iVolution Security Technologies

Course Profile

Applied Penetration Testing
Code : SEC710
Length : 5 Days
$3,995.00 CDN
$3,995.00 USA
£2,100.00 GBP

The NETalert Curriculum

Our curriculum has been developed from actual penetration testing and assessment experience. It has been designed to allow us to teach Security Professionals the in-depth methodologies, models, tools and techniques required to perform comprehensive Information Security Penetration Tests and assessments. Our curriculum, which includes our premier Applied Penetration Testing, Network Security Assessment and Framework for Information Security Testing, covers engagement management and planning in addition to testing in all modern infrastructures, operating systems and application environments. Our focus is not only on the technology but also on the identification of resources crucial to a successful assessment and test. It takes you into the culture of the Security Professional, where you receive an intensive learning experience.

The Framework for Information Security Testing - FIST

You will be trained using the Framework for Information Security Testing (FIST) – The Framework provides a rigorous and thorough approach to security testing.

The FIST Framework goes beyond what normal penetration testing and ethical hacking methodologies encompass. It goes beyond the technical aspects of a penetration test to address the logistics processes, planning, operations, rules of engagement and analysis required for successful testing. FIST examines testing from a strategic and tactical perspective. Critical issues are emphasized, such as methodology over technologies, interpretation of results, testing procedures, engagement management and the role of teams. Each step in the process is weighed against associated risks and inherent limitations, and the appropriate controls that should be in place to mitigate them are examined.

The framework provides a foundation for managing the entire engagement by embedding processes. It provides a foundation and opportunity to thoroughly investigate test options and determine their impact on testing value. It establishes processes and interaction between the technical elements of an engagement and the inherent limitations of a penetration test.

FIST provides a comprehensive, focused framework for security testing.

Course Summary

In this course students will learn the necessary skills and ethics to be an efficient and resourceful Penetration Tester. This highly interactive 5-day course teaches standardized methodologies and models, and integrates cutting-edge techniques used in Penetration Testing.

Students will be able to perform the intensive and exhaustive assessments required to effectively identify and mitigate security risks. You will learn how to design, secure, and test networks to protect an organization from the real threats hackers and crackers pose, using the same tools they employ.

Course Highlights

Interactive security testing labs and case studies that encompass:

  • The FIST framework
  • Understanding Defense in Depth
  • Understanding the Threat
  • Using "hacker" tools
  • Exploit research
  • SSL Tunneling
  • Footprinting the Internet presence
  • Document grinding
  • Manual exploitation of devices and services
  • Perimeter security testing
  • Assess router vulnerabilities
  • Advanced Firewall identification techniques
  • Understanding firewall vulnerabilities
  • Enumerating router and firewall ACLs
  • Bypass router and firewall filtering
  • Tunneling Attacks
  • Wireless network security
  • Automated vulnerability scanners
  • Automated attack and exploit frameworks such as Metasploit and Core Impact
  • Attack pivoting
  • Advanced scanning techniques
  • Service enumeration techniques
  • OS identification - active and passive
  • Scanning for Web vulnerabilities
  • Intrusion Detection (IDS / IPS) evasion techniques
  • Advanced network attacks
  • Windows network penetration
  • Advanced network attacks - Cisco router penetration
  • VoIP Security
  • Password cracking
  • Privilege escalation
  • Root kits and backdoors
  • Producing Penetration Testing Reports

Students are also provided with a CD containing tools used in the class.

Course Prerequisites

It is recommended that all students have at least a basic knowledge of TCP/IP as well as networking (as exhibited in Net+, CCNA®, CNA, or MCP) prior to enrolling in this course. Students should also have a working knowledge of the Linux operating system, but it is not critical.

