Vulnerability Mapping

Vulnerability Mapping

is a process of identifying and analyzing the critical security

flaws in the target environment. This terminology is also sometimes known as

vulnerability assessment

program through which the security controls of an IT infrastructure can be analyzed

against known and unknown vulnerabilities. Once the operations of information

gathering, discovery, and enumeration have been completed, it is time to investigate

the vulnerabilities that may exist in the target infrastructure which could lead

. It is one of the key areas of the vulnerability management

to a compromise of the target and violation of the confidentiality, integrity, and

availability of a business system.

 we will be discussing two common types of vulnerabilities,

presenting various standards for the classification of vulnerabilities, and explaining

some of the well-known vulnerability assessment tools provided under the

BackTrack operating system. The overall discussion of this chapter constitutes:

•

The concept of two generic types of vulnerabilities—local and remote.

•

to classify any vulnerability according to its unifying commonality pattern.

The vulnerability taxonomy pointing to industry standards that can be used

•

A number of security tools that can assist in finding and analyzing the

security vulnerabilities present in a target environment. The tools presented

are categorized according to their basic function in a security assessment

process. These include OpenVAS, Cisco, Fuzzing, SMB, SNMP, and web

application analysis tools.

Read More

Target Scoping

Target Scoping

is defined as an empirical process for gathering target assessment

requirements and characterizing each of its parameters to generate a test plan,

limitations, business objectives, and time schedule. This process plays an important

role in defining clear objectives towards any kind of security assessment. By

determining these key objectives one can easily draw a practical roadmap of what

will be tested, how it should be tested, what resources will be allocated, what

limitations will be applied, what business objectives will be achieved, and how the

test project will be planned and scheduled. Thus, we have combined all of these

elements and presented them in a formalized

goal. Following are the key concepts which will be discussed in this chapter:

scope process to achieve the required

•

the target environment through verbal or written communication.

Gathering client requirements deals with accumulating information about

•

include shaping the actual requirements into structured testing process, legal

agreements, cost analysis, and resource allocation.

Preparing test plan depends on different sets of variables. These may

•

penetration testing assignment. These can be a limitation of technology,

knowledge, or a formal restriction on the client's IT environment.

Profiling test boundaries determines the limitations associated with the

•

technical objectives of the penetration testing program.

Defining business objectives is a process of aligning business view with

•

penetration testing process with a proper timeline for test execution. This

can be achieved by using a number of advanced project management tools.

It is highly recommended to follow the scope process in order to ensure test

consistency and greater probability of success. Additionally, this process can also

be adjusted according to the given situation and test factors. Without using any

such process, there will be a greater chance of failure, as the requirements gathered

will have no proper definitions and procedures to follow. This can lead the whole

penetration testing project into danger and may result in unexpected business

interruption. Paying special attention at this stage to the penetration testing process

would make an excellent contribution towards the rest of the test phases and clear

the perspectives of both technical and management areas. The key is to acquire as

much information beforehand as possible from the client to formulate a strategic

path that reflects multiple aspects of penetration testing. These may include

negotiable legal terms, contractual agreement, resource allocation, test limitations,

core competencies, infrastructure information, timescales, and rules of engagement.

As a part of best practices, the scope process addresses each of the attributes

necessary to kickstart our penetration testing project in a professional manner.

As we can see in the preceding screenshot, each step constitutes unique information

that is aligned in a logical order to pursue the test execution successfully. Remember,

the more information that is gathered and managed properly, the easier it will be for

both the client and the penetration testing consultant to further understand the process

of testing. This also governs any legal matters to be resolved at an early stage. Hence,

we will explain each of these steps in more detail in the following sectionProject management and scheduling directs every other step of the

