penetration tester · 2019-09-25 · security for an organization and its people. list the skills...

Post on 27-Jul-2020

Penetration Tester

Model Curriculum

Penetration Tester

SECTOR: IT-ITeS

SUB-SECTOR: IT SERVICES

OCCUPATION: INFORMATION/CYBER SECURITY

REF ID: SSC/Q0912, V1.0

NSQF LEVEL: 7

TABLE OF CONTENTS

1. Curriculum

2. Trainer Prerequisites

3. Assessment Criteria

CURRICULUM / SYLLABUS

This program is aimed at training candidates for the job of a “Penetration Tester” in the “IT-ITeS” Sector/Industry and aims at building the following key competencies amongst the learner.

Program Name: Penetration Tester

Qualification Pack Name & Reference ID: SSC/Q0912 Version 1.0

Version No.: 1.0

Version Update Date: 01/04/2018

Pre-requisites to Training: Graduate in any discipline, preferably Science/Computer Science/Electronics and Engineering/Information Technology

Training Outcomes: After completing this programme, participants will be able to:

Test, run exploits to identify vulnerabilities in networks.

Identify and analyse exposures and weaknesses in applications and their deployments.

Make reports based on test results and make enhancements to existing security solutions.

Manage your work to meet requirements.

Work effectively with colleagues.

Maintain a healthy, safe and secure working environment.

Provide data/information in standard formats.

Develop your knowledge, skills and competence.

This course encompasses 8 out of 8 National Occupational Standards (NOS) of the “Penetration Tester” Qualification Pack issued by “IT-ITeS SSC”.

Sr. No. Module Key Learning Outcomes Equipment Required

1 IT-ITES/BPM Industry – An Introduction Theory Duration (hh:mm) 06:00 Practical Duration (hh:mm) 01:00 Corresponding NOS Code Bridge Module

Establish the nature and scope of IT-ITeS/BPM Industry with their sub-sectors.

Collate information, evidence, and artifacts regarding the IT-ITeS/BPM industry.

Explain the various sub-sectors of the IT-ITeS industry.

Identify the processes involved in maintaining and managing the IT-ITeS/BPM industry with their sub-sectors.

Define the key trends in the IT-ITeS industry

Review the scope of the industry with appropriate people and incorporate their inputs.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Lab equipped with the following: -PCs/Laptops, Internet with Wi-Fi (Min 2 Mbps Dedicated), Networking Equipment, Routers & Switches, and Chart paper and sketch pens.

2 IT Services – An Introduction Theory Duration (hh:mm) 03:00 Practical Duration (hh:mm) 01:00 Corresponding NOS Code Bridge Module

Identify the various categories of services and sub-sectors under the IT industry along with their scope.

Explain the importance of the IT sector in any organization.

Provide immediate support to appropriate people for maintaining IT services in an organization.

Participate in discussions/ review meetings, as required for managing IT services.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Lab equipped with the following: - PCs/Laptops, Internet with Wi-Fi (Min 2 Mbps Dedicated).

3. Information/Cyber Security – An Introduction Theory Duration (hh:mm) 05:00 Practical Duration (hh:mm) 04:00 Corresponding NOS Code Bridge Module

Explain the importance of cyber security in line with societal benefits.

Describe the roles and responsibilities of a penetration tester.

State the benefits of cyber security for an organization and its people.

List the skills and competencies expected from a penetration tester.

Provide an overview of cyber security and their roles.

Draw a career map of opportunities available with the cyber security field.

Whiteboard and Markers.

Chart paper and sketch pens.

Lab equipped with the following: - PCs/Laptops, Internet with Wi-Fi (Min 2 Mbps Dedicated).

4. Fundamentals and need for Vulnerability Assessment and Penetration Testing Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0925

Establish an individual’s role and responsibilities in contribution to managing vulnerability assessment.

Perform Vulnerability Assessment to analyse the network and system security.

Analyze the results of vulnerability assessment and prioritize them according to severity.

Recommend solution and mitigation techniques with respect to the assessment result.

Maintain accurate daily records/logs of Vulnerability analysis using standard templates and tools.

Apply the suggested solution and mitigation techniques to build a secure system.

Perform penetration testing once all the solutions are applied.

Carry out Penetration testing of the systems using automated tools, where required.

Investigate the results of penetration testing to verify security.

Provide support to enhance the security ecosystem in the organization.

