Tiller - CISO's Guide to Penetration Testing
Year: 2011. Publisher: CRC Press.
Getting Started
Hiring someone to hack your company goes by many names, such as ethical hacking, penetration testing, tiger teaming, intrusion testing, vulnerability analysis, and even security assessment. In addition, each term has different meanings in different countries or regions. The term penetration testing does not go over well in Central America and some places in the United States, whereas the term ethical hacking is not the preferred term in Western Europe. Tiger team is derived from a military term, and I have heard it used in Taiwan and Japan, other places where the use of the term ethical hacking, as the name of an act, does not go over well. Nevertheless, the most predominant term is penetration testing, more commonly referred to as pentesting.
The intention of this book is simple: explain and detail the methodologies, framework, and unwritten conventions pentests should exercise to provide the most value to organizations seeking to enhance their security posture.
There is a great deal of respect here for other books of similar type, for extensive training on the subject, and for professional service organizations that provide pentesting services. All of these convey valuable information about tools and the processes for using them. However, it is critical that structure and process be combined so that all parties recognize the ultimate value and a company is not tested under poor assumptions.
Security is a lot of things combined in many ways that will have varying degrees of impact, good and bad. This is a lesson in value and risk, and how they relate to pentesting. Within security, one must take into consideration the human element as much as the technical. Additionally, there are the pragmatic issues of value and risk, and their effects on business objectives.
There are several areas associated with pentesting that have yet to be addressed in their entirety. Following is a list of characteristics of pentesting and the gap associated with each. This book provides the framework and structure to address these fundamental issues.
Focusing on tools and technology, and very little on methodology: Today, there is a clear understanding of the use and availability of tools to support pentesting. Thanks to several popular references, the process of technically performing a test is well documented and reasonably well established. However, organizations desperately need to understand the details of the overall process and how to use the test and its results for the betterment of their security posture. This is the ultimate goal behind pentesting but, ironically, it remains elusive and a rarity among the greater population of pentesting engagements.
Interpreting the results: When a system is determined secure because it has survived a controlled attack, it does not necessarily mean that the system is actually secure. The vast number of assumptions, limitations, and expectations inherent in and applied to a test may result in inaccurate conclusions. Moreover, there are situations where the test identifies a voluminous number of vulnerabilities, making it nearly impossible to weed through the information to find what really matters and effectively measure the risk. Another problem is that results are rarely integrated into the company's security program effectively and usually appear as ad hoc point solutions to solve an immediate need, such as a new firewall rule or another untracked policy statement. Those who do not perform insightful planning based on an established process typically do not realize the potential value a pentest can represent to the business. Understandably, a test's lack of comprehensive planning is the root cause of the questionable effectiveness of many tests.
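How one might weed through a voluminous result set, as an added example for this page rather than anything from the book: raw findings are grouped by weakness class and ranked by a business-weighted risk, so that one misconfiguration present on forty hosts becomes a single remediation item and a demonstrated compromise of a critical asset floats to the top. The weights, the asset tiers and every finding in the sample are constructed assumptions.

```python
"""Roll a voluminous pentest findings list up into ranked remediation items.

Added example for this page, not from Tiller's book. The scoring weights,
the asset tiers and every finding below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str         # weakness class, e.g. "default-creds-tomcat-manager"
    severity: float   # scanner severity on a 0-10 scale
    exploited: bool   # True only if the tester actually demonstrated access
    asset_tier: int   # 1 = business-critical ... 3 = low value (assumed CMDB field)


# Assumed weights: critical assets count fully, low-value ones at 30 percent.
TIER_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}
# Assumed multiplier: a proven compromise outweighs a scanner's guess.
EXPLOITED_BONUS = 1.5


def risk(f: Finding) -> float:
    """Business-weighted risk for one finding (assumed formula)."""
    score = f.severity * TIER_WEIGHT[f.asset_tier]
    if f.exploited:
        score *= EXPLOITED_BONUS
    return round(score, 2)


@dataclass
class RemediationItem:
    vuln: str
    hosts: list
    max_risk: float
    exploited_anywhere: bool


def roll_up(findings):
    """Group findings by weakness class, so one root cause present on forty
    hosts becomes one work item instead of forty alerts, then rank items by
    the highest risk any affected host carries."""
    by_vuln = defaultdict(list)
    for f in findings:
        by_vuln[f.vuln].append(f)
    items = [
        RemediationItem(
            vuln=vuln,
            hosts=sorted({f.host for f in fs}),
            max_risk=max(risk(f) for f in fs),
            exploited_anywhere=any(f.exploited for f in fs),
        )
        for vuln, fs in by_vuln.items()
    ]
    # Highest risk first; among equals, the more widespread problem first.
    items.sort(key=lambda i: (i.max_risk, len(i.hosts)), reverse=True)
    return items


# Constructed sample: 94 raw findings, most of them low-value noise.
SAMPLE_FINDINGS = (
    [Finding(f"web{i:02d}", "tls-1.0-enabled", 5.3, False, 3) for i in range(40)]
    + [Finding(f"web{i:02d}", "outdated-jquery", 6.1, False, 3) for i in range(40)]
    + [Finding(f"fs{i:02d}", "smb-signing-not-required", 5.0, False, 2) for i in range(12)]
    + [Finding("app01", "default-creds-tomcat-manager", 9.8, True, 1)]
    + [Finding("portal", "sqli-login-form", 9.1, True, 1)]
)


if __name__ == "__main__":
    for item in roll_up(SAMPLE_FINDINGS):
        flag = "EXPLOITED" if item.exploited_anywhere else ""
        print(f"{item.max_risk:6.2f}  {len(item.hosts):3d} host(s)  {item.vuln:32s} {flag}")
```

Which weights to use is the company's call, not the tester's; what matters is that the ranking is driven by what the test proved and by what each asset is worth to the business, not by the scanner's raw count. The 94 findings above collapse to five work items, and the two demonstrated compromises of critical assets come first.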
Protecting the innocent: Pentesting requires breaking into computer systems or applications to demonstrate the risk of an identified vulnerability. By collecting specific information from the target, a tester can prove access was successful and reveal the risks associated with the exposure. The result is that highly sensitive information about the target's security capabilities (or the lack of them) is collected and maintained far outside the owner's control. If this information were to fall into the wrong hands, it could be used to perpetrate a real attack against the company. Another risk is the information being leaked to the public or to stockholders, who stand to lose their investment if the exposures represent a fundamental risk to the business. Information of this type can result in all types of disasters, including negative portrayals by the media, devaluation, loss of customers, or legal consequences. Also, there are several opportunities for the tester to accidentally inflict harm on intermediaries, such as an Internet service provider (ISP), partners connected to the target's network, or customers interacting with the systems or applications under attack.
Politics and processes: Breaking into a company can represent a substantial threat to the continued employment of several people within the organization. It is essential that the test be performed to support the entire company and not an individual. In some cases, the pentest deliverable was not presented to the people who needed it most to make the necessary security improvements. Politics can play a major role in the planning of a test and in the creation of limitations and expectations, ultimately affecting the outcome. Establishing a solid foundation of communication, expectations, imposed and inherent limitations, and metrics for the test will help to ensure that the company benefits from the experience, not the individual.
Testing dangers: There are several dangers associated with penetration testing. These range from outages, system or application faults, and the destruction of information, to more ominous issues such as information leaks (when questionable resources are used to perform the engagement, possibly sharing critical information with others for status or money) and piggybacking (when a real attacker uses the test's activities to camouflage his own attack). Proper teaming and communication protocols will protect both tester and target from inadvertently harboring illicit activities. Moreover, testing engagements are a prime source for teaching people how to break into networks, especially yours. Great care and attention must be paid to the people performing the test and to their ethics and responsibilities.
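One way to operationalize the communication protocol against piggybacking, as an added example that is not from the book: before the engagement the tester declares source addresses, a test window and a User-Agent marker, and the SOC suppresses only events that match all three. Everything else keeps normal alerting, so an attacker hiding in the noise of the test, a tester working off-hours, or a marker copied by a non-tester each surfaces under its own label. The ROE values, the log lines and the crude attack pattern standing in for IDS signatures are all constructed assumptions.

```python
"""Tell sanctioned pentest traffic from anything riding along with it.

Added example for this page, not from Tiller's book. It assumes the rules of
engagement (ROE) declared the tester's source addresses, the test window and
an agreed User-Agent marker; those values and the log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
import re

# Constructed ROE. 203.0.113.0/24 is a documentation range (RFC 5737).
ROE = {
    "sources": [ipaddress.ip_network("203.0.113.0/29")],
    "start": datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 3, 4, 17, 0, tzinfo=timezone.utc),
    "marker": "pentest-acme-2024q1",   # token the tester agreed to send
}

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Stand-in for the IDS/WAF signature set; deliberately crude.
ATTACK_RE = re.compile(r"\.\./|/etc/passwd|' OR |\.git/|union\s+select|<script", re.I)


@dataclass
class Verdict:
    ip: str
    request: str
    label: str


def classify(line: str, roe=ROE) -> Verdict:
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparsed log line: {line!r}")
    ip = ipaddress.ip_address(m["ip"])
    ts = datetime.strptime(m["ts"], TS_FMT)
    from_tester = any(ip in net for net in roe["sources"])
    in_window = roe["start"] <= ts <= roe["end"]
    marked = roe["marker"] in m["ua"]

    if from_tester and in_window and marked:
        label = "sanctioned"       # matches all three ROE facts: safe to suppress
    elif from_tester and in_window:
        label = "unmarked-tester"  # right source and time, no marker: ask the tester
    elif from_tester:
        label = "outside-window"   # tester range acting off-hours: escalate, never suppress
    elif marked:
        label = "spoofed-marker"   # marker from a non-tester address: someone learned it
    elif ATTACK_RE.search(m["req"]):
        label = "piggyback"        # attack-shaped request that is not part of the test
    else:
        label = "benign"
    return Verdict(str(ip), m["req"], label)


def triage(lines, roe=ROE):
    """Return {label: [Verdict, ...]} for a batch of log lines."""
    out = {}
    for line in lines:
        v = classify(line, roe)
        out.setdefault(v.label, []).append(v)
    return out


# Constructed access-log lines covering each case.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2024:10:15:02 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 404 512 "-" "pentest-acme-2024q1 nikto/2.5"',
    '198.51.100.23 - - [04/Mar/2024:10:15:09 +0000] "GET /login.php?user=\' OR 1=1-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [04/Mar/2024:10:16:00 +0000] "GET /.git/config HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '203.0.113.5 - - [04/Mar/2024:22:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 800 "-" "pentest-acme-2024q1"',
    '198.51.100.77 - - [04/Mar/2024:11:02:45 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "pentest-acme-2024q1"',
    '192.0.2.44 - - [04/Mar/2024:10:17:33 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for label, verdicts in triage(SAMPLE_LOG).items():
        for v in verdicts:
            print(f"{label:16s} {v.ip:15s} {v.request}")
```

The order of the checks is the point: the test window alone never silences an alert. Only the combination of declared source, agreed time and agreed marker is treated as the test; the second line, an injection attempt from an address the tester never declared, is exactly the piggyback case and stays an incident.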
The audience for this book is ultimately senior and executive security management responsible for ensuring a sound security posture, and that investments in security, such as penetration testing, produce value and actionable results for the betterment of the organization. Managers who are looking to solicit third parties (or internal departments) to perform pentests against their networks, systems, applications, and even physical establishments are also beneficiaries of this book. Information security administrators, managers, directors, or anyone considering or responsible for obtaining penetration services can gain a great deal by employing a business-value, business-focused approach.
Information about what to expect from all phases of the test, from the first meetings to accepting the deliverable and knowing how best to use the results, is discussed. The elements detailed will help in distinguishing a good test from a bad one, or in finding the value in what was perceived initially as a failure. Most important, organizations seeking penetration services will gain further insight into the appropriate measures and methodologies that should be practiced by a third party. Finally, this book provides guidance in setting test expectations: What are your expectations? What do you think the results will show? Are you prepared for Pandora's box to be opened? Understanding the details of a test will provide unequalled insight and, most important, business value to any company.