Nice presentation given at Hack3rCon 2010

The original videos can also be found here

Summary

Purpose and goals of the pentest (the customer may not know them, or may be wrong)

  • What is running your business?

Why?

  • identify attack vectors
  • evaluate the controls
  • identify potential vulnerabilities
  • find real threats to the organization
  • it must be a repeatable process that is easy to explain
     (the methodology is important)
  • perhaps a security review can be done instead of a pentest
     (a pentest of a really insecure place is not worthwhile)

Scope

  • which targets can you attack, and how?
  • what are you authorized to do versus what happens in the real world?

Methodologies

  • Open Source Security Testing Methodology
  • ISECOM
  • Crime Prevention Through Environmental Design

Threat Source Analysis

  • actors
  • their funding, motivation and time

Method

  • research
  • reconnaissance (google maps :D )
  • planning
  • execution
  • extraction
  • wrap-up

Real world examples

Reporting

Being caught by the police :D

Recommended reading

Training