Update their organization’s knowledge base promptly and accurately with security issues and their resolution.

Establish an understanding of an organization’s network environment.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Lab with key devices, software, and hardware in a large network.

Should include, but not be limited to: application of multiple networking topology; use of various Network Protocols; bandwidth management tools; background of IT assets; hubs; switches; routers; servers; access points; media access controls; transmission media; IDS/IPS; application of SSL, VPN, 2FA, Encryption, etc.

5. Difference between Vulnerability Assessment and Penetration Testing Theory Duration (hh:mm) 07:00 Practical Duration (hh:mm) 30:00 Corresponding NOS Code SSC/N0925

Establish the scope of vulnerability assessment and penetration testing in accordance with the organization’s policies.

Record, classify and prioritize the security events to be analysed through VAPT.

Access their organization’s knowledge base for information on previous information security incidents and how they were managed.

Assign information security incidents promptly to appropriate people for investigation/action.

Liaise with stakeholders to gather, validate and provide information related to information security incidents, where required.

Document all the steps and findings of analysis performed in vulnerability assessment and penetration testing.

Whiteboard and markers.

LCD projector and laptop for presentations.

Access to various samples of applications of each category including various types of computer applications, mobile applications, and cloud applications.

Provision for online research in the lab for all students.

At least two subject matter experts from the industry in the field of application security.

Samples of secure applications and open source code scanning tools.

6. VA life cycle and PT life cycle Classification Theory Duration (hh:mm) 08:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0925

Define all the steps of vulnerability assessment life cycle.

List the steps involved in penetration testing.

Ensure that all the steps are followed while performing vulnerability analysis and penetration testing.

Create a plan for documenting the result obtained after the VAPT analysis.

Track progress of analysis and escalate to appropriate people, where required.

Document the results of VAPT analysis for future reference.

Obtain advice and guidance on coordinating analysis report from appropriate people, where required

Whiteboard and markers.

LCD projector and laptop for presentations.

Provision for online research in the lab for all students.

Access to various samples of applications of each category including various types of computer, mobile, and cloud applications.

Samples of secure applications.

Open source code scanning tools and their tutorials.

Access to secure and unsecured applications for practicing penetration testing activities.

Access to public databases and vulnerability sharing clubs, e.g., Bugtraq.

National Institute of Standards and Technology (NIST) NVD.

United States Computer Emergency Readiness Team (US-CERT).

7. Installation and Usage of Open Source VAPT Tools Theory Duration (hh:mm) 06:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0925

Establish clearly the objectives and scope of various Vulnerability Assessment tools.

Investigate installed/configured VAPT tools by following the instructions and guidelines.

Comply with the legal constraints mentioned as per their defined scope.

Resolve problems with processes in the tool, following instructions and guidelines.

Install Tools to perform attack simulation and apply adequate security solutions.

Ensure the installation of the proxy server for simulating server-side attacks.

Investigate the security issues in a network using Nmap by applying various ping and port scans in the network.

Update the organization’s knowledge base with the documented findings.

Whiteboard and markers.

LCD projector and laptop for presentations.

Provision for online research in the lab for all students.

Access to a list of vulnerabilities and exposures identified in the application by participants in the activities of the previous topic.

Open source tools for the above-mentioned activities.

Provision for online research for all participants.

Sample templates for the above-mentioned points.

Provision of software, such as word processors, spreadsheets, etc. for preparing reports for all participants.

8. Fundamentals of Internal and External Penetration Testing Theory Duration (hh:mm) 08:00 Practical Duration (hh:mm) 23:00 Corresponding NOS Code SSC/N0909

Establish and differentiate the scope of internal and external penetration testing for maintaining the security ecosystem of an organization.

Compare and contrast the basic differences and techniques between Internal and external penetration testing.

Perform Internal penetration testing through several means in an organization, when required.

Perform external penetration testing to verify the security methodologies applied after vulnerability assessment in an organization when required.

Comply with their organization’s policies, procedures, and guidelines while performing penetration testing.

List the open source tools available for penetration testing.

Define some use cases related to internal and external penetration testing.

Whiteboard and markers.

LCD projector and laptop for presentations.

Provision for online research in the lab for all students.

Access to free OWASP tools and methods and their tutorials.

Hardware requirements:

8 GB RAM.

100 GB of free hard disk drive space.

Processor: i3 CPU, 2 GHz or above.