Read More

BackTrack testing methodology

BackTrack is a versatile operating system that comes with number of security
assessment and penetration testing tools. Deriving and practicing these tools without
a proper methodology can lead to unsuccessful testing and may produce unsatisfied
results. Thus, formalizing the security testing with structured a methodology is
extremely important from a technical and managerial perspective.
The BackTrack testing methodology we have presented in this section will constitute
both the black-box and white-box approaches. Either of these approaches can be
adjusted according to the given target of assessment. The methodology is composed
of a number of steps that should be followed in a process at the initial, medial, and
final stages of testing in order to accomplish a successful assessment. These include
Target Scoping, Information Gathering, Target Discovery, Enumerating Target,
Vulnerability Mapping, Social Engineering, Target Exploitation, Privilege Escalation,
Maintaining Access, and Documentation and Reporting.
Whether applying any combination of these steps with black-box or white-box
approaches, it is all left up to the penetration tester to decide and choose the most
strategic path according to the given target environment and its prior knowledge
before the test begins. We will explain each stage of testing with a brief description,
definition and its possible applications.
The illustration for the BackTrack testing process is also given below.
Target scoping
Before starting the technical security assessment, it is important to observe and
understand the given scope of the target network environment. It is also necessary to
know that the scope can be defined for a single entity or set of entities that are given to the
auditor. What has to be tested, how it should be tested, what conditions should be applied
during the test process, what will limit the execution of test process, how long will it take
to complete the test, and what business objectives will be achieved, are all the possible
outlines that should be decided under target scoping. To lead a successful penetration
testing, an auditor must be aware of the technology under assessment, its basic
functionality, and interaction with the network environment. Thus, the knowledge of an
auditor does make a significant contribution towards any kind of security assessment.
Information gathering
Once the scope has been finalized, it is time to move into the reconnaissance phase.
During this phase, a pentester uses a number of publicly available resources to
learn more about his target. This information can be retrieved from Internet sources
such as forums, bulletin boards, newsgroups, articles, blogs, social networks, and
other commercial or non-commercial websites. Additionally, the data can also
be gathered through various search engines such as Google, Yahoo!, MSN Bing,
Baidu, and others. Moreover, an auditor can use the tools provided in BackTrack
to extract network information about a target. These tools perform valuable data
mining techniques for collecting information through DNS servers, trace routes,
Whois database, e-mail addresses, phone numbers, personal information, and user
accounts. The more information that is gathered it will increase the chances for the
success of penetration testing.

Read More

Centos 5.3 virtual box image

--hello linux -assiut members
here is a link to download centos 5.3 virtual box image
http://sourceforge.net/projects/virtualboximage/files/CentOS/5.3/

click on centos-5.3-x86.7z the download will start
after the download is finish extract the file with winrar
then you will need virtual box software to run the image on your windows
here is the download link
http://download.virtualbox.org/virtualbox/4.0.2/VirtualBox-4.0.2-69518-Win.exe
download and install the software then create new machine
choose name and operating system
choose size of RAM for the machine 512 mb recommended
when choosing the harddisk there is a file named centos-5.3-x86.vdi
in the extracted folder use this file as harddisk
then follow to the end you now have your centos image to run

the username and password for centos
user: root
password: roottoor

Read More

Team work and team building essentials

Team building skills are critical for your effectiveness as a manager or entrepreneur. And even if you are not in a management or leadership role yet, better understanding of team work can make you a more effective employee and give you an extra edge in your corporate office.
A team building success is when your team can accomplish something much bigger and work more effectively than a group of the same individuals working on their own. You have a strong synergy of individual contributions. But there are two critical factors in building a high performance team.
The first factor in team effectiveness is the diversity of skills and personalities. When people use their strengths in full, but can compensate for each other's weaknesses. When different personality types balance and complement each other.
The other critical element of team work success is that all the team efforts are directed towards the same clear goals, the team goals. This relies heavily on good communication in the team and the harmony in member relationships.
In real life, team work success rarely happens by itself, without focused team building efforts and activities. There is simply too much space for problems. For example, different personalities, instead of complementing and balancing each other, may build up conflicts. Or even worse, some people with similar personalities may start fighting for authority and dominance in certain areas of expertise. Even if the team goals are clear and accepted by everyone, there may be no team commitment to the group goals or no consensus on the means of achieving those goals: individuals in the team just follow their personal opinions and move in conflicting directions. There may be a lack of trust and openness that blocks the critical communication and leads to loss of coordination in the individual efforts. And on and on. This is why every team needs a good leader who is able to deal with all such team work issues.
Here are some additional team building ideas, techniques, and tips you can try when managing teams in your situation.

• Make sure that the team goals are totally clear and completely understood and accepted by each team member.
• Make sure there is complete clarity in who is responsible for what and avoid overlapping authority. For example, if there is a risk that two team members will be competing for control in certain area, try to divide that area into two distinct parts and give each more complete control in one of those parts, according to those individual's strengths and personal inclinations.
• Build trust with your team members by spending one-on-one time in an atmosphere of honesty and openness. Be loyal to your employees, if you expect the same.
• Allow your office team members build trust and openness between each other in team building activities and events. Give them some opportunities of extra social time with each other in an atmosphere that encourages open communication. For example in a group lunch on Friday. Though be careful with those corporate team building activities or events in which socializing competes too much with someone's family time.
• For issues that rely heavily on the team consensus and commitment, try to involve the whole team in the decision making process. For example, via group goal setting or group sessions with collective discussions of possible decision options or solution ideas. What you want to achieve here is that each team member feels his or her ownership in the final decision, solution, or idea. And the more he or she feels this way, the more likely he or she is to agree with and commit to the decided line of action, the more you build team commitment to the goals and decisions.
• Be careful with interpersonal issues. Recognize them early and deal with them in full.
• Don't miss opportunities to empower your employees. Say thank you or show appreciation of an individual team player's work.
• Don't limit yourself to negative feedback. Be fare. Whenever there is an opportunity, give positive feedback as well.

Finally, though team work and team building can offer many challenges, the pay off from a high performance team is well worth it.

Read More