Re: Penetration Test Report

From: Randy Pacheco (randy.pachecopsthawaii.com)
Date: Thu Jul 09 2009 - 14:17:50 CDT


Aloha,

I agree with the comments that too long a report makes no one want to
read it. Even myself. It took us numerous tries to change our report style
until we were able to come up with a style that works with the Credit Union
Executives, Board Members and their third-party vendor that takes care of
their infrastructure. We did not want to tell them what to do but rather
showed the flaw, gave feedback and talked about best practice. We learned
that Credit Unions will take your recommendations at face value and try to
do what you recommend. The issue here is that when you recommend and the
Credit Union uses it, they can come back to you and hold you responsible for
the recommendation if they were to get compromised. We did not want to be
in that situation, so we stepped back and used the words "Best practice",
which does cover us.

At the end of our report we use the Appendix to show the vulnerabilities in
different formats for ease of reading. In the actual body of the report we
only highlight the most important. But we also take it further. We look
for security policies, backup policies, business continuity plan, user
policies, vendor policies, firewall policies, website policies,
infrastructure documentation, inventory documents, user access policy and
PCI compliance training for employees. We feel that if we are going to do an
assessment, the assessment should be as if we were the owners of the business
and what we would want to show the NCUA to prove that we are complying.

On 7/8/09 6:12 AM, "fx0ne" <seyi.akingmail.com> wrote:

>
> Hi all,
>
> I have been an information security consultant/pen tester for about 6 years
> working with a company that has been an OSSTMM gold team member for about
> two years and been using the methodology for close to five years now even
> though we are mainly operating out of Africa where PT is still being
> regarded as some sort of "black art". Most of our clients are big financial
> institutions and conglomerates.
>
> Let me cut to the chase. I would like to share with you a VA/PT report
> framework that I came up with from my experience consulting in this field.
> It has a bias towards the OSSTMM methodology (in fact a few points were
> extracted from its report). I do not know how reports are structured in
> other parts of the world, but I do know that other than the engagement
> itself, the report serves to justify the derived value around these parts.
>
> I have googled for sample reports, but to say I came up short is a
> masterpiece of understatement. What I found were either too verbose and
> grandiose or downright shallow in content, missing out salient but pertinent
> details in mostly audacious attempts at describing all the technical input
> and results - detailed layout, logical flow and visual analysis are
> conspicuous only by their absence.
>
> I have always believed that in order to get inside the mentality, first we
> have to jettison the PT myth. Furthermore I am also of the opinion that a
> VA/PT report should be as simple and clear as it is concise and should cut
> across all strata of audience not just the technically minded.
>
> All these put together led me to put up what is the first draft of the Open
> Source Security Assessment Report (OSSAR v0.5), which I hope will complement
> the OSSTMM. This is something that will be updated as often as I can with
> new information. I kindly request members of this group to download it
> and give an objective opinion on the material. I am very much interested in
> what this community thinks. Comments (+ve or -ve), suggestions and
> modifications are welcome. A review by Pete will also be highly
> appreciated.
>
> This is a VA/PT report for a fictitious bank called eClipse Bank PLC, carried
> out by another fictitious company, Cynergi Solutions Inc. All names, URLs,
> IPs, etc. are fictitious. Some of the vulnerabilities discussed have actually
> occurred for real, but I have replaced all the pesky details.
>
> The report is attached or it can be downloaded at
> http://digitalencode.net/ossar/ossar_v0.5.pdf
>
> Looking forward to your feedback.
>
> Thank you

--
Randal Pacheco