Internet access connectivity is necessary for the installer media

A DVD Drive or USB port is required for the installer media

Access to free OWASP tools and methodologies and their tutorials

Software requirements:

Operating system Win 7/10/ server 2008, 2012(64 Bit)

Operating system Kali Linux/Konboot (64 Bit) setup

.Net framework 3.5 or above/ JRE (java runtime environment)

9. Steps for Conducting Internal and External Penetration Testing Theory Duration (hh:mm) 08:00 Practical Duration (hh:mm) 28:00 Corresponding NOS Code SSC/N0909

Establish the context and scope of performing internal network penetration testing in the organization.

Develop mapping of network connections in the organization for performing penetration testing and analysing security infrastructure.

Identify open ports in compliance with the security posture of an organization through penetration testing.

Resolve the presence of viruses, trojans, and rootkits on a target machine for building robust security architecture.

Perform network penetration testing by capturing a variety of traffic, poisoning of a victim’s proxy server, hiding of sensitive information, hijacking of a variety of sessions etc. for building secure infrastructure.

Perform an external penetration test by creating topological network maps.

Identify the physical location of target servers for resolving the security issues in an organization.

Locate the DNS record of a domain by conducting a variety of port scans on a target network.

Verify cookies generated by a server by investigating the hidden fields for building a secure organizational infrastructure.

Whiteboard and markers.

LCD projector and laptop for presentations.

Provision for online research in a lab for all students.

Access to free OWASP tools and methods and their tutorials.

10. Features and Characteristics of Penetration Testing Tools Theory Duration (hh:mm) 07:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0909

Agree with the usage of open source tools for performing penetration testing in an organization.

Define the characteristics of each VAPT tool.

Ensure that the tools used comply with the organizational policies.

Resolve problems with processes in the tool, following instructions and guidelines.

Utilize the features of various VAPT tools to enhance the security infrastructure of the organization.

Initiate some automated processes for analysing the security infrastructure.

Update their organization’s knowledge base with the documented results.

Whiteboard and markers.

LCD projector and laptop for presentations.

Lab with provision for online research.

Lab with web application servers and web applications on the network to explore the features and characteristics.

11. Sample Report of Vulnerabilities with Categorization of Vulnerabilities Theory Duration (hh:mm) 07:00 Practical Duration (hh:mm) 20:00 Corresponding NOS Code SSC/N0936

Establish the context of framing sample report of vulnerabilities as a result of vulnerability assessment.

Prioritize the security issues found in the assessment and differentiate them based on category defined.

Maintain a checklist of the recommended solution on a priority basis with respect to the assessment report.

Obtain advice and guidance from others while developing a checklist for ensuring the security of organizational assets.

Analyze the strategic analysis of the report and provide feedback for improving the security posture of an organization.

Analyze information security performance metrics to highlight variances and issues for action by appropriate people.

Work within the individual’s scope of work and in adherence with the organizational policies.

Whiteboard and markers.

LCD projector and laptops for making presentations.

Provision for online research in a lab for all students.

Undertake research on various tools generating vulnerability assessment and penetration testing reports.

12. Business Impact Analysis and Remediation Techniques Theory Duration (hh:mm) 08:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0936

Establish the scope and nature of work done in Business Impact Analysis for ensuring continuous business availability.

Comply with the steps and processes defined in the business impact analysis for managing business availability.

Identify the security issues and anomalies in business assets and their exposure to the outside world.

Recommend various remediation techniques based on the assessment report and prioritize them accordingly.

List and define the scope of each remediation technique suggested in the report.

Identify the dependencies of business strategic assets and ensure their security and availability.

Whiteboard and markers.

Provision for online research in the lab.

LCD projector and laptops for making presentations.

Provision for online research in a lab for all students.

Provision for accessing various tools helping to diagnose risk assessment and disaster mitigation.

13. Risk Management and Audit Committee Theory Duration (hh:mm) 07:00 Practical Duration (hh:mm) 28:00 Corresponding NOS Code SSC/N0936

Identify the risk associated with the organizational assets.

Establish the context of the risk management process

Ensure all the steps and processes are followed while performing the risk management process.

Document all the findings of the risk management process.

Recommend a solution for the security issues and anomalies in the business processes.

Establish the nature and scope of information security audits and their role and responsibilities.

Identify the procedures/guidelines/checklists for the audit tasks.

Identify any issues with the audit procedures and clarify these with appropriate people.

