditability?
- What are the sources of penetration testing auditability data?
- What methods can be used to effectively audit these sources?
- What methods can be used to store these data efficiently and practically?
- How can penetration testing auditability enhance collaboration during penetration testing?
Penetration testing (slide 3)
Penetration testing is characterised as an art: it is not a standardised procedure, so it cannot be fully automated. Consequently, auditing a penetration test cannot be fully automated either. Auditability can, however, be improved by following a more structured methodology.
Sources (slide 4)
Identifying the sources of auditability data:
- Manual actions: command line; other actions
- Automated actions: command line tools; GUI tools
Gathering and storing (slide 5)
Identifying the methods that can be used to effectively audit and store these sources:
- Capture the command line streams
- Screenshots
- Screencasting
- Log files and reports of automated tools
- Manual notes
- Centralised storage space
Collaboration (slide 6)
Penetration testing auditability can enhance collaboration during penetration testing:
- Planning
- Task sharing
- File sharing
- Relating files to tasks
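As an added illustration of slides 4 to 6 (capturing the command line streams, storing the records centrally, and relating files to tasks), and not code from the authors' prototype: a small Python wrapper that runs a command-line tool, records who ran what, where and when together with the full stdout/stderr streams and exit code, links the record to a task id and to the SHA-256 of any files it produced, and appends it to an append-only JSONL log in which every record carries the hash of the previous line, so that later alteration or deletion of earlier records is detectable. The log path, the `task_id` values and the demo commands are assumptions for the example; the slides do not specify the prototype's storage layout.

```python
import getpass
import hashlib
import json
import os
import socket
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first record of an empty log


def _sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return _sha256_bytes(fh.read())


def _last_line_hash(log_path: str) -> str:
    """SHA-256 of the last record already in the log (GENESIS for a missing or empty log)."""
    if not os.path.exists(log_path) or os.path.getsize(log_path) == 0:
        return GENESIS
    with open(log_path, "rb") as fh:
        return _sha256_bytes(fh.read().splitlines()[-1])


def _current_user() -> str:
    try:
        return getpass.getuser()
    except Exception:  # some containers have no passwd entry for the running uid
        return "unknown"


def run_audited(argv, task_id, log_path, note="", artifacts=()):
    """Run a command-line tool and append one audit record to a hash-chained JSONL log.

    argv      : command and arguments, as for subprocess.run
    task_id   : assumed identifier of the pen-test task this action belongs to
    log_path  : assumed path of the (centrally collected) audit log
    note      : free-text manual note by the tester
    artifacts : paths of files produced by the action (screenshots, tool reports)
    """
    started = datetime.now(timezone.utc).isoformat()
    proc = subprocess.run(list(argv), capture_output=True, text=True, errors="replace")
    finished = datetime.now(timezone.utc).isoformat()
    record = {
        "prev_hash": _last_line_hash(log_path),  # chains this record to the previous one
        "started": started,
        "finished": finished,
        "user": _current_user(),
        "host": socket.gethostname(),
        "cwd": os.getcwd(),
        "task_id": task_id,
        "argv": list(argv),
        "exit_code": proc.returncode,
        "stdout": proc.stdout,  # full captured streams, not just a summary
        "stderr": proc.stderr,
        "note": note,
        "artifacts": [{"path": p, "sha256": _sha256_file(p)} for p in artifacts],
    }
    line = json.dumps(record, sort_keys=True, ensure_ascii=False)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return record


def verify_chain(log_path):
    """Check every record's prev_hash against the SHA-256 of the preceding raw line.

    Returns (True, n) when all n records chain correctly, or (False, i) where i is
    the index of the first record whose link is broken, i.e. an earlier record was
    altered, reordered or removed after it was written.
    """
    expected = GENESIS
    count = 0
    with open(log_path, "rb") as fh:
        for raw in fh.read().splitlines():
            if json.loads(raw)["prev_hash"] != expected:
                return False, count
            expected = _sha256_bytes(raw)
            count += 1
    return True, count


if __name__ == "__main__":
    # Constructed demo: two harmless commands stand in for real pen-test tooling.
    log = os.path.join(tempfile.mkdtemp(), "audit.jsonl")
    run_audited([sys.executable, "-c", "print('recon output')"], "T-1", log, note="demo")
    run_audited([sys.executable, "-c", "import sys; sys.exit(2)"], "T-1", log)
    print(verify_chain(log))  # (True, 2)
```

Shipping the JSONL file to the centralised storage space (or writing it there directly) keeps the team's records in one place; because each line commits to the previous one, the team can check with `verify_chain` that the shared log has not been edited before it is used as evidence or handed to a report writer.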
Framework (slide 7): proposed methodology / framework
Prototype architecture (slide 8)
Prototype implementation (slide 9)
Demo (slide 10)
Results & Conclusion (slide 11)
Evaluation survey of pen testers. Each chart plots the number of pen testers against the rating they gave (ratings out of 10):
- "Please rate how this system would improve the performance of pen testing auditability." Ratings given: 7 to 10. Mean 7.75, median 8.
- "Please rate how this system would improve the collaboration of pen testers." Ratings given: 5 to 10. Mean 7.5, median 7.5.
- "Please rate how this system would improve the quality and the quantity of pen testing auditability data gathered." Ratings given: 6 to 10. Mean 7.625, median 8.
Questions (slide 12)
References (slide 13)
Daniel Geer and John Harthorne. Penetration testing: A duet. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002), pages 185-195. IEEE, 2002.