Who Should Attend

System and Network Administrators
Network Architects
Security and Firewall Administrators
Security Engineers
Professional Security Analysts
Chief Security Officers
Chief Intelligence Officers

Course Outline

The Need for Information Security

  • Environmental complexity
  • Information Security and the Internet
  • Understanding Risk
  • Simplified Risk Assessment
  • Minimizing and Mitigating Risk
  • Security Postures

Attacker Stratification

  • Information warfare
  • Information Warriors
  • National Intelligence Collectors
  • Business Intelligence Collectors
  • 3rd Party Consultants / Vendors
  • Terrorists
  • Organized Crime - Cyber Cartels
  • Current and Former Employees
  • Hackers
  • Attacker Motivations
  • Attacker Methods
  • Intrusion Profiles

Attack Goals and Methodologies

  • Direction of Internet Security
  • New Wave of Hacking
  • Exploit Goals
  • Exploit Techniques
  • Exploit Methodologies
  • Information Leakage
  • Attack Recovery

FIST

  • ROI
  • Setting expectations
  • Testing Limitations
  • Applying the model
  • Engagement Management
  • Planning
  • Operations
  • Enumeration
  • Analysis
  • Exploitation
  • Deliverables
  • Integration
  • Final analysis
  • The final report

Professional Security Testing

  • Understanding Professional Security Testing
  • Legislation and the Law
  • Ethics in Security Testing
  • Best Practice Compliance
  • Setup Strategies
  • Rules / Team Setup
  • Attack Resources
  • Scheduling Requirements
  • Pre-Test Assessment
  • Phases of Penetration Testing
  • The Security Presence
  • Rules of Engagement
  • Building an Attack Server
  • Building an Attack Network

Information Gathering and Research

  • Competitive Intelligence (CI)
  • Privacy Review
  • Document Grinding
  • Advanced Web Grinding
  • Google “Hacking”
  • Discovering Critical Information
  • Port Scanning Techniques
  • Service Protocol Interrogation
  • Advanced OS Fingerprinting
  • Advanced Service Discovery
  • Internet Core Protocols
  • Advanced Protocol Manipulation
  • Identifying Points of Attack

Perimeter Security Testing

  • Understanding Defense in Depth
  • Understanding ACLs, Firewalls and Trusted Systems
  • DMZs, Layered Networking, and Advanced Network Design
  • Router Security Testing
  • Firewall Security Testing
  • Firewall ACL Policy Determination
  • Trusted System Testing
  • Common Misconfiguration Problems

Advanced Enumeration and Assessment

  • Advanced Windows Network Services Enumeration
  • Advanced UNIX Enumeration
  • Advanced Email Enumeration
  • Advanced VPN Enumeration
  • Advanced Web Service Enumeration
  • SSL Tunneling
  • VoIP Security

Vulnerability Testing / Research

  • Ongoing Vulnerability Research / CVEs
  • The Role of an Automated Vulnerability Assessment Tool
  • Automated Vulnerability Testing in the Enterprise
  • Open Source Assessment Tools
  • Commercial Assessment Tools
  • Hacker Tools

Automated Penetration Testing

  • Automated Penetration Testing
  • Leveraging Automation - Metasploit and Core Impact
  • Automated Tools and Techniques
  • Professional Exploit Frameworks

Architectural Vulnerabilities

  • Capturing Network Traffic
  • Common tools and techniques
  • Spoofing and Hijacking
  • Wireless Security and testing
  • VoIP Security

Operating System and Application Vulnerabilities

  • Installation Issues
  • Authentication Systems and Testing
  • Application Security Testing
  • Web Application Hacking and Security Testing
  • Privilege Testing

Firewalls

  • Firewall Identification
  • Packet Filtering
  • Vulnerabilities and Default Ports
  • Advanced Firewall Discovery
  • Firewall Security Testing
  • Firewall / ACL Policy Determination

Covert Channels

  • Employing covert channels
  • Tools and techniques
  • Bypassing firewall rule sets

Rootkits and Backdoors

  • Rootkits and how they work
  • Rootkits in the wild
  • Rootkit file replacement
  • Identifying rootkits
  • Trojans / backdoors

Intrusion Detection / Prevention Systems

  • Understanding IDS / IPS
  • Network-based IDS
  • Host-based IDS
  • IDS Testing
  • IDS Evasion
  • Containment Testing

Honeypots and Honeynets

  • What are they
  • Their Use
  • Honeypot resources

Penetration Testing through Social Engineering

  • Security Policies
  • Social Engineering Goals
  • Social Engineering Techniques

Security Test Reports

  • What to include / organization
  • Report Writing
  • Report Delivery
  • Remediation Workshops

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group