Collate information, evidence, and artefacts when carrying out audit tasks.

Carry out required audit tasks using standard tools and following established procedures/guidelines/checklists.

Refer to appropriate people where audit tasks are beyond their levels of knowledge, skills, and competence.

Record and document audit tasks and audit results using standard tools and templates.

Review results of audit tasks with appropriate people and incorporate their inputs.

Whiteboard and markers.

Lab with software and tools for writing secure web application configurations.

Sample secure web application configurations.

Provision for accessing various tools helping to diagnose risk assessment and disaster mitigation.

14. Application Security Check List Theory Duration (hh:mm) 10:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N0936

Establish the scope of various security best practices and prepare the required checklist for maintaining organizational security.

Recommend the implementation of additional controls for maintaining security.

Obtain advice and guidance from others on managing the security ecosystem.

Provide inputs to root cause analysis and the resolution of information security issues, where required

Analyze information security performance metrics in the security checklist to highlight variances and issues for action by appropriate people.

Comply with the organizational policies while developing application security checklist and including suggested solutions by appropriate people.

Whiteboard and markers.

Provision for online research in the lab.

Lab with key devices, software, and hardware in a large network.

Scope for using different tools and techniques of risk assessment and important concepts related to compliance and audit.

15. Manage your work to meet requirements Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9001

Establish and agree with your work requirements with appropriate people.

Keep your immediate work area clean and tidy.

Utilize your time effectively.

Treat confidential information correctly

Work in line with your organization’s policies and procedures.

Work within the limits of your job role.

Obtain guidance from appropriate people, where necessary.

Ensure your work meets the agreed requirements.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Training organization’s confidentiality policy.

16. Work effectively with colleagues Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9002

Communicate with colleagues clearly, concisely and accurately.

Work with colleagues to integrate your work effectively with theirs.

Pass on essential information to colleagues in line with organizational requirements.

Work in ways that show respect for colleagues.

Carry out the commitments you have made to colleagues.

Let colleagues know in good time if you cannot carry out your commitments, explaining the reasons.

Identify any problems you have working with colleagues and take the initiative to solve these problems.

Follow the organization’s policies and procedures for working with colleagues.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Provision to write emails and send in the lab.

Lab with provision for internet, email, word processor and presentation software.

Chart paper, markers, picture magazines, and old newspapers.

17. Maintain a healthy, safe and secure working environment Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9003

Comply with your organization’s current health, safety and security policies and procedures.

Report any identified breaches in health, safety, and security policies and procedures to the designated person.

Identify and correct any hazards that you can deal with safely, competently and within the limits of your authority.

Report any hazards that you are not competent to deal with to the relevant person in line with organizational procedures and warn other people who may be affected.

Follow your organization’s emergency procedures promptly, calmly, and efficiently.

Identify and recommend opportunities for improving health, safety, and security to the designated person.

Complete any health and safety records legibly and accurately.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

The training organization’s current health, safety, and security policies and procedures.

Provision for online research in the Lab.

A sample health and safety policy document.

Emergency broadcast system and mock emergency signage in the appropriate areas of the training institute.

18 Provide data/ information in standard formats Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9004

Establish and agree with appropriate people the data/information you need to provide, the formats in which you need to provide it, and when you need to provide it.

Obtain the data/information from reliable sources.

Check that the data/information is accurate, complete and up-to-date.

Obtain advice or guidance from appropriate people where there are problems with the data/information.

Carry out rule-based analysis of the data/information, if required.

Insert the data/information into the agreed formats.

Check the accuracy of your work, involving colleagues where required.

Report any unresolved anomalies in the data/information to appropriate people.

Provide complete, accurate and up-to-date data/information to the appropriate people in the required formats on time.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Provision for online research in the lab.

19 Develop knowledge, skills and competence Theory Duration (hh:mm) 20:00 Practical Duration (hh:mm) 25:00 Corresponding NOS Code SSC/N9005

Obtain advice and guidance from appropriate people to develop your knowledge, skills, and competence.

Identify accurately the knowledge and skills you need for your job role.

Identify accurately your current level of knowledge, skills and competence and any learning and development needs.

Agree with appropriate people a plan of learning and development activities to address your learning needs.

Undertake learning and development activities in line with your plan.

Apply your new knowledge and skills in the workplace, under supervision.

Obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them.

Review your knowledge, skills, and competence regularly and take appropriate action.

