The Purple Files Overview (6/6/2019)

Rough Notes...

Introduction

Leverage my knowledge, skills, and passion to redevelop TPF, post, and provide teaching sessions for my TPF framework. This is for my own enjoyment and satisfaction. Once in place it might develop revenue streams.

Because you are reading this I assume that you are practicing, studying, or wanting to explore the possibilities for home, office, and career. When I first considered pentesting as a career I considered all the areas that interested me, such as brain surgery, rocket science, and practicing law. But I decided that what I really wanted was something that was a challenge. So I chose technology to begin with, and then progressed through several aspects of tech until I discovered infosec. That took me from operations through installation, user support, programming, networking, network administration, web design, web administration, information security, and forensics.

Features for the second release

  • macchanger
  • more google dorking
  • PowerShell - Attack Scripts
  • Include this in tpf
  • Regular Expressions
  • More recon like scanning nearby IPs for attack vectors,
  • check for recent tools that might be good to add.
  • password cracking (wifi, John The Ripper, SAM, ...)
  • Big idea! Pages that "process" the raw output of nmap... into html that can be included in the report.

The Vision and Possibilities

Onsite Training

  • Teaching involves going onsite or using the church as the location. For on-site training I provide CDs with the latest TPF version and some extra materials.
  • I need to charge for travel, lodging, food, supplies, handouts, and profit.
  • The commodity I am selling is knowledge, insight, skills.
  • Travel by truck rather than flying.

Video Training

A newsletter that has a fee

Key Points

  • Focus on principles rather than routines, goals rather than tasks, techniques rather than steps. Prepare for continual adaptation rather than static procedures.
  • Include "tangent" chapters where I address foundational topics such as Linux, Perl, password cracking, networking, protocols, and so on.

What is pentesting

  • https://en.m.wikipedia.org/wiki/Penetration_test
  • Pentesting pits the technician's skills and knowledge against a system with the goal of overcoming its security components and gaining "unauthorized access".
  • The National Cyber Security Centre describes penetration testing as the following: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might." "Penetration Testing". NCSC. https://www.ncsc.gov.uk/guidance/penetration-testing Retrieved 29 May 2019.

Thoughts

Who might want to use The Purple Files?

  • Home hobbyists, students of any type, people wanting to check the security of their own systems, networks, family hosts...
  • Small companies who want to pentest their own systems
  • Small companies who want to provide pentesting services to their customers
  • Students who are interested in this field, want to explore this work, use in a class setting

Being Completely Secure

You can never identify or protect against all possible attacks, both intentional and unintentional. (Expand on this point) But you can apply the 80/20 rule and say that you can expend 20% of your efforts and resources to mitigate 80% of the risk. That leaves your 80% to be directed towards zero-day exploits and other reactive activities.

The huge range of infosec topics and concerns

There are any number of areas you can apply pentesting to or specialize in. Each is valuable and each is demanding and each comprises only a small portion of the attack space of any system or environment. The focus and intent of The Purple Files is a systematic examination of the main attack vectors and weaknesses. And in the process provide detailed, clear, and useful documentation regarding the methodology and the steps and tools used in the methodology.

  • Web applications
  • password cracking
  • Application testing
  • vulnerability testing

Systems are organic - they change and evolve without your permission or knowledge

The fact is that you as a security tech over a period of time cannot identify and remediate all attack vectors. Pentesting is a critical tool that allows you to identify and address a large percent of the actual risks and then manage them. Risk management is the point, not risk elimination.

Risk Management

Risk management has to do with taking practical and effective steps to reduce the risk to a system to the point that the level of risk is acceptable.

Risk can be managed in several ways, including: elimination of specific risk (patch a vulnerability, update software), transfer the risk to another party (insurance), minimize (keep effective backups, review permissions).

Certification

This course does not offer certification because that is not our space or focus. There are several worthwhile certification programs available that we would encourage you to pursue. However, our focus is on methodology and principles, which transcend tools and technologies.

The pace of tech and infosec growth

Actually new technologies do not appear frequently. The foundational technologies such as protocols, hardware interfaces, languages provide the building blocks that are constantly being rearranged, reordered, and combined to produce the constant flow of "new" software, hardware, and techniques. This makes it critical that you master the foundational topics while remaining aware of emergent technologies, products, and projects.

Principles and Experience rather than tools and techniques

While many people work to learn about specific tools, specific environments, specific certifications, and other specialities, my focus is to become familiar with most foundational technologies, the ways that they connect to or interact with one another, and to approach the practice of pentesting with principles rather than a collection of tools. For that matter, your tool kit should be comprised of the software that helps you apply these principles.

Tools

The value of a pentest tool is not the size of the report it produces, or number of vulnerabilities it identifies, nor its...



The Environment