Penetration Testing: Re: CoBIT a Security Audit Framework?

Re: CoBIT a Security Audit Framework?

From: <hightch0_at_netscape.net>
Date: Tue, 02 Dec 2008 11:44:10 -0500

Hi. You can try the "IS Auditing Procedure: P08 Security Assessment -
Penetration Testing and Vulnerability Analysis" document on the ISACA
web page; it describes a process for executing a pentest aligned with
CobiT. You can also add some features from OSSTMM or NIST to obtain a
more global pentest process. I think you need to obtain ISACA
membership to download the mentioned document (there are some free
ones); however, the membership is a good investment because you will
have access to a lot of resources that help in our daily job.

I hope this information helps. Regards from Mexico.

Jose Luis Aparicio C.
CISA, CISM, CGEIT, ISO 27001 PA

-----Original Message-----
From: J. Oquendo <sil_at_infiltrated.net>
To: Jon Kibler <Jon.Kibler_at_aset.com>
Cc: pen-test_at_securityfocus.com
Sent: Mon, 1 Dec 2008 1:52 pm
Subject: Re: CoBIT a Security Audit Framework?

On Mon, 01 Dec 2008, Jon Kibler wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> <rant>
>
> And what REALLY gets me is that organizations expect you to be able to
> do a PEN TEST using CoBIT! When I explain that something like OSSTMM is
> a more correct framework for a PEN TEST (or even NIST 800-115 or
> 800-53A), they don't want to hear it -- it's gotta be CoBIT! They have
> so many misunderstandings as to what CoBIT is and is not useful for, it
> is incredible -- and they are not interested in learning anything
> different.
>
> Who / what is driving this "CoBIT is the only acceptable IT Security
> audit framework" mentality and what can we do to change it?
>
> </rant>

I should have been a little more clear in my initial post, so
apologies for the second email on this. You're comparing
apples and oranges here. ISECOM's OSSTMM framework is great
for the penetration tester and for the testing methodologies
used, especially for verification purposes; however, it is
solely a pentesting framework. Your client is probably
under-clued on the differences and wants to maintain CoBIT
compliance, keeping in tune with the checks and balances of
CoBIT's framework.

If you have the modules' information, correlate them for
your client, showing how you will match them up, so they can
understand the difference in your testing and how it maps
into the CoBIT framework. In either case, whatever a
company is choosing, there will be overlap, there will be
one over the other, but the bottom line for those asking
for it is likely a need to maintain compliance with the
CoBIT framework. It is a lot more than meets the eye and
is well structured on the information security scale to
both macro- and micro-manage many portions of security
frameworks.

Irrespective of the testing methodologies used, there is
one end result, and it's this result that is likely what
your client is worried about. CobiT maps most of the
given frameworks and models and exceeds a lot of them.
When you understand it a little better, you'll likely
see the disconnect in someone asking for a pentest to
help make sure the company is CoBIT compliant.

Search ISACA for the term "mapping"; it will give you a
clearer picture of the mappings and overlap with the
following:

ITIL, CMM, ISO 17799, PMBOK, PRINCE2, NIST SP800-53, TOGAF

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Received on Dec 02 2008
