Process Flow: Understanding the Penetration Test and Vulnerability Assessment

Begin

Background
Object notes:
Why conduct Pen Test/Vulnerability Assessments
- More reliance on IT
- Homogeneity of systems and applications
- More sophisticated hackers
- Failure to change default configuration settings
- Security is an afterthought

Objectives

Approach

Phases

Deliverables

Assumptions
Object notes:
1.  Cooperation and agreements between client, service provider, host provider, ISP, etc. to ensure successful completion of PenTest/Vulnerability Assessment.

2.  Tasks include identifying potential and actual problem areas, providing alternatives and recommendations; tasks do not include implementing alternatives and/or recommendations.

3.  Pen Test/Vulnerability Assessment team will notify client of any current and/or potential adverse impact on client's IT environment as discovered by and/or created by the study.

End

Determine Vulnerabilities
Object notes: 
External Penetration (Internet hackers)
Internal Penetration (intranet, untrusted link/network)

External Pen Test

Internal Pen Test
Object notes: 
- Intranet based (within enterprise)
- Security review (policies, standards, procedures)
- Access control
- Authentication

Probe Security Perimeter
Object notes: 
- Firewalls
- DMZ
- Routers
- FTP
- Applications
- Dial-ups
- eMail

Fact Gathering - Detail available in the purchased product

Port Scans - Detail available in the purchased product

Vulnerability Scans - Detail available in the purchased product

Manual Probes - Detail available in the purchased product

Current Hacker Techniques & Exploitations - Detail available in the purchased product

Network Vulnerabilities - Identified information leaks, potential problems, and exploitable vulnerabilities must be reported to the client and rated based on criticality.

Specific Technical Mitigations - Specific mitigations for all potential or real threats will be provided.

Network Architecture Recommendations - Recommendations for a long-term security strategy will be provided to meet industry best practices and standards.