Module 1 - Introduction
• About This Course
• Why Perform Penetration Tests?
• Security Certifications
• Types of Pentesting

About This Course
• Presenter Information
• Video Access
• Course Disks
• Network Configuration
• Certificate of Course Completion
• Course Support

Presenter Information
• Thomas Wilhelm
  ○ ISSMP / CISSP / SCSECA / SCNA / SCSA / IAM
  ○ IT industry: 15+ years
  ○ Security industry: 7+ years
  ○ U.S. Army: SIGINT Analyst / Cryptanalyst
  ○ Fortune 100: Penetration Testing / Risk Assessments
  ○ Author, “Penetration Tester’s Open Source Toolkit, Vol. 2”
Video Access
• 30 days of access to the videos
  ○ Use the login information provided at enrollment
• 60 days to complete the PenTest document to ISSAF standards
• http://heorot.net/instruction/PTF/
Course Disks
• Disk 1.100
  ○ Used in the video instruction
• Disk 1.101
  ○ Used in the hands-on exercises and in the “Independent PenTest Effort” required for the Certificate of Course Completion
• BackTrack
  ○ Used as the penetration tester’s toolkit
Network Configuration
• Configuration issues are discussed on the de-ice.net forum:
  http://de-ice.net/index.php?name=PNphpBB2&file=viewforum&f=17
• The course disks can be run in a virtual machine
Certificate of Course Completion
• Awarded upon receipt and acceptance of formal documentation of the Independent PenTest Effort
  ○ The documentation must meet ISSAF standards
  ○ The “Independent PenTest Effort” uses Disk 1.101
  ○ The required material is covered in Modules 4-8
Certificate of Course Completion - Grading
• General Documentation – 250
  ○ Management summary
  ○ Scope of the project (including out-of-scope parts)
  ○ Tools that were used (including exploits)
  ○ Dates and times of the actual tests on the systems
• Identification of Weaknesses & Vulnerabilities – 650
  ○ A list of all identified vulnerabilities
  ○ Output of the tests performed (screenshots or a “script” text file)
• Action Points – 100
  ○ Recommendation of what to mitigate first
  ○ Recommended solution
Course Support
• Email: training@heorot.net
  ○ Support 24x7
• Instructor: PTF@heorot.net
  ○ Online chat Tuesdays and Thursdays, 9 pm Eastern; also available by appointment
  ○ Available by phone by appointment
Why Perform Penetration Tests?
• Black Hat vs. White Hat
• Code of Ethics
• Legal Responsibilities
Code of Ethics
• CISSP Code of Ethics canons:
  ○ Protect society, the commonwealth, and the infrastructure.
  ○ Act honorably, honestly, justly, responsibly, and legally.
  ○ Provide diligent and competent service to principals.
  ○ Advance and protect the profession.
Black Hat vs. White Hat
• Black Hat:
  ○ “A black hat is a person who compromises the security of a computer system without permission from an authorized party, typically with malicious intent.” - Wikipedia
• White Hat:
  ○ “A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems.” - Wikipedia
Legal Responsibilities
• Federal mandates
  ○ SOX
  ○ HIPAA
  ○ FISMA, etc.
• State mandates
  ○ California Senate Bill 1386
  ○ Many other states are following California’s example
Security Certifications
• Generalized Knowledge
• Appliance-Specific
• Methodology
Generalized Knowledge
• (ISC)2
  ○ ISSMP / ISSAP / ISSEP / CISSP / SSCP
• Prosoft Learning
  ○ Certified Internet Web Professional (CIW) program: Designer / Administrator / Manager / Developer
• SANS Institute
  ○ Global Information Assurance Certification (GIAC): GISF / GSEC / GCFW / GCIA / GCUX... and more
Appliance-Specific
• Cisco
  ○ CCSP / CCIE
• Check Point
  ○ CCSA / CCSE
• RSA Security
  ○ CSA / CSE
• TruSecure
  ○ TICSA / TICSE
• Operating systems
  ○ SCSECA (Sun Solaris)
  ○ RHCSS (Red Hat)
  ○ MCSE: Security (Microsoft)
Methodology
• National Security Agency
  ○ IAM / IEM
• EC-Council
  ○ CEH
Types of Penetration Testing
• Network
• Host
• Application
• Database
Network
• Password
• WLAN Security
• Switches / Routers
• Internet User Security
• Firewall
• AS/400
• Intrusion Detection
• Lotus Notes
• VPN
• Storage
Host
• Unix / Linux
• Windows
• Novell NetWare
• Web Server
Application
• Web Application
• Source Code Auditing
• Binary Auditing
Database
• Database Security
• Social Engineering
Module 1 - Conclusion
• Why Perform Penetration Tests?
• About This Course
• Security Certifications
• Types of Pentesting