Whiteboard and Markers.

LCD Projector and Laptop for presentations.

Soft copy of QP-NOS.

Provision for online access to all students in the lab.

Total Duration: Theory Duration 200:00; Practical Duration 400:00

Unique Equipment Required: Whiteboard and Markers, LCD Projector and Laptop for presentations, Chart paper. Lab equipped with the following: PCs/Laptops and Internet with WiFi (Min 2 Mbps Dedicated), provision for email, word processor and presentation software. CRM application, such as Siebel, Zoho. Social networking tool / LMS tool to enable blog posts or discussion board. Instant messenger, chat and email tools to enable mock exercises. A sample health and safety policy document, Emergency broadcast system and mock emergency signage in the appropriate areas of the training institute.

Grand Total Course Duration: 600 Hours, 0 Minutes

(This syllabus/ curriculum has been approved by SSC: IT-ITeS Sector Skills Council NASSCOM)

Trainer Prerequisites for Job role: “Penetration Tester” mapped to Qualification Pack: “SSC/Q0912, V1.0”

Sr. No. | Area | Details
1 | Description | To deliver accredited training service, mapping to the curriculum detailed above, in accordance with the Qualification Pack “SSC/Q0912, V1.0”.
2 | Personal Attributes | Aptitude for conducting training, and pre/post work to ensure competent, employable candidates at the end of the training. Strong communication skills, interpersonal skills, ability to work as part of a team; a passion for quality and for developing others; well-organized and focused, eager to learn and keep oneself updated with the latest in this field.
3 | Minimum Educational Qualifications | Graduate in any discipline, preferably Science/Computer Science/Electronics and Engineering/Information Technology
4a | Domain Certification | Certified for job role “Penetration Tester” mapped to Qualification Pack “SSC/Q0912” Version 1.0. Minimum accepted score is 80%
4b | Platform Certification | Recommended that the trainer is certified for the Job Role “Trainer” mapped to the Qualification Pack: “MEP/Q0102”. Minimum accepted score is 80% aggregate
5 | Experience | Min 2 years of work/training experience with respect to QP/Occupation.

Assessment Criteria

Job Role: Penetration Tester

Qualification Pack: SSC/Q0912, V1.0

Sector Skill Council: IT-ITeS

Sr. No. Guidelines for Assessment

1 Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each performance criterion (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in NOS.

2 The assessment will be conducted online through assessment providers authorized by SSC.

3 Format of questions will include a variety of styles suitable to the PC being tested such as multiple-choice questions, fill in the blanks, situational judgment test, simulation and programming test.

4 To pass a QP, a trainee should pass each individual NOS. Standard passing criteria for each NOS is 70%

5 For the latest details on the assessment criteria, please visit www.sscnasscom.com.

6 In case of successfully passing only certain number of NOS's, the trainee is eligible to take subsequent assessment on the balance NOS's to pass the Qualification Pack.

Assessment Outcome: 1. SSC/N0925 (Test, run exploits to identify vulnerabilities in networks). Total Marks (800): 100

Assessment Criteria for Outcomes | Out of | Marks Allocated: Theory | Marks Allocated: Skills Practical
PC1. gather preliminary information by manually reviewing the documentation, secure coding policies, security requirements, architectural designs | 5 | 2 | 3
PC2. gather network information using various information gathering methods and tools | 5 | 2 | 3
PC3. define scope for the tests using Existing Security Policies & Industry Standards | 3 | 1 | 2
PC4. plan for the test while adhering to business and time constraints put by organization | 4 | 1 | 3
PC5. perform Active Reconnaissance on the target network using metadata, search engines, social engineering, dumpster diving etc. after taking adequate approvals | 5 | 2 | 3
PC6. develop a map of target environments | 4 | 1 | 3
PC7. utilize network infrastructure scanning tool to conduct comprehensive network sweeps, port scans, Operating System fingerprinting and version scanning | 6 | 1 | 5
PC8. identify live systems, open / filtered ports found, services running on these ports, mapping router / firewall rules, operating system details, network path discovery, etc. | 5 | 2 | 3

