https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/37059#M24 <P><EM>Thanks!</EM></P> Wed, 08 Jul 2020 14:16:40 GMT EdSkinner1 2020-07-08T14:16:40Z https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/36924#M21 <P>Good Morning,</P><P>&nbsp;</P><P>We are reviewing our organization's information security posture, and we have a few questions that we would like to pose to the group:</P><P>&nbsp;</P><P>1) What activities does your organization engage in for the areas of penetration testing and/or ethical hacking?</P><P>&nbsp;</P><P>2) Which of these activities do you consider valuable (and would recommend), and what key risks are associated with implementing them?</P><P>&nbsp;</P><P>3) Are there other activities in these areas that you hope to implement in the future?</P><P>&nbsp;</P><P>We appreciate any feedback (if your feedback is too sensitive for posting, we'd be happy to email or setup a call, etc.).</P><P>&nbsp;</P><P>Thanks!</P><P>&nbsp;</P><P>-Ed</P> Thu, 02 Jul 2020 13:02:23 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/36924#M21 EdSkinner1 2020-07-02T13:02:23Z https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/36947#M22 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1190179283">@EdSkinner1</a>&nbsp;&nbsp;&nbsp; Try this consolidated link via OWASP and OSSTMM, NIST-800-115 etc:</P><P>&nbsp;</P><P><A href="https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies" target="_blank">https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies</A></P><P>&nbsp;</P><P>This should give you a good grounding and a baseline to determine what you want from Ethical Penetration Testing services and for contractual purposes and measurement.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Thu, 02 Jul 2020 23:38:46 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/36947#M22 Caute_cautim 2020-07-02T23:38:46Z https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/37020#M23 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1190179283">@EdSkinner1</a>&nbsp;</P><P>My former employer did a lot of research on and use of phishing attacks. My core advice on using phishing attacks as part of your EH set is to make sure it is set up as a training experience for the employees, and not a gotcha jump on them.</P><P>Also, make darn sure you pay special attention to targeting your whales.&nbsp;</P><P>&nbsp;</P><P>Good luck,</P><P>&nbsp;</P><P>Craig</P><P>&nbsp;</P> Tue, 07 Jul 2020 14:58:07 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/37020#M23 CraginS 2020-07-07T14:58:07Z https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/37059#M24 <P><EM>Thanks!</EM></P> Wed, 08 Jul 2020 14:16:40 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/37059#M24 EdSkinner1 2020-07-08T14:16:40Z https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/37060#M25 Thanks! Wed, 08 Jul 2020 14:17:06 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/37060#M25 EdSkinner1 2020-07-08T14:17:06Z https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/75046#M1233 Good Morning Ed,<BR /><BR />Thanks for reaching out! Here are my responses to the questions from a beginner’s perspective:<BR /><BR />1) In our organization, we do some basic penetration testing, like checking if our systems are secure from outside threats. We also test our web applications to see if there are any vulnerabilities that could be exploited. We’re just starting to explore ethical hacking practices to see where we can improve our security.<BR /><BR />2) I think these activities are really helpful because they allow us to spot weaknesses before anyone else does. One risk is that if the testing isn’t planned well, it could affect our systems. Also, handling the sensitive results of these tests requires caution to ensure they don’t fall into the wrong hands.<BR /><BR />3) Looking forward, we’d like to add more automated tools to regularly check our systems and keep our defenses up-to-date as new threats come up.<BR /><BR />Let me know if I can provide more information.<BR /><BR />Best regards,<BR />Kaisar Ahmed Sun, 10 Nov 2024 14:21:58 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Penetration-Testing-and-Ethical-Hacking/m-p/75046#M1233 Kaisar_Ahmed 2024-11-10T14:21:58Z