iVolution Security Technologies

Course Profile

Framework for Information Security Testing - FIST
Code : SEC705
Length : 2 Days
Course Costs
$1,895.00 USA
$1,955.00 Canada
£1,200.00 UK

The NETalert Curriculum

Our curriculum has been developed from actual penetration testing and assessment experience. It is designed to teach Security Professionals the in-depth methodologies, models, tools and techniques required to perform comprehensive Information Security Penetration Tests and assessments. The curriculum, which includes our premier Applied Penetration Testing, Network Security Assessment and Framework for Information Security Testing courses, covers engagement management and planning in addition to testing in all modern infrastructures, operating systems and application environments. Our focus is not only on the technology but also on the identification of resources crucial to a successful assessment and test. It takes you into the culture of the Security Professional, where you receive an intensive learning experience.

Course Summary

This two-day course is designed to give information technology (IT) and network managers the practical knowledge and methodology required to effectively run a Penetration Test.

The FIST Framework goes beyond what normal penetration testing and ethical hacking methodologies encompass. It addresses the logistics processes, planning, operations, rules of engagement and analysis required for successful testing. FIST examines testing from a strategic and tactical perspective. Critical issues are emphasized, such as methodology over technologies, interpretation of results, testing procedures, engagement management and the role of teams.

The course also focuses on management’s role in penetration testing and on penetration team deployment at the strategic and technical levels using the FIST methodology. Students will gain a thorough understanding of Penetration Testing, Return on Investment (ROI) and deliverables, as well as the legal issues surrounding Penetration Testing. This course provides attendees with an in-depth understanding of the FIST model, which includes the following elements: Planning, Operations, Reconnaissance, Enumeration, Analysis, Exploitation, Deliverables and Integration.

Attendees will learn how to use the FIST model to plan and manage a coordinated, controlled attack against enterprise-class networks. Students will also learn how to integrate lessons learned from the attack to provide mitigation for network security issues.

The course involves lecture/briefings, demonstrations, scenario-based exercises, and open discussion to help participants develop their understanding of the problems and strategies for security penetration testing.

Course Highlights

  • The FIST Framework
  • Understanding Business objectives and challenges
  • Building a roadmap
  • Project initiation
  • Managing the engagement
  • Engagement planning
  • FIST Phases
  • Planning a controlled attack
  • Understanding inherent and imposed limitations in testing
  • Required Knowledge
  • Attack types: Opportunistic and Targeted.
  • Understanding Attack source points and attack pivoting
  • Employing Multi-Phased attacks, series shared, series isolated
  • Attack groups and threads
  • Understanding the Pros and Cons of Multi-phased attacks
  • Teaming and attack structure
  • Understanding teams: Red Team, Blue Team, White Team
  • Engagement Planning
  • Understanding the role of Law Enforcement
  • Preparing a 'hack'
  • Technical preparation
  • Attack Network Architecture
  • Data protection and management
  • Evasion tactics
  • Exploitation of services
  • Understanding vulnerability analysis
  • Final reporting and analysis
  • The Deliverable

Students are also provided with a CD containing tools used in the class.

Course Prerequisites

It is recommended that all students have at least a basic knowledge of TCP/IP as well as networking (as exhibited in Net+, CCNA®, CNA, or MCP) prior to enrolling in this course.

Who Should Attend

System and Network Administrators
Network Managers
Network Architects
Project Managers
Security and Firewall Administrators
Security Engineers
Professional Security Analysts
Chief Security Officers
Chief Intelligence Officers

Course Outline

The Problem
  • Defining a Penetration test
  • Value Perspective
  • Where does the Security Penetration Test fit
  • Legalities of pen testing
Security Models 
  • Computer Security
  • Network Security
  • Service Security
  • Application Security
  • Security Architecture
Information Security Program 
  • Scope of Information Security Programs
  • Processes of Information Security
  • Risk
  • Managing Risk
  • Processes
  • Security Programs
  • Risk Analysis / Penetration Testing
Business Rationalization
  • Business Objectives
  • Security Policies
  • Previous Results
  • Building a Roadmap
  • Business Challenges
  • Government Regulations and Standards
  • Why Penetration Testing
  • Third Party Perspective
  • Overall Expectations
  • Depth of Attack
The FIST Framework
  • Planning Phase
  • Operations
  • Reconnaissance
  • Enumeration
  • Analysis
  • Exploitation
  • Maintaining Access
  • Deliverable
  • Integration
  • Controls
Planning Controlled Attacks 
  • Limitations
  • Attack Types
  • Attack Source Point
  • Required Knowledge
  • Multi Phased Attacks
  • Parallel Shared
  • Parallel Isolated
  • Series Shared
  • Series Isolated
  • Leveraging Multi-Phase Tests
  • Teaming and Attack Structure
  • Engagement Planner
  • Logistics
  • Agreements
  • System / Data Integrity
  • Law Enforcement
  • Planning the ‘Hack’
  • Technical Preparation
  • Data Protection and Management
  • Attack Network Architectures
  • Engagement Management
Reconnaissance
  • Social Engineering
  • Prowling and Surfing
  • Corporate Identity Assumption
  • Physical Security
  • Internet Reconnaissance
  • Privacy Review
  • Document Grinding
  • Process Security
  • Network Surveying
  • Passive - Active Scanning
  • Technical Reconnaissance
  • Stealth
  • Intrusion Detection Prevention Systems (Identification) 
Enumeration  / Vulnerability Mapping
  • Enumeration Techniques
  • Soft Objectives
  • Elements of Enumeration
  • Network Services Identification
  • Network Services Verification
  • Preparing for the Next phase
  • Intrusion Detection Prevention Systems (Testing)
Vulnerability Analysis
  • Vulnerability Weight
  • Source Points
  • Vulnerability Research
  • Vulnerability Verification
  • Vulnerability Mapping
  • Reporting Dilemma
Exploitation
  • Evasion
  • Threads and Groups
  • Operating Systems
  • Root kits
  • Applications 
  • Customer Applications
  • War Dialing
  • WiFi Exploitation
  • Network Perimeter
  • Service areas of Concern
Final Analysis
  • Conclusions
  • Overall Structure
  • Results Alignment
  • Technical Measurement
  • Business Measurement
  • Presentation
  • Remedial
  • Tactical
  • Strategic
Deliverables 
  • Final Analysis
  • Potential Analysis
  • The Document
  • Executive Summary
  • Presenting findings
  • Planning and Operations
  • Vulnerability Ranking
  • Process Mapping
  • Recommendations
  • Exceptions
  • Limitations
Integration of Results 
  • Issues with Remediation Integration Summary
  • Mitigation of vulnerabilities
  • Defense Planning
  • Awareness Training
  • Awareness Programs
  • Incident Management
  • Response Teams
  • Security Policy Review
  • Data Classification
Controls 
  • Control Objectives
  • Audit Guidelines
  • Management guidelines
  • Plan and Organize
  • Define a Strategic IT Plan
  • Define the IT Processes,
  • Assess and Manage IT Risks
  • Manage Third-party Services
  • Ensure Systems Security
  • Educate and Train Users

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group