PC9. perform fingerprinting services running behind open ports and underlying operating system | 5 | 2 | 3
PC10. explore the network by pre-determined scans to find possible vulnerabilities | 6 | 2 | 4
PC11. perform social engineering using Social Engineering Toolkit (SET) to find possible security holes | 7 | 3 | 4
PC12. test the network devices by supplying invalid inputs, random strings, etc., and check for any errors or unintended behavior in the output | 6 | 1 | 5
PC13. find exploits e.g. proof-of-concept exploit for the various vulnerabilities found | 5 | 1 | 4
PC14. identify weak entry points and high value target assets of the organization or its network | 5 | 1 | 4
PC15. identify antiviruses e.g. host-based intrusion prevention systems, web application firewalls, and other preventative technologies in the system | 4 | 1 | 3
PC16. use pivoting techniques through targeted systems | 5 | 1 | 4
PC17. demonstrate various possible impacts, compromises and exposures using specialized exploitation tools | 6 | 2 | 4
PC18. evaluate ways & means of identifying and closing weaknesses in the network | 6 | 2 | 4
PC19. recommend hardening measures for network security devices for minimizing exposure and vulnerabilities | 4 | 1 | 3


PC20. maintain logs for all the activities performed

4 1 3

Total 100 30 70

2. SSC/N0909

(Identify and analyze exposures and weaknesses in applications and their deployments)

PC1. Gather preliminary information about the application through manual documentation review.

100

5 2 3

PC2. Evaluate the criticality of information by taking into consideration various factors.

5 1 4

PC3. Identify the application type/category by considering various factors.

3 1 2

PC4. Gather web-based information through the use of automated tools and techniques.

5 2 3

PC5. Establish the application functionality, connectivity, interdependency, and working.

5 2 3

PC6. Review application design and architecture to check that appropriate security requirements are enforced.

3 1 2

PC7. Check the source code of an application manually and identify security issues.

4 1 3

PC8. Explore potential threats by considering threats from various sources.

5 1 4

PC9. Evaluate the vulnerabilities discovered for their relevance, root causes, risk criticality, and corresponding mitigation methods.

4 1 3

PC10. Collate application security controls from various internal and external sources.

4 1 3

PC11. Collate information about the application with respect to industry trends through various sources.

4 1 3

PC12. Gather information related to application patching and its interdependencies with IT infrastructure requirements.

4 1 3

PC13. Assess application vulnerability using security assessment tools.

4 1 3


PC14. Isolate root causes of vulnerabilities and identify fixes, by including contextual information like the architectural composition, exploitation methods, and probabilities of exposure.

4 1 3

PC15. Validate data to identify failed false positives and individual vulnerabilities.

4 2 2

PC16. Categorize vulnerabilities and identify the extent of vulnerability including the level of weakness and sensitivity of the information.

4 1 3

PC17. Develop an application tracker capturing relevant information.

3 1 2

PC18. Plan for application penetration testing covering various parameters.

4 1 3

PC19. Test applications using various testing methods. 5 2 3

PC20. Conduct penetration testing using automatic scanning technologies, black box testing, as well as manual tests that use human intelligence to guide the steps.

5 2 3

PC21. Capture the requirements for securing applications stipulated by clients & external stakeholders in the designated format during the application life cycle.

4 1 3

PC22. Document information and activities at every step to provide an audit trail.

4 2 2

PC23. Secure storage of data collected during the assessment, including vulnerabilities, analysis results, and mitigation recommendations.

4 1 3

PC24. Automate correlation of static, dynamic and interactive application security testing results.

4 1 3

Total 100 31 69

3. SSC/N0936

(Making reports based on test results and making enhancements to existing security solutions)

PC1. Make notes of timeline/details of attacks.

100

5 1 3

PC2. Record logs, security holes found, measures adopted for Reconnaissance, Foot-printing etc.

6 1 5

PC3. Use the latest risk calculating tools in making reports.

6 2 4

PC4. Report the source of threats and causes of potential weaknesses in the network.

6 2 4

PC5. Update draft reports made in testing phases and make a final report for presentation.

4 1 3

PC6. Organizing the information in a format suitable for analysis and extraction of high-level conclusions and recommendations.

6 3 3

PC7. Design report form & style according to the target report audience.

6 3 3

PC8. Classify report on the basis of target organization information classification policy.

5 2 3

PC9. Make separate reports. 5 2 3

PC10. Report all the misconfigured DNS servers. 4 2 2

PC11. Integrate all the logs captured in the attack phase. 6 2 4

PC12. Rate threats and their severity in a standard format. 6 2 4

PC13. Report and create a record of weaknesses for future knowledge & governance of threats & vulnerability management.

6 2 4

PC14. Perform security hardening on servers in the production environment especially those on the Internet and/or external DMZs.

6 2 4

PC15. Recommend controls, solutions and changes in architecture, to avoid future exploits.

6 2 4

PC16. Make enhancements to testing tools.

6 2 4

PC17. Implement patch management system(s) to provide centralized control over fixes, updates and patches to all systems, devices and equipment.

6 2 5

PC18. Enhance and update existing firewall services and IDS services if necessary.

6 1 5

Total 101 34 66

4. SSC/N9001

(Manage your work to meet requirements)

PC1. Establish and agree your work requirements with appropriate people.

100

7 0 7

PC2. Keep your immediate work area clean and tidy. 12 6 6

PC3. Utilize your time effectively. 12 6 6

PC4. Use resources correctly and efficiently. 19 6 13

PC5. Treat confidential information correctly. 7 1 6

PC6. Work in line with your Organization’s policies and procedures.

12 0 12

PC7. Work within the limits of your job role. 6 0 6

PC8. Obtain guidance from appropriate people, where necessary.

6 0 6

PC9. Ensure your work meets the agreed requirements.

19 6 13

Total 100 25 75

5. SSC/N9002

(Work effectively with colleagues)

PC1. Communicate with colleagues clearly, concisely and accurately.

100

20 0 20

PC2. Work with colleagues to integrate your work effectively with theirs.

10 0 10

PC3. Pass on essential information to colleagues in line with organizational requirements.

10 10 0

PC4. Work in ways that show respect for colleagues. 20 0 20

PC5. Carry out commitments you have made to colleagues.

10 0 10

PC6. Let colleagues know in good time if you cannot carry out your commitments, explaining the reasons.

10 10 0

PC7. Identify any problems you have working with colleagues and take the initiative to solve these problems.

10 0 10

PC8. Follow the organization’s policies and procedures for working with colleagues.

10 0 10

Total 100 20 80

6. SSC/N9003

(Maintain a healthy, safe and secure working environment)

PC1. Comply with your organization’s current health, safety and security policies and procedures.

100

20 10 10

PC2. Report any identified breaches in health, safety, and security policies and procedures to the designated person.

10 0 10

PC3. Identify and correct any hazards that you can deal with safely, competently and within the limits of your authority.

20 10 10

PC4. Report any hazards that you are not competent to deal with to the relevant person in line with organizational procedures and warn other people who may be affected.

10 0 10

PC5. Follow your organization’s emergency procedures promptly, calmly, and efficiently.

20 10 10

PC6. Identify and recommend opportunities for improving health, safety, and security to the designated person.

10 0 10

PC7. Complete any health and safety records legibly and accurately.

10 0 10

Total 100 30 70

7. SSC/N9004

(Provide data/information in standard formats)

PC1. Establish and agree with appropriate people the data/information you need to provide, the formats in which you need to provide it, and when you need to provide it.

100

13 13 0

PC2. Obtain the data/information from reliable sources. 13 0 13

PC3. Check that the data/information is accurate, complete and up-to-date.

12 6 6

PC4. Obtain advice or guidance from appropriate people where there are problems with the data/information.

6 0 6

PC5. Carry out rule-based analysis of the data/information, if required.

25 0 25

PC6. Insert the data/information into the agreed formats.

13 0 13

PC7. Check the accuracy of your work, involving colleagues where required.

6 0 6

PC8. Report any unresolved anomalies in the data/information to appropriate people.

6 6 0

PC9. Provide complete, accurate and up-to-date data/information to the appropriate people in the required formats on time.

6 0 6

Total 100 25 75


8. SSC/N9005

(Develop your knowledge, skills and competence)

PC1. Obtain advice and guidance from appropriate people to develop your knowledge, skills, and competence.

100

10 0 10

PC2. Identify accurately the knowledge and skills you need for your job role.

10 0 10

PC3. Identify accurately your current level of knowledge, skills and competence and any learning and development needs.

20 10 10

PC4. Agree with appropriate people a plan of learning and development activities to address your learning needs.

10 0 10

PC5. Undertake learning and development activities in line with your plan.

20 10 10

PC6. Apply your new knowledge and skills in the workplace, under supervision.

10 0 10

PC7. Obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them.

10 0 10

PC8. Review your knowledge, skills, and competence regularly and take appropriate action.

10 0 10

Total 100 20 80

Grand Total 800 800