Information Systems Security Assessment Framework (ISSAF) Draft 0.1

TABLE OF CONTENTS
1 ABOUT ISSAF......................................................................................................................................4
2 PROJECT MANAGEMENT.............................................................................................................19
3 BEST PRACTICES– PRE ASSESSMENT, ASSESSMENT AND POST ASSESSMENT .........33
4 ASSESSMENT FRAMEWORK .......................................................................................................71
5 REVIEW OF INFORMATION SECURITY POLICY AND SECURITY ORGANIZATION...73
6 EVALUATION OF RISK ASSESSMENT METHODOLOGY.....................................................82
7 TECHNICAL CONTROLS ASSESSMENT....................................................................................86
A TECHNICAL CONTROL ASSESSMENT - METHODOLOGY..................................................87
B TECHNICAL CONTROL ASSESSMENT: METHODOLOGY DESCRIPTIVE –
(CONTINUE….)..........................................................................................................................................95
C PASSWORD SECURITY ................................................................................................................209
D PASSWORD CRACKING STRATEGIES ....................................................................................266
E UNIX /LINUX SYSTEM SECURITY ASSESSMENT .................................................................285
F WINDOWS SYSTEM SECURITY ASSESSMENT......................................................................329
G NOVELL NETWARE SECURITY ASSESSMENT .....................................................................402
H DATABASE SECURITY ASSESSMENT......................................................................................404
I WLAN SECURITY ASSESSMENT ...............................................................................................458
J SWITCH SECURITY ASSESSMENT ...........................................................................................481
K ROUTER SECURITY ASSESSMENT ..........................................................................................516
L FIREWALL SECURITY ASSESSMENT......................................................................................561
M INTRUSION DETECTION SYSTEM SECURITY ASSESSMENT...........................................610
N VPN SECURITY ASSESSMENT ...................................................................................................634
O ANTI-VIRUS SYSTEM SECURITY ASSESSMENT AND MANAGEMENT STRATEGY ...645
P WEB APPLICATION SECURITY ASSESSMENT .....................................................................661
Q WEB APPLICATION SECURITY (CONTINUE…) – SQL INJECTIONS ..............................719
R WEB APPLICATION SECURITY (CONTINUE…) WEB SERVER SECURITY ASSESSMENT ............749
S STORAGE AREA NETWORK (SAN) SECURITY .....................................................................761
T INTERNET USER SECURITY ......................................................................................................771
U AS 400 SECURITY...........................................................................................................................777
V LOTUS NOTES SECURITY...........................................................................................................805
W SOURCE CODE AUDITING .....................................................................................................810
X BINARY AUDITING .......................................................................................................................811
8 SOCIAL ENGINEERING ...............................................................................................................812
9 PHYSICAL SECURITY ASSESSMENT.......................................................................................839
10 REVIEW OF LOGGING / MONITORING & AUDITING PROCESSES ............................847
11 SECURITY AWARENESS AND TRAINING ..........................................................................864
© 2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org)
Date: 12/25/2004 Page 2 of 1054

12 OUTSOURCING SECURITY CONCERNS .............................................................................873


13 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY .............................874
BUSINESS CONTINUITY PLANNING.................................................................................................875
DISASTER RECOVERY PLANNING ...................................................................................................878
14 LEGAL AND REGULATORY COMPLIANCE ......................................................................919
KNOWLEDGE BASE...............................................................................................................................929
1 BUILD FOUNDATION ...................................................................................................................930
2 DESKTOP SECURITY CHECK-LIST - WINDOWS..................................................................964
3 LINUX SECURITY CHECK-LIST................................................................................................970
4 SOLARIS OPERATING SYSTEM SECURITY CHECK-LIST.................................................973
5 PENETRATION TESTING LAB DESIGN ...................................................................................995
6 LINKS..............................................................................................................................................1006
7 TEMPLATES / OTHERS ..............................................................................................1035

1 ABOUT ISSAF
1.1 PREFACE

Today, the evaluation of Information Systems (IS) security in accordance with business requirements is a vital component of any organization's business strategy. While there are a few information security assessment standards, methodologies and frameworks that talk about what areas of security must be considered, they do not contain specifics on HOW and WHY existing security measures should be assessed, nor do they recommend controls to safeguard them.

The Information System Security Assessment Framework (ISSAF) is a peer-reviewed, structured framework that categorizes information system security assessment into various domains & details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real-life scenarios. ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. ISSAF includes the crucial facet of security processes, their assessment and hardening, to give a complete picture of the vulnerabilities that might exist.

The information in ISSAF is organized into well defined evaluation criteria, each of which
has been reviewed by subject matter experts in that domain. These evaluation criteria
include:
• A description of the evaluation criteria
• Its aims & objectives
• The pre-requisites for conducting the evaluation
• The process for the evaluation
• The expected results
• Recommended countermeasures
• References to external documents

The overall framework is large; we chose to provide as much information as possible on the assumption that it would be easier for users to delete material rather than develop it. The Information System Security Assessment Framework (ISSAF) is an evolving document that will be expanded, amended and updated in future.

1.1.1 What are the Objectives of ISSAF?

• To act as an end-to-end reference document for security assessment
• To standardize the Information System Security Assessment process
• To set the minimal level of acceptable process
• To provide a baseline on which an assessment can (or should) be performed
• To assess safeguards deployed against unauthorized access
• To act as a reference for information security implementation
• To strengthen existing security processes and technology

1.1.2 What are the Goals of ISSAF?

The goal of the ISSAF is to provide a single point of reference for security assessment. It is a reference that is closely aligned with real-world security assessment issues and that is a value proposition for businesses. To this aim the ISSAF has the following high-level agenda:
• Evaluate the organization's information security policies and ensure that they meet industry requirements & do not violate any applicable laws & regulations
• Identify the critical information systems infrastructure required for the organization's business processes and evaluate its security
• Conduct vulnerability assessments & penetration tests to highlight system vulnerabilities, thereby identifying weaknesses in systems, networks and applications
• Evaluate controls applied to various security domains by:
o Finding mis-configurations and rectifying them
o Identifying known and unknown risks related to technologies and addressing them
o Identifying known and unknown risks within your people or business processes and addressing them
o Strengthening existing processes and technologies

• Prioritize assessment activities as per system criticality, testing expenses, and expected benefits
• Educate people on performing security assessments
• Educate people on securing systems, networks and applications
• Provide information on
o The review of logging, monitoring & auditing processes
o The building and review of a Disaster Recovery Plan
o The review of outsourcing security concerns
• Compliance with Legal & Regulatory Standards
• Create Security Awareness
• Effective Management of Security Assessment Projects
• Guarding against social engineering exploitation
• Physical security control review

This approach is based on using the shortest path required to achieve one's goal by finding flaws that can be exploited efficiently, with minimal effort. The goal of this framework is to give completeness, accuracy and efficiency to security assessments.

1.1.3 Why did we come up with ISSAF?

After working on many information assurance projects, we felt the lack of a comprehensive framework that provides information security assurance through performing standardized vulnerability assessment, penetration testing, security assessment and security audit.

ISSAF is a comprehensive and in-depth framework that helps avoid the risk inherent in narrow or ineffective security assessment methodologies. In ISSAF we have tried to define an information system security assessment methodology that is more comprehensive than other assessment frameworks; it seeks to mitigate the inherent risk in the security assessment process itself. It helps us understand the business risks that we face in performing our daily operations. The threats, vulnerabilities, and potential exposures that affect our organizations are too large to be ignored.

At this particular time it is not the answer to every question or situation, but we are committed to continuous improvement by improving current topics and adding new topics.

ISSAF has laid the foundation; now it's your turn to benefit from it, whether you use it as is or tailor the materials to suit your organization's needs. Welcome to ISSAF, we hope you will find it useful.

1.2 TARGET AUDIENCE

This framework is aimed at a wide spectrum of audiences that include:
• Internal and External Vulnerability Assessors, Penetration Testers, Security Auditors and Security Assessors
• Professionals responsible for information security and perimeter security
• Security engineers and consultants
• Security assessment project managers
• Information system staff responsible for information security
• System/network/Web administrators
• Technical and Functional Managers

1.3 CONTRIBUTORS
1.3.1 Contributor Contacts and References

(Ascending order by name)

1.3.2 Contributors as per Domain

Domain: Author(s) and Contributor(s)

Project Management: S. Saravanan, Balwant Rathore
Best Practices – Pre-Assessment, Assessment, Post Assessment: S. Saravanan, Balwant Rathore, Omar Herrera
Evaluation of Third Party Contracts: Dieter Sarrazyn, Viraf Hathiram, Balwant Rathore
Assessment Framework: Balwant Rathore, Umesh Chavan
Technical Control Assessment Methodology: Johnny Long, Gareth Davies, Pukhraj Singh, Balwant Rathore, Param Singh, Dieter Sarrazyn, Kartikeya Puri
Review Information Security Policy And Security Organization: Umesh Chavan, R.S. Sundar
Review Risk Assessment And Classification: Umesh Chavan, Major Gajendra Singh, Balwant Rathore
Password Security: Bernardo Reino aka lepton, Miguel Dilaj, Piero Brunati, Matteo Brunati
Password Cracking Strategies: Bernardo Reino aka lepton, Pietro Brunati, Miguel Dilaj
Unix/Linux System Security Assessment: Arturo "Buanzo" Busleiman, Balwant Rathore, Kartikeya Puri, Jayesh Thakur
Linux Audit Check-List: Arturo "Buanzo" Busleiman, Hiten Desai, Dieter Sarrazyn
Linux Audit Tool: Hiten Desai
Solaris Audit Check-List: Jayesh Thakur, R.S. Sundar
Solaris Audit Tool: Vijay Ganpathy
Windows System Security Assessment: Balwant Rathore, Kartikeya Puri, Oscar Marin
Windows Security Audit Tool: Dieter Sarrazyn
Desktop Security Checklist - Windows: Umesh Chavan, Balwant Rathore
Novell Netware Security Assessment: Balwant Rathore, Kartikeya Puri
Database Security Assessment: K. K. Mookhey, Balwant Rathore
Wireless Security Assessment: Balwant Rathore, J Sheik Abdulla
Wi-fi Security Assessment: Balwant Rathore, Anish Mohammed
Physical Security Assessment: Balwant Rathore, Umesh Chavan
Switch Security Assessment: Balwant Rathore, Cesar Tascon
Router Security Assessment: Balwant Rathore, Manish Uboveja
Firewall Security Assessment: Balwant Rathore, Dieter Sarrazyn
Default Ports – Firewall: Dieter Sarrazyn, Vinay Tiwari, Oliver Karow
Intrusion Detection System Security Assessment: Dragos, Balwant Rathore, Rishi Pande
Default Ports – IDS/IPS: Vinay Tiwari
VPN Security Assessment: Gabrial O. Zabal, Balwant Rathore
Anti-Virus System Security Assessment And Management Strategy: Balwant Rathore, Miguel Dilaj, Umesh Chavan
Web Application Security: Balwant Rathore, Hemil Shah
Web Application Security – SQL Injections: Balwant Rathore, Hernan Marcelo Racciatti
Web Server Security: Balwant Rathore
IIS Audit Check-List: Hernan Marcelo Racciatti
Binary Auditing: Rahul, Balwant Rathore
Business Continuity Planning And Disaster Recovery: R.S. Sundar
Disaster Recovery Planning: Kalpesh Doshi, Balwant Rathore, Umesh Chavan
Social Engineering: Balwant Rathore, Dragos
Incident Analysis: Muhammad Faisal Rauf Danka
Storage Area Network (SAN) Security: Balwant Rathore, Hari Prasad Chede
Internet User Security: Balwant Rathore, Kartikeya Puri
Review Of Logging / Monitoring & Auditing Processes: R.S. Sundar, Thanzeer, Umesh Chavan
Assess Outsourcing Security Concerns: Umesh Chavan, R.S. Sundar
Security Awareness And Training: Salman Ashraf, Patrick, Balwant Rathore

Knowledge Base
Legal Aspects Of Security Assessment Projects: Balwant Rathore, Sandhya Khamesra
Dos Attacks: Instigation And Mitigation: Jeremy Martin
Virus & Worms: Jeremy Martin
Cryptography: Jeremy Martin
Non-Disclosure Agreement (NDA): Balwant Rathore
Security Assessment Contract: Balwant Rathore, Sandhya Khamesra
Request For Proposal Template: Balwant Rathore
Vulnerability Assessment / Penetration Testing Lab: Hamid Kashfi, Balwant Rathore
Links: Marko Ruotsalainen
Report Template: Balwant Rathore, Umesh Chavan

1.3.3 Key Contributors Introduction

Umesh Chavan
Umesh Chavan is an information security professional with over 7 years of experience & holds a CISSP. He is currently working with CoreObjects, India, where he is involved in the development of security products. Prior to this he worked with JP Morgan Chase as an Information Risk Manager & as an Information Security Specialist with Larsen & Toubro Infotech Ltd. He has exposure to the various domains in security and has a unique blend of both process & technical knowledge. He likes conversing with people, sharing new ideas and enriching his knowledge, not necessarily restricted to the field of information security.

Miguel Dilaj
Born in 1971. Started using computers in 1982 (venerable C64). Migrated to Amiga in the late 80's (still have and regularly use a PowerPC Amiga). Became involved with PC and AS/400 in the 90's. First serious use of Linux in 1998 (RedHat 5.1); tried FreeBSD, NetBSD and OpenBSD and fell back to Linux, having tried RedHat-based, Slackware-based and Debian-based distros. Currently using Debian-based. Continuous Windows use from 3.0 up to XP Pro. Became deeply into IT Security in '98, when it started to be possible to have real control of the situation (i.e. Linux!). Started training other people in Linux and IT Security in 2000; currently working in the Quality Assurance and Automation fields (Computerized System Validation). Interested in clusters and their use for password auditing.

Piero Brunati
Co-founder of Nest (www.nestonline.com), where he performs Research and Ethical Hacking and develops software; he tries hard to mitigate customers' nightmares. He began butchering computers in the good old 70's, when he spent his first salary to buy the components he used to solder his first computer (8008 CPU, 2k static RAM, 2k EPROM, serial and parallel I/O).

K. K. Mookhey
K. K. Mookhey is the Founder and Chief Technology Officer of Network Intelligence (www.nii.co.in), an information security consulting firm. He has provided security consulting services to Fortune 500 companies and industry segment leaders in India, the Middle East, and North America. He has pioneered the development of the AuditPro suite of security auditing software, as well as initiated the research efforts within the company. His vulnerability research team has found security vulnerabilities in products from vendors such as Oracle, Symantec, and Macromedia. He is a regular contributor to the Infocus series of articles on SecurityFocus, as well as various industry journals such as IS Control and IT Audit. He is the author of a monograph on "Linux Security Audit and Controls" commissioned by the Information Systems Audit and Control Association (ISACA). He is also the author of the chapter on "Web Application Attacks" in the upcoming version of the OWASP Guide.

Dieter Sarrazyn
Dieter Sarrazyn has been an information security consultant and trainer for more than 6 years now.

Dieter is a certified and experienced professional in the areas of creating secure information systems and network architectures, performing security audits of systems and network infrastructures, performing penetration tests and installing and configuring firewall and VPN solutions. Other expertise lies in the areas of system and network management, installing and configuring antivirus solutions and installing & configuring mail relay systems.

Dieter first worked as a Security Engineer in a Network Integration Company and then
moved towards Security Consulting at the company he's still working for. His main tasks
are performing penetration testing, security auditing and teaching the Hacking Inside Out
course. He is also a Local Mentor for SANS tracks 1 and 4.

Dieter has earned the following certifications: CISSP, GSEC, GCIH, CCSA & CCSE.

1.4 DOCUMENT ORGANIZATION AND CONVENTIONS

1.4.1 Document Organization
This framework briefly discusses the requirements for security assessments and explains in detail the methodology of security assessments. The sections are organized as follows:
1. Project Management
2. Guidelines And Best Practices – Pre Assessment, Assessment And Post
Assessment
3. Assessment Methodology
4. Review Of Information Security Policy And Security Organization
5. Evaluation Of Risk Assessment Methodology
6. Technical Control Assessment
• Technical Control Assessment - Methodology
• Password Security
• Password Cracking Strategies
• Unix /Linux System Security Assessment
• Windows System Security Assessment
• Novell Netware Security Assessment
• Database Security Assessment
• Wireless Security Assessment
• Switch Security Assessment
• Router Security Assessment
• Firewall Security Assessment
• Intrusion Detection System Security Assessment
• VPN Security Assessment
• Anti-Virus System Security Assessment And Management Strategy
• Web Application Security Assessment
• Storage Area Network (SAN) Security
• Internet User Security
• AS 400 Security
• Source Code Auditing
• Binary Auditing

7. Social Engineering
8. Physical Security Assessment
9. Incident Analysis
10. Review Of Logging / Monitoring & Auditing Processes
11. Business Continuity Planning And Disaster Recovery
12. Security Awareness And Training
13. Outsourcing Security Concerns
14. Knowledge Base
• Legal Aspects Of Security Assessment Projects
• Non-Disclosure Agreement (NDA)
• Security Assessment Contract
• Request For Proposal Template
• Desktop Security Check-List - Windows
• Linux Security Check-List
• Solaris Operating System Security Check-List
• Default Ports - Firewall
• Default Ports – IDS/IPS
• Links
• Penetration Testing Lab Design

1.4.2 Document Convention

In many places in this document we use the following test case template:

Heading of Topic

Introduction
(Description / purpose / requirement / terminology / history)

Objective

Expected Results

Methodology
(Structured steps that need to be followed to complete the test case)

Per Test / Technique

Description

Objective

Expected Result

Pre-requisite

Process (Steps to complete this task)

[Description]

[Example/Results]

[Countermeasure]

Example/Results of common testing tool(s)

Countermeasure(s)

Further Reading(s)

Contributor(s)

Global Comments

Global Countermeasure(s)

Contributor(s)

Further Reading(s)

1.5 DISCLAIMER
While all possible precautions have been taken to ensure accuracy during the development of the Information System Security Assessment Framework (ISSAF), also referred to as ISSAF, the Open Information System Security Group (OISSG) assumes no responsibility for any damages, errors or downtime resulting from or caused by the use of the information contained herein.

OISSG does not warrant or assume any legal liability or responsibility for the completeness, usefulness or accuracy of the information presented in this document.

OISSG will not be responsible for any damage, malfunction, downtime, or other errors that might result from the usage of this document.

1.6 LICENSING
• We impose no restrictions on any individual/organization for practicing the ISSAF
• Any individual/organization will be granted unlimited distribution of the ISSAF provided the copyright is included in the document & the authors' name[s] are maintained in the document after the final release of ISSAF. This release is a draft and to distribute it, one needs to take permission from OISSG.
• We impose no restrictions on any individual/organization to develop products based on it.
• A written authorization is required from OISSG for any individual or organization that provides training based on ISSAF and/or wants to use ISSAF material for commercial training purposes
• Generally, tools developed for ISSAF assessment are released under the GNU GPL (http://www.opensource.org/licenses/gpl-license.html)
• OISSG reserves the right to change the licensing policy at its own discretion.

Do reach us for more detail on our licensing at [email protected]

2 PROJECT MANAGEMENT
A project is a grouping of activities that, when put together, achieves an objective and
goal. A project always has a recognizable beginning and end. The topics below give an
overview of how project management can be performed for security assessment
projects.

The security-testing job entails numerous tasks and involves several parties. Such a job
requires project planning from the starting point and management activity throughout the
development of the project. This section describes the project management aspects of a
security assessment project.

The following guidelines can be used directly to provide a project management plan to the
client.

2.1 PROJECT EXECUTIVE OVERVIEW


(Optional) The executive summary provides a summary of the project definition
document. In many cases, this is a PowerPoint presentation. If it is, then a reference to
the external document can be included here. This section contains a high-level
explanation of the project objectives, scope, assumptions, risks, costs, timeline,
approach, and organization. (Remove this comment section from final document.)

Describe the background and context for the project and why it is being undertaken.
Speak to the business value of the work being performed. Put enough information here
so that the rest of the sections in the project definition make sense. (Remove this
comment section from final document.)

2.2 OBJECTIVE
Objectives are statements that describe what this project will achieve and deliver.
Objectives should be “SMART”: Specific, Measurable, Achievable, Realistic, and Time-
Based. To be specific and concrete, objectives should be deliverable-based. The
completion of an objective should be evident through the creation of one or more
deliverables. If the statement is at a high level and does not imply the creation of a
deliverable, it may be a goal instead. If the statement is too low-level and describes
features and functions, then it may be a requirement statement instead. (Remove this
comment section from final document.)

The XXX project will meet the following objectives:
• Objective #1
• Objective #2
• Objective #3

Expected Result[s]
Give a brief description of the deliverables. A sample deliverable report can also be
attached.
The XXX project will produce the following deliverables:
• Deliverable #1
• Deliverable #2
• Deliverable #3

2.3 METHODOLOGY
Give an overview of the methodology used for the security assessment project. The
phases involved in a typical security assessment project are:
• Planning and Preparation
• Assessment
• Reporting

2.4 PROJECT SCOPE


In this section, you should clearly define the logical boundaries of your project. Scope
statements are used to define what is within the boundaries of the project and what is
outside those boundaries. Examples of areas that could be examined are data,
processes, applications, or business areas. The following types of information can be
helpful:
• The types of deliverables that are in scope and out of scope (Business
Requirements, Current State Assessment)

• The major life-cycle processes that are in scope and out of scope (analysis, design,
testing)
• The types of data that are in scope and out of scope (financial, sales, employee)
• The data sources (or databases) that are in scope and out of scope (Billing, General
Ledger, Payroll)
• The organizations that are in scope and out of scope (Human Resources,
Manufacturing, vendors)
• The major functionality that is in scope and out of scope (decision support, data
entry, management reporting)
(Remove this comment section from final document.)

The scope of this project includes and excludes the following items.
In scope:



Out of scope:



2.5 PROJECT KICKOFF MEETING (INTERNAL)


Once a project is won, the Project Manager shall call a Project Kickoff Meeting. The
following points shall be discussed in this meeting:
• Quick look at lessons learned in previous projects
o Highlight challenges/problems and design strategy to resolve them
• Declare Single Point of Contact for Project
• Form Project Team and divide their tasks
• Set deadlines on divided tasks to members responsible for Project Execution
• Process Administrative Tasks
o Visa Processing (If required)
o Travel Management
o Check Passport status and Important papers with candidates
o Check Emigration Check Not Required (ECNR) on passport of candidates
• Availability of tools (commercial/freeware)
• Capability to efficiently deliver the tasks promised in the proposal
• Any help needed for delivery
o Infrastructure for testing
o Training
o Backup infrastructure
• Inform TIM about IP Addresses
• The Project Manager or an assigned team member shall circulate minutes of the meeting
to everybody

2.6 COMMUNICATIONS PLAN

Name / Project Role Numbers Email


INSERT CONTACT LIST

Standard/Scheduled Communications
The Assessment Team Program/Project Manager will initiate the following project
meetings through the project life cycle:
On-site at –CUSTOMER NAME-:
• Mid-Planning and End-of-Planning Meetings
• Project Kick-Off Meeting


• Progress Meetings (frequency and method to be determined by the CUSTOMER
NAME). A meeting agenda will be distributed to attendees prior to the meeting
and meeting minutes will be distributed after the meeting.
• Project End (Debrief) Meeting

On a weekly basis, Assessment Project Management will provide status to all project
stakeholders via the CUSTOMER NAME project web site (to be developed). The Project
Manager will post all project-related documents developed during the week each
Friday. The project web site is a valuable tool that archives all documents historically,
making them easily and readily available for baseline reviews.

It is imperative for all managers to be aware of issues that their teams are
managing / experiencing; therefore, all project communications will follow a
“chain of command” structure. Please refer to the Project Org Chart for
communication checkpoints.

• Explain your understanding of the client's requirements
• Discuss dates of assessment, offshore/onsite
• Request the client to issue an invitation letter to the embassy in the names of the test
team members (if required)
• Update the client on the source IP addresses used for the assessment

2.7 PROJECT KICKOFF CALL WITH CLIENT


Points to discuss
• Identify access points and the number of devices that need to be tested
• Deliverables
o Executive Summary
o Vulnerability Summary
o Detailed test results with countermeasures to safeguard against vulnerabilities
• Single Point of Contact from both ends
• Team introduction
• Project start and end date
• Working days/hours


• Internet access during onsite assessment
• Site location and contact numbers
• Update the client about the source IP addresses used for testing
• Make sure access to the services under test is open in the client's firewall from the
given source IP addresses, so the assessment can be performed
• Make sure access to those services is also allowed outbound through your own
company/ISP router and firewall

2.8 SAMPLE STATUS REPORT

From:
Subj: Status Report for
Period:

If appropriate, provide background information for this report. You may wish to include
the following information in your comments:
Origins of the project; business reason for its initiation; anticipated value to the customer;
and projected increase to revenue or decrease to cost.
Project scope and objective

Summary:

Total Hours Used:

Identify overall project status and provide a few key bullet points highlighting planned vs.
actual aspects of each relevant topic:

Project Status:
GREEN YELLOW RED
NOTE: Status Reports will be completed weekly. Do not be hesitant to provide a
yellow or red status; this is a tool to alert management to potential issues.
• Green – Project is proceeding on plan with no major showstoppers.

• Yellow – Project has tasks that “may” impact project completion.

• Red – Major issues exist with required tasks that are needed to complete the
project. Management assistance is needed immediately.

Project Schedule
Indicate the current planned completion date for all major tasks & milestones through
completion of the project.

TASK/EVENT PLANNED DATE

Major Accomplishments: (Any significant completed tasks)


Highlight major accomplishments achieved during the reported status period. Identify
focus of current project work and any additional information on completed tasks.

Outstanding Issues or delinquent items


Identify appropriate critical issues that threaten the success of this project. Provide
further information regarding background and action plans for addressing the issue.
ISSUE ACTION PLAN

Next Steps/Upcoming Events - (planned tasks for the next reporting period)

2.9 ISSUE ESCALATION PLAN


An escalation chart for use in case of issues can be provided in this section. Escalation
will happen on both the client side and the assessment organization side. A flow chart will
be of great help.

2.10 DEVELOP A PROJECT PLAN AND SEND IT TO CUSTOMER


It should include the following:
• The test cases you are going to execute
• Time allotted for every test case
• Start and end date of the project
• Time of assessment
• Contacts for each team

2.11 SET MILESTONES AND TIMELINES

Define project milestones according to the tasks, stick to them, and achieve them in the
defined time. Try to complete testing during office hours; this helps minimize any down
time, should it occur under any circumstances.

Event                               Week 1  Week 2  Week 3  Week 4  Week 5
Planning and Preparation
Information Gathering
Network Mapping
Vulnerability Identification
Vulnerability Identification cont…
Vulnerability Identification cont…
Target Exploitation
Target Exploitation …
Target Exploitation …
Reporting

2.12 PROJECT SCHEDULE


The CUSTOMER NAME project will be driven by a project schedule chart. The Master
Schedule details all major phases and their associated sub-tasks. The Master Schedule is
detailed below.

<INSERT PROJECT SCHEDULE HERE>

2.13 DELIVERABLES PRODUCED


All projects have deliverables. In this section, describe the deliverables of the project.
Provide enough explanation and detail so that the reader will be able to understand what
is being produced. (Remove this comment section from final document.)
• Deliverable 1: description
• Deliverable 2: description
• Deliverable 3: description

2.14 PROJECT ESTIMATED EFFORT/COST/DURATION (COST OPTIONAL)


The estimated effort hours and project costs may be depicted in many ways, including
cost by team member, cost by deliverable, cost by milestone, or cost by category
(internal labor, external labor, travel, training, supplies, etc.). Also include a chart
showing the project start date, major milestones, and end date. The deliverables
included in this milestone chart should all have been described in the scope section.
(Remove this comment section from final document.)

Milestone           Date       Deliverable(s) completed
Project planning    Mm/dd/yy   • Project definition
                               • Workplan
Milestone 1         Mm/dd/yy   • Deliverable 1
                               • Deliverable 2
Milestone 2         Mm/dd/yy   • Deliverable 3
Milestone 3         Mm/dd/yy   • Deliverable 4
Milestone 4         Mm/dd/yy   • Deliverable 5
Project conclusion  Mm/dd/yy

2.15 PROJECT ASSUMPTIONS

Project assumptions are circumstances and events that need to occur for the project to
be successful but are outside the total control of the project team. They are listed as
assumptions if there is a HIGH probability that they will in fact happen. The assumptions
provide a historical perspective when evaluating project performance and determining
justification for project-related decisions and direction. (Remove this comment section
from final document.)

In order to identify and estimate the required tasks and timing for the project, certain
assumptions and premises need to be made. Based on the current knowledge today, the
project assumptions are listed below. If an assumption is invalidated at a later date, then
the activities and estimates in the project plan should be adjusted accordingly.

• Assumption #1
• Assumption #2
• Assumption #3, etc

2.16 PROJECT RISKS


Project risks are circumstances or events that exist outside of the control of the project
team that will have an adverse impact on the project if they occur. (In other words,
whereas an issue is a current problem that must be dealt with, a risk is a potential future
problem that has not yet occurred.) All projects contain some risks. It may not be
possible to eliminate risks entirely, but they can be anticipated and managed, thereby
reducing the probability that they will occur.

Risks that have a high probability of occurring and have a high negative impact should
be listed below. Also consider those risks that have a medium probability of occurring.
For each risk listed, identify activities to perform to eliminate or mitigate the risk.

IDENTIFICATION                 QUANTIFICATION                                    MITIGATION
WBS #  DESCRIPTION OF          PROBABILITY (%)                  CONSEQUENCES     SOLUTIONS  COMMENTS
       RISK EVENT              Low     Medium    High
                               0-.35   .35-.65   .65-1.0

2.17 PROJECT APPROACH


This section is used to describe how the project will be structured and the important
techniques that will be utilized. The project approach is intended to encourage the
project manager to think about the project from the top down instead of the traditional
bottom-up method. Including the approach in the project definition compels the project
manager to both consider the dependencies of the project and to incorporate the project
management necessary to plan and manage the project. (Remove this comment section
from final document.)

2.18 PROJECT ORGANIZATION (ASSESSMENT TEAM & CLIENT)


It is important to understand who the major players are on the project. An organization
chart works well. Otherwise, list the major project roles and the actual people involved.
(Remove this comment section from final document.)

Add a project organization chart, if available. (Remove this comment section from final
document.)

2.19 RESPONSIBILITY MATRIX


A – Approves the Deliverable
R – Responsible for Creating the Deliverable
N – Notified when Deliverable is Complete
M – Manages the Deliverable
F – Facilitates Timely Resource Allocation
S – Responsible for Acceptance and Sign-off
P – Participates in Archiving the Deliverable

S.NO  Deliverables & Tasks   Assessment Team                                      Clients
                             Program   Project   Consultants  Team      Project   Stakeholders &
                             Manager   Manager                Members   Manager   Functional Heads
1     Project Scope          A         R         R            R

2.20 SIGN-OFF SHEET

Client Name: XXXXX
Project Manager: XXXX
Project Name: IT Security Assessment
Purchase Order Number:
Begin Date: 04/06/03
Target End Date: 10/09/03
Final End Date:

S.NO  Deliverables        Date Completed  Assessment Team Name
                                          Xxxxxxxxxxxx
1     Statement of Work   13/06/2003

Final Sign off


The assessment team has successfully performed according to the conditions set forth in
the SOW, dated _____, for the Security Assessment Project.

Sign Off on Work Performed:

_________________ _____________________
XXXXXXX XXXXX
Assessment Lead Client Lead

3 BEST PRACTICES – PRE ASSESSMENT, ASSESSMENT AND POST ASSESSMENT

Over the last few years, the security assessment process has evolved from an assorted
set of attacks carried out by amateurs to a mature and reviewable assessment process
with strong legal boundaries and well-defined deliverables.

Irrespective of whether the engagement is a Vulnerability Assessment, a Penetration Test
and/or a Security Assessment, there are certain things which the assessor needs to take
care of while assessing the strength of an enterprise's security.

A well-defined, proven and structured assessment can assist greatly in fortifying your
defenses; it also throws up newer, more complex issues that you will have to deal with,
e.g. legal aspects. Check the Knowledge Base section for more detail on this.

This section provides all the best practices / guidelines required to perform the security
assessment. Management, key people involved in the assessment and all other members of
the assessment team must read and follow it. The owner and the assessment company
(irrespective of whether internal or external) should sign it before starting an assessment.

Best Practices / Guidelines (columns: Compliance (Yes/No), Comments)

Legal Aspects
• Ensure that you have signed a Non-Disclosure Agreement with the company that is
performing the assessment.
Recommended Reading: Non-Disclosure Agreement in the Knowledge Base section.
• Ensure that you have signed the Security Assessment Agreement.
Recommended Reading: Security Assessment Agreement in the Appendix.
• Ensure that you do not scan IP addresses outside the agreed scope and are limited to
the IP addresses and domains specifically assigned to you.
• Clearly define the boundaries of the assessment to avoid any conflict and/or
confidentiality issues. E.g. an assessor breaks into a system and may read confidential
information on it. Make it clear whether you want the assessor to access confidential
information and show it to you, or just leave a message on the system in a text file.
• Clearly define the limits of liability for the assessment team in case of an incident
caused by negligence or malpractice. E.g. most assessment teams limit the liability to
the cost of the security service being performed.
People
• For the assessment team participating in the assessment, the following information
must be documented and evaluated by the Assessed Company:
a) Experience with the platforms, applications, network protocols and hardware devices
being tested. The experience of candidates should match that of the targeted
infrastructure.
b) Certifications and courses related to penetration testing. This information should
confirm that assessment team members are capable of performing the activities
described in the scope of the service.
c) Years of experience in penetration testing engagements. This information should
confirm that assessment team members are capable of performing the activities
described in the scope of the service.
d) Attack scripting/programming languages mastered by each member. This information
should demonstrate abilities for designing and performing manual testing procedures.
e) Public information showing participation in the community by each member, such as
articles, forum posts, papers, participation in events, etc. People that show up in public
places demonstrate their credentials and are more easily trusted. Assessors that have
engaged in public discussions on information security testing demonstrate their
knowledge and experience.
f) List and description of tools/scripts created/modified by each member, related to
security assessment. This information should demonstrate abilities for designing and
performing manual testing procedures.
g) Roles and responsibilities of each member in the team. This information should
indicate the degree of involvement of each assessor and the importance of their
participation in the team.
• Have you gone through the resumes (including references) of the assessment team
members, and are you satisfied with their skills?
• Have you checked the recruiting policies of the company, and are you comfortable with
them?
• Have the employees of the company performing the assessment signed strong
Non-Disclosure Agreements with their firm?
Processes
• Have you clearly stated whether you want a denial of service attack assessed on your
live or test system? Or do you prefer that they simply audit the system and describe the
specific flaws in your network that leave you susceptible to a particular Denial of Service
attack?
• Generally a security assessment / penetration test is recommended only when you
have baseline security in place.
• Are you assessing the security of secondary systems (possibly redundant ones) instead
of primary systems? Both approaches have their advantages and disadvantages, but it is
generally recommended that you assess the security of secondary servers rather than
primary servers when strict confidentiality has to be maintained and any kind of down
time is not acceptable. The path used to attack the secondary servers can reveal flaws in
your security architecture that apply equally to your primary servers.
• Is the test infrastructure secure and is logging performed? Please give details.
• Is the assessment team or a team member going to perform any test from home,
especially using a PC other than an official laptop or assessment machine?
• Ensure that the assessment team provides precise information on the physical and
logical locations of the assessment equipment (e.g. physical addresses from where tests
will be conducted and IP addresses used at the time of the test).
• Is a process established to get clearance before starting a test?
• Are the test cases provided to you?
• Ensure that the organization/company has licenses for the commercial tools used by the
assessment team. Make sure that both parties are clear on who is going to provide what
tools.
• Are the date, time and day for the assessment fixed? A time when traffic is minimal is
preferred; late nights and weekends are good times, since any unexpected negative
impact on the network will cause the least harm to users during off-peak hours.
• Does the Assessment Company have well-defined processes for managing the output of
the test cases?
• Ensure that both the Assessment Company and the Assessed Company exchange
contact information for the people involved in the tests, valid at any time during the
engagement (e.g. email addresses, phone numbers, fax numbers and pagers).
Deliverables
• The assessment team should show a clear approach and path of attack to be carried
out, and a demo as and when required. A list of vulnerabilities on the compromised
network is not sufficient, since it may not give the actual path that can be exploited.
• Has the Assessment Company submitted a sample copy of previous assessment
reports? Does it cover everything you want as a client?
• Ensure that the sample does not reveal any kind of client information; very clearly
mask client names and any information that makes resources identifiable, such as IP
addresses.
• The report shall contain all tests performed and their outputs, as per the ISSAF test
case template.
• List of vulnerabilities identified and countermeasures to safeguard against them.
• Very high critical threats must be reported immediately.
• Ensure that you do not use a new/unfamiliar tool on a production environment.
• Guard against performing a man-in-the-middle attack and forgetting to forward traffic
further.
• Guard against performing a man-in-the-middle attack without considering the speed of
the device which is performing the man-in-the-middle attack. Generally middle-man
devices, for example a laptop, are slow and cannot give high throughput.
Readiness of Infrastructure
• The assessor should make sure the connection for testing is up, and that a backup line
or internet access is readily available, before starting the tests.
• Ensure that certain protocols/services are not, for whatever reason, blocked at the
assessment center end (your company/ISP). This may seriously affect your assessment
results.
• E.g. ICMP is blocked as per corporate policy.
• E.g. UDP traffic is blocked at the ISP end due to a worm. Strange, but it happens
sometimes.
• Ensure that your company's technical infrastructure department does not change the IP
addresses of the Assessment Center without your permission; this could negatively
impact your tests, because the target firm will be expecting connections from a certain IP
range.
• Ensure readiness of an assessment team kit:
• Assessment tools / products
• Operating system CDs
• Ensure that the people involved in the assessment process properly understand the
client's requirements as specified in the RFP.
• Ensure that you are using dedicated equipment for testing. Email and any other
administrative or personal activities should be performed on other machine(s), or, if on
the same machine, it is recommended to do them on a different boot partition. This
guarantees the integrity of the testing machine.
• Ensure that a process is available for collecting test results and that they are presented
in a proper format. Otherwise analysis will take a lot of time and important information
may be missed.
• Ensure that the testing process is closely monitored and documented, in order to
facilitate the identification of telecommunications problems and false positives (usually
the test is recorded at network level using a protocol analyzer on a different machine, in
order to avoid a performance impact on the testing equipment).
• Avoid a breach of confidentiality by releasing customer data.
• Ensure that your storage server for test results is secure.
• Ensure that all correspondence is conducted in an appropriate way. If you exchange
asset information verbally, on plain paper or by phone (this generally happens while
performing onsite assessment), you later have no record to prove that this is what the
client gave for assessment, in case any undesirable politics arises. This guideline can be
adopted at various stages of the assessment process. Use of digital signatures and
encryption for formal electronic communication is necessary to guarantee confidentiality,
authenticity and non-repudiation.

3.1 PRE-ASSESSMENT PHASE

3.1.1 Request for Proposal (RFP)

The organization shall clearly define the following:
• Name and details of the person to whom the proposal needs to be submitted
• Maximum time to submit the proposal (e.g. 1st Jan 2005)
• Maximum time to complete the assessment (e.g. March 2005)
• High-level design of the network architecture, provided to selected companies after
signing a Non-Disclosure Agreement (NDA)

The organization shall clearly ask the Assessment Company to state the following in the
proposal:
• Maximum time to complete the assessment (e.g. March 2005)
• Expected time to complete each task
• Serial and parallel tasks in the proposal
• Dependencies between tasks
• Time period in which the assessment has to be completed
• Understanding of the Assessment Company's requirements
• Your understanding of our requirements
o Asset segments which need to be assessed
o Number of access points and devices from where the assessment has to be
performed
o Expected deliverables
o Clearly defined scope of assessment. Expected depth of tests in each task
(how far should the assessors go: network, O.S., application level, etc.)
o List of objectives by which each task will be evaluated (should be effort
oriented, not success/failure oriented)

3.1.2 Evaluation of Third Party Contracts

3.1.2.1 PURPOSE OF THIRD PARTY CONTRACTS EVALUATION


In today’s highly connected world, organizations typically share business information
with a number of third parties, either out of a business imperative or to comply with
regulatory requirements. The sharing could be as simple as an exchange of emails or
as ‘invasive’ as providing remote access to each other’s internal systems.

An organization would typically have no control over the security management at a third
party and therefore no control over the security of its own information held there. The best
an organization can do in most cases is to cover itself legally with the appropriate
clauses in contracts with third parties.

3.1.2.2 AIM / OBJECTIVE OF THIRD PARTY CONTRACTS EVALUATION


As part of an evaluation of information systems security, contracts with third parties must
be evaluated to see if the organization is adequately covered legally.

This is also a recommendation within ISO 17799.

3.1.2.3 THIRD PARTY CONTRACT EVALUATION GUIDELINES

The roles of third parties can be varied:
• Application support and maintenance for an organization's internal systems
• Business partner (e.g. distributor) with access to internal systems
• Facilities managed service, i.e. they host and manage the organization's "internal" system
• Business partner providing services to the organization's customers on behalf of the
organization

Contracts with third parties should have clauses similar to those mentioned in this
section. Not all clauses will be suitable in all cases, and additional clauses will be
required for the specific services provided.

Existing contracts typically provide good coverage of some of the items listed in ISO
17799, such as service level agreements and intellectual property rights. This section
highlights those items that existing contracts do not typically cover.

[start of contract clauses]


Security of <Company’s> and <Company’s> Customers’ Information Assets

By 'information assets' is meant, without limitation, paper documents, electronic data,
servers, desktop computers, laptops, PDAs, software, network elements and mobile
telephones.

The Supplier may be given access to <Company’s> and <Company’s> customers’
information assets to allow them to fulfill their obligations under this contract.

1) The Supplier shall take all reasonable steps to protect the confidentiality, availability
and integrity of <Company’s> and <Company’s> customers’ information assets,
including but not limited to:

a) Implementing appropriate security policies and practices, consistent with the most
current version of AS/ISO 17799.
b) Complying with the <Company> Acceptable Use Policy, the current version of which
is attached in Appendix XXX. The most up-to-date version of this policy is available on
the <Company> web site.
c) Complying with all applicable privacy and cybercrime legislation.
d) <Optional> Complying with all applicable financial/health/other industry standards.
e) <Optional> Compliance with the security policies and standards attached in Appendix
XXX.

2) Upon written request, the Supplier shall provide to <Company> a copy of their
information security policy, standards, operating procedures and related documentation.
<Optional> The Supplier authorises <Company> to forward this documentation to any
<Company> customer who is supported by the Supplier.

3) Where <Company> has responsibility for maintenance of user accounts: The
Supplier shall notify <Company> within 1 working day, if an employee, contractor or
agent of the Supplier, who has access to <Company’s> or <Company’s> customers’
information assets:
a) Leaves the employment or hire of the Supplier. If the termination happens under
unfriendly circumstances, the Supplier shall notify <Company> within 1 hour.

b) No longer requires access to <Company’s> or <Company’s> customers’ information
assets.

4) Where the Supplier has responsibility for maintenance of user accounts: The Supplier
shall change all relevant passwords within 1 working day, if an employee, contractor or
agent of the Supplier, who has access to <Company’s> or <Company’s> customers’
information assets:
a) Leaves the employment or hire of the Supplier. If the termination happens under
unfriendly circumstances, the Supplier shall change passwords within 1 hour.
b) No longer requires access to <Company’s> or <Company’s> customers’ information
assets.

5) Security Incidents.
A breach of security includes, but is not limited to, a loss or theft of information assets.
a) The Supplier shall notify <Company> immediately upon a confirmed, or suspected,
breach of security of <Company’s> or <Company’s> customers’ information assets. The
notification shall be to ALL of the following:
i) by telephone – <Insert the <Company> contact the Supplier uses for issue
escalation>
ii) by email - infosec@<company>.com.au
b) The Supplier shall provide all required assistance to <Company> in investigating a
breach of security.
OR
5) The Supplier shall adhere to the Information Security Incident Response Plan agreed
with <Company> and attached in Appendix XXX.

6) The Supplier shall ensure that all the Supplier’s information assets with access to
<Company’s> or <Company’s> customers’ information assets:
a) are free of viruses and other malicious software;
b) have an anti-virus tool installed, enabled and configured to use the latest signature
files provided by the anti-virus vendor.


7) The Supplier shall ensure that all employees, contractors or agents who require
access to <Company’s> or <Company’s> customers’ information assets sign a Non
Disclosure Agreement prior to being given access.

8) The Supplier shall ensure that all employees with access to <Company’s> or
<Company’s> customers’ information assets are provided training on the relevant
security policies and procedures prior to being given access and are provided refresher
training every year subsequently.

9) Upon written request, the Supplier shall allow <Company> to audit the Supplier's
facilities, networks, computer systems and procedures for compliance with the Supplier's
and other agreed Information Security policies and standards. <Company> may utilise a
third party to conduct the audit. Audits may include, but not be limited to, the use of
automated tools and penetration tests. <Company> shall request audits as and when
necessary, but no more than four times in any 12 month period. A minimum of 48 hours
notice shall be given prior to an audit.

10) <Optional> If the above clauses are breached:
a) <Company> reserves the right to terminate this contract, etc.
b) The Supplier shall be liable to pay penalties to <Company>, etc.

[end of contract clauses]

The following must be attached to the contract as required:
• <Company’s> Acceptable Use Policy;
• Security policy and standards documents;
• An Incident Response Plan

3.1.3 Sales and Marketing


Some of the guidelines during the sales life cycle are as follows:
o Consider the size, politics and type of industry of the organization
o Take into account the skills and knowledge of the organization’s personnel
o Consider the organization’s mission, goals and objectives for this project
o Consider the risks and complexity of the service required
o The sales person should understand the need for correct pricing, based on the
considerations above
o The sales person should understand the complete assessment cycle

3.1.4 Obtain Authorization and Make Sure the Right People Have Given It
Security assessment involves performing actions very similar, if not identical, to those
carried out by an attacker. Likewise, the security test may result in the compromise of
information systems, through which classified information may be accessed during the
test. Even where an agreement exists between the security assessor and the client, the
client may not accept, for instance, that classified information becomes revealed to the
security assessor.

For these reasons it is always necessary to obtain clear authorization from the customer
to perform the security assessment. Typically, approval from the customer should be
sought in such a manner that the customer assumes responsibility for the results and
side-effects (if any) of the security assessment.

It is also very important that the right person has given the permission. Obtain it from
the appropriate management / authority. It is recommended that every company’s IT
department has a process for such approvals.

Such approvals should be printed on company paper (letterhead) and signed by the
responsible person(s).

Reference: Security assessment agreement in appendix

3.1.5 Define the scope of work


As part of the contract or agreement between the security assessor and the client, the
scope of the work to be done must be clearly specified. Whenever possible, loose or
ambiguous definitions should be avoided. The security assessment work will be
performed with better accuracy and its results will be more reliable when the extent of
the work is bounded.


Scope of Work
• Define Evaluation Criteria: Evaluation criteria use metrics based on effort, e.g. N
different automated tests and M different manual tests are to be performed,
independently of whether those tests result in a compromise of the target or in
vulnerability findings. All test results will be submitted to the client.
• Define Objectives
• Define Scope areas
• Define “Out of Scope” areas

Both parties should define and agree on the scope of work. The scope of work should
clearly define what should be done and what should not, and should define timelines and
dependencies of the work for both parties. Areas which the scope of work should cover
include:
• Complete Organization
• Specific Location(s)
• Specific Branch(es)
• Specific division(s)/Sub-division(s)
• Nature of testing (intrusive / non-intrusive)
• Testing from external, internal or both
• In context with Web Presence(s)
o Domain Names (DNS)
o Server Names (Internal)
o IP Addressing
• In context with Infrastructure
o Remote Access like Dial-up, VPN, Frame Relay etc…
o ATM

3.1.6 Define the “Out of Scope” Areas


In addition to the scope of work definitions, there must be clearly defined limitations and
conditions for the assessor, which the assessor must not violate.

Some customers prefer testing to be done out of hours (at night) and on weekends, to
reduce the impact of any downtime. Out-of-hours testing is only advisable when it is
done in the presence of client staff, so that if downtime occurs the staff can contain it
and take the necessary action.


3.1.7 Sign Agreement


On the basis of the above points, sign a formal agreement. This written permission,
often called the rules of engagement, should comprise two agreements: 1. Security
Assessment Agreement and 2. Non-Disclosure Agreement

3.1.7.1 ASSESSMENT AGREEMENT


An assessment agreement should include:
• Scope of work
• Out of scope work
• IP addresses or ranges that need to be assessed
• Any specific IP addresses / subnets, hosts or domains that should be restricted
• Liability for any downtime
• Time of completion of the project and indication of any delay
• The contract price, any additional charges, applicable penalties
• Payment (advance and after the project)
• Date and time-wise schedule of the assessment, based on a time-and-materials or
fixed-bid contract
• A mechanism for handling testing that takes longer than estimated
• Source IP addresses of the machines from which the security assessment and tests
will be conducted
• A mechanism for dealing with false positives, so that test activity is not mistaken for a
real attack and reported to law enforcement unnecessarily
• Contact person(s) at the client and at your company (both phone and mobile phone
numbers as well as email addresses)
• General provisions
o For delay / non-payment
o For additional labor

Reference: Security assessment agreement in appendix
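The scope items of 3.1.5, the out-of-scope conditions of 3.1.6 and the IP address, source
address and schedule items of the assessment agreement above are only useful if they are
enforced before each test is launched. The following Python is an added example for this
section; it is not part of ISSAF and not code the framework supplies. All addresses, the
excluded subnet, the scanner address and the testing window are constructed values.
It encodes an engagement's agreed rules and refuses any target that is not unambiguously
covered: an address listed as out of scope wins over an overlapping in-scope range, an
address listed nowhere is refused rather than assumed in scope, and tests are refused from
a source address or at a time the client did not agree to.

```python
"""Rules-of-engagement gate for a security assessment.

Added example for this section; it is not part of ISSAF. All addresses,
dates and windows are constructed. The agreement items (in-scope ranges,
excluded hosts, permitted source addresses, agreed testing window) become
a check that runs before any test is launched.
"""
import ipaddress
from datetime import datetime, time


class Engagement:
    """Scope and timing rules agreed with the client."""

    def __init__(self, in_scope, out_of_scope, sources, windows):
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in in_scope]
        self.out_of_scope = [ipaddress.ip_network(n, strict=False) for n in out_of_scope]
        self.sources = {ipaddress.ip_address(a) for a in sources}
        # Each window: (set of weekdays, start, end). start > end means the
        # window crosses midnight, e.g. an off-hours slot of 22:00-06:00.
        self.windows = windows

    def target_status(self, target):
        """'excluded' beats 'in_scope'; anything not listed is 'unlisted'."""
        addr = ipaddress.ip_address(target)
        if any(addr in net for net in self.out_of_scope):
            return "excluded"
        if any(addr in net for net in self.in_scope):
            return "in_scope"
        return "unlisted"

    def in_window(self, when):
        """True if `when` falls inside an agreed testing window."""
        day, t = when.weekday(), when.time()
        for days, start, end in self.windows:
            if start <= end:
                if day in days and start <= t <= end:
                    return True
            else:
                # Evening half belongs to the listed day, morning half to the
                # day that follows it.
                if day in days and t >= start:
                    return True
                if (day - 1) % 7 in days and t <= end:
                    return True
        return False

    def check(self, target, source, when):
        """Return (allowed, reasons). Every rule must pass; reasons explain a refusal."""
        reasons = []
        status = self.target_status(target)
        if status != "in_scope":
            reasons.append(f"target {target} is {status}")
        if ipaddress.ip_address(source) not in self.sources:
            reasons.append(f"source {source} is not an agreed assessment address")
        if not self.in_window(when):
            reasons.append(f"{when:%Y-%m-%d %H:%M} is outside the agreed testing window")
        return (not reasons, reasons)

    def plan(self, targets, source, when):
        """Split a candidate target list into runnable targets and refusals."""
        runnable, refused = [], {}
        for tgt in targets:
            ok, why = self.check(tgt, source, when)
            if ok:
                runnable.append(tgt)
            else:
                refused[tgt] = why
        return runnable, refused


# Constructed engagement: one /24 and one host in scope, a production pair
# inside the /24 excluded, one agreed scanner address, weeknight testing only
# (Mon-Fri evenings, 22:00-06:00).
WEEKNIGHTS = ({0, 1, 2, 3, 4}, time(22, 0), time(6, 0))
ENGAGEMENT = Engagement(
    in_scope=["203.0.113.0/24", "198.51.100.10"],
    out_of_scope=["203.0.113.250/31"],
    sources=["192.0.2.7"],
    windows=[WEEKNIGHTS],
)

if __name__ == "__main__":
    when = datetime(2004, 12, 27, 23, 30)  # a Monday evening
    targets = ["203.0.113.10", "203.0.113.251", "198.51.100.5"]
    runnable, refused = ENGAGEMENT.plan(targets, "192.0.2.7", when)
    print("run:", runnable)
    for tgt, why in refused.items():
        print("refuse:", tgt, "->", "; ".join(why))
```

The refusal reasons are worth keeping in the engagement log: a target the assessor
expected to test but that is "unlisted" is a sign that the scope of work and the IP
ranges in the agreement do not match, which should be resolved with the client before
testing rather than by widening the scope unilaterally.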


3.1.7.2 NON DISCLOSURE AGREEMENT


A Non-Disclosure Agreement should include the following:
• Purpose
• Definition
• Non-Disclosure of Confidential Information
• Mandatory Disclosure
• Return of Materials
• No License Granted
• Term
• Miscellaneous
• Governing Law and Jurisdiction
• Remedies

Reference: Non Disclosure agreement in appendix

3.1.8 Team Composition

Considering efficiency and accountability, compose a team of domain experts as required
by the scope of work. A security assessment is achieved much better with specialized
team members than with one person doing everything. Different team members bring
different sets of skills together. One team member may have the skills to break into
systems but may not know how to assess firewalls or IDS. Quite often, people who are
good at breaking into systems are not good at putting test results into an appropriate
report format and also do not like taking notes of their work.

3.1.9 Commercials
Based on the type of engagement, scope, skill set requirements and complexity of the
system, the commercials can be worked out. The type of calculation may vary for time
and material/Fixed bid model.

3.1.10 Maintain confidentiality of customer data - before start of Project


In preparation for the security assessment job, the assessor may require information
from the client in order to carry out the tests, such as network infrastructure diagrams, IP
addresses, location of customer premises, contact information for people in the
organization, existence and location of network access points, vendor of network and IT
systems, among other types of information.

This information may be confidential, and it is the security assessor's duty to ensure that
any such information handled throughout the project will be treated according to its
classification within the customer organization.

3.1.11 Access Point Identification


It is of paramount importance that the access points chosen for conducting a security
assessment represent all the possible threats, threat agents and business risks. The
choice of access points, together with a good cross-section of devices, is imperative for
a correct determination of the threat to the facility and its information systems. Based on
the low-level network architecture design, and with the help of the customer’s technical
representatives, choose access points that represent the various threat agents, such as
“internet”, “operators/customers” and “internal”. For each threat agent, test the network
layer by layer as per the methodology. The generalized division of the network into
layers is as follows:

The above segments/components are tested from the viewpoint of threat agents such as
“the internet”, “administrator” and “customer”.

Here we take a very common network architecture design and, based on it, identify the
access points for testing.

3.1.11.1 LAYERED NETWORK ARCHITECTURE DESIGN


[Figure: layered network architecture design showing the Internet, a WAN block, switch
blocks, a server block and a management block, with IDS sensors placed at each
boundary]

visit this far-famed court. Grallon received them with courtesy, and Dahut
with something more. If they were good-looking, she bestowed on them a
magic mask, by means of which they were enabled to keep private
appointments with her in a tower standing near the floodgates.

There they might remain talking with her until the hour when the sea-
swallows, beginning their flight, passed before the tower-windows; when
Dahut hastily bade them farewell, and, in order that they might go out, as
they came, unseen, she once more brought forth her magic mask; but, alas,
this time it closed upon them of its own accord with a strangling embrace.
Then a black man took up the dead body, threw it across his horse like a
sack of wheat, and went to fling it down the precipice between Huelgoat
and Poulaouën. This is indeed only too true; for even to this day can be
heard from the depths of the ravine the melancholy wailing of these
wretched souls at evening hour. May all good Christians bear them in
remembrance at their prayers!3

Corentin, who heard of all the goings-on at Keris, had many a time warned
Grallon that the forbearance of God was drawing to a close;4 but the king
had lost all his power, and dwelt quite solitary in one wing of his palace,
like a grandfather who has made over all his property to his heirs; and as for
Dahut, she cared nothing for the threats or warnings of the saint.

Well, one evening, when she was keeping festival as usual, she was
informed that a powerful prince from the very ends of the earth had arrived
to see her, and he was instantly announced.

He was a man of vast stature, clad from head to foot in scarlet, and so
bearded that even his two eyes, glittering as stars, could scarcely be seen.
He began by paying compliments in rhyme to the princess—no poet or
minstrel could have conceived the like; and then he went on talking with
such brilliant wit, that the entire assembly were struck dumb with
astonishment. But what moved the friends of Dahut with the greatest
wonder was to find how far more skilful than themselves this stranger was
in sin. He was familiar, not only with all that human malice has invented
since the creation of the world, in every region where mankind has dwelt,
but with all that it ever shall invent until the moment when the dead shall
rise again from their cold graves to stand before the judgment-seat of God.
Ahèz and her court perceived that they had found their master, and one and
all resolved to put themselves under the teaching of the bearded prince.

By way of beginning, he proposed to them a new dance, danced in hell by
the Seven Deadly Sins. So he called in for the purpose a musician he had
brought with him. This was a little dwarf, clad in goat-skin, and carrying a
sort of bagpipe under his arm.

Scarcely had he begun to play before Dahut and her courtiers were seized
with a sort of frenzy, and began to whirl about like the waves of the sea in a
furious storm. The stranger instantly took advantage of the confusion to
snatch the silver keys of the floodgates from the princess’s neck, and to
vanish from the saloon.

Meanwhile Grallon sat all solitary in the great gloomy hall of his own
lonely palace. He was near the hearth; but the fire was almost out. His heart
grew every moment more and more heavy with sad thoughts, when all at
once the great folding-doors flew open, and St. Corentin appeared upon the
threshold, with a halo of glory round his brow, his pastoral staff in his hand,
and a cloud of incense floating all about him.

“Rise, great king,” said he to Grallon; “take whatever precious things may
still be left you, and flee away; for God has given over to the power of the
demon this accursed city.”

Grallon, terrified, started up; and calling to some faithful old servants, took
what treasure he possessed; and mounting his black horse, followed after
the saint, who shot like an arrow through the air.

As they passed before the dikes, they heard a wild roar of waters, and
beheld the bearded stranger, now restored to his own demoniac form,
opening the floodgates with the silver keys he had taken from the Princess
Dahut. The sea already streamed like a torrent on towards the devoted city;
and the white waves, rearing their foamy crests above the lofty roofs,
seemed rushing to its overthrow. The dragons chained within the harbour
roared with terror, for even the beasts could feel their end at hand.

Grallon would fain have uttered a cry of warning, but St. Corentin once
more entreated him to fly, and he plunged onwards at full gallop towards
the shore; on, on through streets and squares and high roads, ever followed
by the raging ocean, with the horse’s hind hoofs always in the surge. So
passed he by the palace of Dahut herself, who darted down the marble
steps, her wild locks floating on the breeze, and sprang behind her father on
the saddle. The horse stood still suddenly, staggered, and already the water
mounted to the old king’s knees.

“Help, help, St. Corentin!” he cried in terror.

“Shake off the iniquity you carry at your back,” replied the saint, “and, by
the help of God, you shall be saved.”

But Grallon, who was, after all, a father, hesitated what to do. Then St.
Corentin touched the princess on the shoulders with his pastoral staff, and
she sank downwards to the sea, disappearing in the depths of the gulf,
called after her the Gulf of Ahèz.

The horse, thus lightened of his load, made a spring forwards, and so gained
Garrec Rock, where to this very day may be seen the print-marks of his iron
shoes.5

The first act of the king was to fall upon his knees, and pour forth thanks to
God; then turning towards Keris,6 he tried to judge how great was the
danger from which he had been so miraculously rescued, but in vain he
sought the ancient Queen of Ocean.

There, where had stood but a few moments before a harbour, palaces,
treasures of wealth, and thousands of people, was to be seen nothing now
but a smooth bay, on whose unruffled surface the stars of heaven looked
calmly down; but beyond, in the horizon, just over the last ruins of the
submerged dikes, there appeared the great red man, holding up with a
triumphant air the silver keys.

Many are the forests of oak that have sprung up and withered since this
awful warning; but through every generation fathers have told it to their
children until this day. Up to the time of the great Revolution, the clergy of
the different river-side parishes were wont to embark every year in fisher-
boats, and go to say Mass over the drowned city. Since that time this
custom has been lost, with many another one; but when the sea is calm, the
remains of the great town may clearly be seen at the bottom of the bay, and
the neighbouring downs are full of relics which bear witness to its wealth.

1 Good or bad, these etymologies of Ahèz and Par-is are accepted by the Bretons. The
last word is even treasured in a proverb,
“Since the town of Is was drowned,
The like of Paris is not found.”
2 See the Korigans of Plauden, p. 31.
3 This legend still finds credence. The spot is shown, not far from Carhaix, whence
Grallon’s daughter caused her lovers’ bodies to be thrown; and some antiquaries are also of
opinion that Dahut often visited this town, which has received from her its name of Ker-
Ahèz (town of Ahèz); at any rate, the old paved road which leads from the Bay of
Douarnénèz to Carhaix proves beyond a doubt that there was frequent intercourse between
Keris and this city.
4 All that follows is more properly ascribed to St. Corentin’s disciple Gwenolé.
5 The peasantry still show the marks.
6 There appears to exist incontestable evidence of a city named Is lying buried beneath
the Bay of Douarnénèz; and the relics which have been discovered from time to time prove
beyond all doubt that art had been brought to very high perfection in those early times. It
was supposed to date about the fourth century.
The Stones of Plouhinec.

Plouhinec is a poor little market-town beyond Hennebon, towards the sea.

Bare commons or little fir-woods stretch all round it, and enough grass to fit
an ox for the butcher’s knife, or so much bran as would fatten one
descendant of the Rohans,1 has never yet been yielded by the entire parish.

But if the people of those parts have reason to complain for want of corn
and cattle, they abound in flints to that degree that they could furnish
materials for the rebuilding of Lorient; and out beyond the town there lies a
great wide common, whereon are set by Korigans two rows of tall stones
that might be taken for an avenue, did they but lead to any thing.

Near this place, hard by the banks of the River Intel, there lived in former
days a man named Marzinne. He was wealthy for those parts, that is to say,
he could salt down a little pig once a year, eat as much black bread as he
cared for, and buy himself a pair of wooden shoes when Laurel Sunday
came round.2

And he was looked upon as proud by his neighbours, and had taken upon
him to refuse the hand of his sister Rozenn to many a young fellow who
laboured for his daily bread.

Amongst others to Bernèz, a diligent labourer and a worthy Christian; but
one whose only treasure, coming into life, had been that of a good will.
Bernèz had known Rozenn as a little girl, when he first came to work in the
parish from Ponscorff-Bidré; and by degrees, as Rozenn grew up, the
attachment of Bernèz had grown stronger and stronger.

It may be easily believed that Marzinne’s refusal was a terrible heartsore for
him; nevertheless he kept up his courage, for Rozenn always received him
kindly.

Well, Christmas-eve came round; and as a raging storm kept every one at
the farm from going to the midnight Mass, they all sat round the fire
together, with many young men from the neighbourhood, and amongst them
Bernèz. The master of the house, willing to show off, had caused a supper
of black-puddings, and hasty puddings made with wheat flour and honey, to
be prepared; so that they all sat gazing towards the hearth, except Bernèz,
whose eyes were fixed upon Rozenn.

But just as all the benches were drawn round the table, and every wooden
saucer ready to be dipped into the steaming bowl, an old man suddenly
pushed open the door, and wished the assembled company a good appetite.
He was a beggar from Pluvigner, one who never set his foot on the church-
floor, and of whom all good folks stood in dread. It was said that he
bewitched cattle, turned standing corn black, and sold to wrestlers magic
herbs. He was even suspected of becoming a goblin3 at his pleasure.

However, wearing as he did the garb of a mendicant, he was welcomed by
the farmer to the fireside; a three-legged stool was placed at his disposal,
and he received a portion with the guests.

When the beggar had done eating and drinking, he asked for a night’s
lodging, and Bernèz showed him his way into the stable, where a bald old
ass and sorry ox were already established. The beggar stretched himself
down between the two to share their warmth, and rested his head upon a
pillow of turf.

But just as he was dropping off to sleep the clock struck twelve. Then the
old ass shook his long ears, and turned towards the ox.

“Well, my cousin,” said he, in friendly tones, “and how has it gone with you
since last Christmas, when we talked together?”

Instead of answering, the horned beast looked sideways at the beggar, and
muttered,

“It was hardly worth while for the Almighty to vouchsafe us speech
together on a Christmas-eve, and thus to acknowledge the assistance
rendered by the presence of our ancestors at the birth of the Saviour, if we
are compelled to put up with this fellow as our auditor.”

“You are very proud, my friend,” answered the ass gaily. “It is I rather who
have reason to complain, I, whose noble ancestor once carried the Saviour
to Jerusalem, proved by the cross imprinted ever since upon the shoulders
of our family. But I can be well satisfied with whatever Providence has seen
fit to grant me. Besides which, you see well enough that the sorcerer is
asleep.”

“All his witchcrafts have been powerless to enrich him,” said the ox; “and
he has thrown his soul away for little enough. The devil has not even hinted
to him of the lucky chance he might have hereabouts in the course of a few
days.”

“What lucky chance?” asked the ass.

“How!” cried the ox; “don’t you know, then, that each hundred years the
stones on Plouhinec Common go down to drink at the river Intel, and that
whilst away the treasures they conceal are left exposed?”

“Ah, I remember now,” interrupted the ass, “but then the stones return so
quickly to their places, that it is impossible to avoid being crushed to pieces
by them if you have not as your safeguard a twig of cross-wort surrounded
by the five-leaved clover.”

“And besides,” continued the ox, “the treasures you may carry off all fade
to dust unless you offer in return a baptised soul. A Christian must suffer
death before the devil will permit you to enjoy in peace the wealth of
Plouhinec.”

The beggar was not asleep, but had listened breathless to this conversation.

“Ah, my good friends,” thought he to himself, “you have made me richer
than the wealthiest in all Vannes or Lorient. Be easy; the sorcerer of
Pluvigner shall not lose Paradise for nothing.”

He slept at last; and rising at the break of day, he wandered through the
country seeking for the cross-wort and the five-leaved clover.

He was forced to look long and wander far, where skies are milder and
plants always green, before he was successful. But on the eve of New-
Year’s Day he came again to Plouhinec, with the countenance of a weasel
that has just found out the entrance to a dovecote.

In crossing the common, he came upon Bernèz busy striking with a pointed
hammer on the tallest of the stones.

“Heaven preserve me!” cried the sorcerer, laughing, “are you anxious to dig
yourself a dwelling in this rocky mass?”

“No,” answered Bernèz quietly; “but as I am just now out of work, I
thought that perhaps if I carved a cross upon one of these accursed stones, I
should perform an act agreeable in the sight of God, and one that may stand
me in good stead some other day.”

“Then you have something to ask of Him?” said the old man.

“All Christians need to beg from Him salvation for their souls,” replied the
youth.

“And have you nothing too to say to Him about Rozenn?” pursued the
beggar, in a lower voice.

Bernèz looked full at him.

“Ah, you know that?” said he. “Well, after all, there is no shame or sin in it.
If I seek for the maiden, it is that I may lead her to the presence of the
priest. Unhappily Marzinne is waiting for a brother-in-law who can count
more reals than I have silver coins.”

“And if I could put you in the way of having more louis-d’or than Marzinne
has reals?” said the sorcerer in an under-tone.

“You!” cried Bernèz.

“I!”

“And how much do you ask for this?”

“Only to be remembered in your prayers.”

“Then there will be nothing that can compromise my soul?”

“Only courage is required.”

“Tell me, then, what must be done,” cried Bernèz, letting fall his hammer.
“If needs be, I am ready to encounter any difficulty.”

The beggar, seeing him thus disposed, related how that on that very night
the treasures of the common would be all exposed; but he said nothing at
the same time of the way by which the stones were to be avoided as they
came trooping back. The young fellow thought nothing was wanting but
boldness and a swift step; so he said,

“As sure as I am a living man I will profit by this opportunity, old man; and
I shall always be at your service for the notice you have given me of this
great chance. Only let me finish the cross I have begun engraving on this
stone; when the time comes, I will join you near the little pine-wood.”

Bernèz kept his word, and arrived at the appointed place an hour before
midnight. He found the beggar carrying a wallet in each hand, and one
suspended round his neck.

“Come,” said he to the young man, “sit down there, and think of all that you
will do when you have silver, gold, and jewels to your heart’s content.”

The young man sat down on the ground and answered, “If I have silver to
my heart’s content, I will give my gentle Rozennik4 all that she wishes for,
and all that she can wish for, from linen to silk, from bread to oranges.”

“And if you have gold?” added the sorcerer.

“If I have gold at will,” replied the youth, “I will make wealthy all my
Rozennik’s relations, and all the friends of her relations, to the utmost limits
of the parish.”

“And if at last you should have jewels in plenty?” continued the old man.

“Then,” cried out Bernèz, “I would make all the people in the world happy,
and I would tell them it was my Rozennik’s desire.”

Whilst talking thus, the hour slipped away, and midnight came.

At the same instant a great sound arose upon the heath, and by the light of
the stars all the huge stones might be seen leaving their places, and hurrying
towards the river Intel. They rushed down the slope, grazing the earth as
they went, and jostling each other like a troop of drunken giants. So they
swept pell-mell past the two men, and were lost in darkness.

Then the beggar flew towards the common, followed by Bernèz; and there,
in the very spots where just before huge stones had reared themselves, they
now saw large holes piled to the brim with gold, with silver, and with
precious stones.

Bernèz uttered a cry of admiration, and made the sign of the cross; but the
sorcerer made haste to cram all his wallets, turning meanwhile an attentive
ear towards the river’s bank.

He had just finished lading the third bag, whilst the young man stuffed the
pockets of his linen vest, when a dull sound like that of an approaching
storm was audible in the distance.

The stones had finished drinking, and were coming back once more.

They rushed, stooping forwards like runners in a race, and bore down all
before them.

When the youth perceived them, he started upright, and exclaimed,

“Ah, Blessed Virgin, we are lost!”

“I am not,” said the sorcerer, taking in his hand the cross-wort and the five-
leaved clover, “for I have that here which will secure my safety; but a
Christian must be sacrificed to make good all these treasures, and the bad
angel put thee in my way. So give up Rozenn, and prepare to die.”

While yet he spoke the stony army was at hand; but holding forth his magic
nosegay, they turned aside to right and left to fall upon Bernèz. He, feeling
sure that all was over for him, sank down upon his knees and closed his
eyes; when the great stone that led the troop stopped all at once, and barring
the way, set itself before him as a protecting rampart.

Bernèz, astonished, raised his head, and recognised the stone on which his
hand had traced a cross. Being thenceforward a baptised stone, it could
have no power to harm a Christian.

Remaining motionless before the young man until all its fellows had
regained their places, it then rushed forwards like a sea-bird to retake its
own, and met upon its way the beggar hampered with his three ponderous
bags of gold.

Seeing it advance, he would have defied it with his magic plants; but the
stone, become Christian, was no longer subject to the witchery of the
demon, and hurrying onwards, crushed the sorcerer like an insect.

Bernèz had not only all his own collection, but the three full wallets of the
mendicant, and became thus rich enough to wed his Rozenn, to bring up a
numerous family, and to succour his relations, as well as the poor of the
whole country around, to the end of his long life.

1 The pigs in Brittany are called, no one knows why, mab-rohan, sons of Rohan.
2 Easter Sunday. So called because blessed laurel is distributed at church upon this day.
3 Gobelinn. None other than the loup-garou, or were-wolf.
4 ‘Rozennik’ is the diminutive of Rozenn; so ‘Guilcherik,’ “Korils of Plauden,” p. 43.
Teuz-a-pouliet;1 or, the Dwarf.

The vale of Pinard is a pleasant slope which lies behind the city of Morlaix.
There are plenty of gardens, houses, shops, and bakers to be found there,
besides many farms that boast their ample cowsheds and full barns.

Now, in olden times, when there was neither conscription nor general
taxation, there dwelt in the largest of these farms an honest man, called
Jalm Riou, who had a comely daughter, Barbaik. Not only was she fair and
well-fashioned, but she was the best dancer, and also the best drest, in all
those parts. When she set off on Sunday to hear Mass at St. Mathieu’s
church, she used to wear an embroidered coif, a gay neckerchief, five
petticoats one over the other,2 and silver buckles in her shoes; so that the
very butchers’ wives were jealous, and tossing their heads as she went by,
they asked her whether she had been selling the devil her black hen.3 But
Barbaik troubled herself not at all for all they said, so long as she continued
to be the best-dressed damsel, and the most attractive at the fair of the
patron saint.

Barbaik had many suitors, and among them was one who really loved her
more than all the rest; and this was the lad who worked upon her father’s
farm, a good labourer and a worthy Christian, but rough and ungainly in
appearance. So Barbaik would have nothing to say to him, in spite of his
good qualities, and always declared, when speaking of him, that he was a
colt of Pontrieux.4

Jégu, who loved her with all his heart, was deeply wounded, and fretted
sorely at being so ill-used by the only creature that could give him either
joy or trouble.

One morning, when bringing home the horses from the field, he stopped to
let them drink at the pond; and as he stood holding the smallest one, with
his head sunk upon his breast, and uttering every now and then the heaviest
sighs, for he was thinking of Barbaik, he heard suddenly a voice proceeding
from the reeds, which said to him,

“Why are you so miserable, Jégu? things are not yet quite so desperate.”

The farmer’s boy raised his head astonished, and asked who was there.

“It is I, the Teuz-à-pouliet,” said the same voice.

“I do not see you,” replied Jégu.

“Look closely, and you will see me in the midst of the reeds, under the form
of a beautiful green frog. I take successively whatever form I like, unless I
prefer making myself invisible.”

“But can you not show yourself under the usual appearance of your kind?”

“No doubt, if that will please you.”

With these words the frog leaped on one of the horses’ backs, and changed
himself suddenly into a little dwarf, with bright green dress and smart
polished gaiters, like a leather-merchant of Landivisiau.

Jégu, a little scared, drew back a step or two; but the Teuz told him not to be
afraid, for that, far from wishing him harm, he was ready to do him good.

“And what makes you take this interest in me?” inquired the peasant, with a
suspicious air.

“A service which you rendered to me the last winter,” said the Teuz-à-
pouliet. “You doubtless are aware that the Korigans of the White-Wheat
country and of Cornouaille declared war against our race, because they say
we are too favourably disposed to man.5 We were obliged to flee into the
bishopric of Léon, where at first we concealed ourselves under divers
animal forms. Since then, from habit or fancy, we have continued to assume
them, and I became acquainted with you through one of these
transformations.”

“And how was that?”

“Do you remember, three months ago, whilst working in the alder-park,
finding a robin caught in a snare?”

“Yes,” interrupted Jégu; “and I remember also that I let it fly, saying, ‘As
for thee, thou dost not eat the bread of Christians: take thy flight, thou bird
of the good God.’”

“Ah, well, that robin was myself. Ever since then I vowed to be your
faithful friend, and I will prove it too by causing you to marry Barbaik,
since you love her so well.”

“Ah, Teuz-à-pouliet, could you but succeed in that,” cried Jégu, “there is
nothing in this world, except my soul, that I would not bestow upon you.”

“Let me alone,” replied the dwarf; “yet a few months from this time, and I
will see you are the master of that farm and of the maiden too.”

“And how can you undertake that?” asked the youth.

“You shall know all in time; all you have to do just now is to smoke your
pipe, eat, drink, and take no trouble about any thing.”

Jégu declared that nothing could be easier than that, and he would conform
exactly to the Teuz’s orders; then, thanking him, and taking off his hat as he
would have done to the curé or the magistrate, he went homewards to the
farm.

The following day happened to be Sunday. Barbaik rose earlier than usual,
and went to the stables, which were under her sole charge; but to her great
surprise she found them already freshly littered, the racks garnished, the
cows milked, and the cream churned. Now, as she recollected having said
before Jégu, on the preceding night, that she wanted to be ready in good
time to go to the feast of St. Nicholas, she very naturally concluded that it
was he who had done all this for her, and she told him she was much
obliged. Jégu, however, replied in a peevish tone, that he did not know what
she meant; but this only confirmed Barbaik in her belief.

The same good service was rendered to her now every day. Never had the
stable been so cleanly, nor the cows so fat. Barbaik found her earthen pans
full of milk at morning and at evening, and a pound of fresh-churned butter
decked with blackberry-leaves. So in a few weeks’ time she got into the
habit of never rising till broad daylight, to prepare breakfast and set about
her household duties.

But even this labour was soon spared her; for one morning, on getting out
of bed, she found the house already swept, the furniture polished, the soup
on the fire, and the bread cut into the bowls; so that she had nothing to do
but go to the courtyard, and call the labourers from the fields. She still
thought it was an attention shown to her by Jégu, and she could not help
considering what a very convenient husband he would be for a woman who
liked to have her time to herself.

And it was a fact that Barbaik never uttered a wish before him that was not
immediately fulfilled. If the wind was cold, or if the sun shone hot, and she
was afraid of injuring her complexion by going to the spring, she had only
to say low, “I should like to see my buckets filled, and my tub full of
washed linen.” Then she would go and gossip with a neighbour, and on her
return she would find tub and buckets just as she had desired them to be,
standing on the stone. If she found the rye-dough too hard to bake, or the
oven too long in heating, she had only to say, “I should like to see my six
fifteen-pound loaves all ranged upon the board above the kneading-trough,”
and two hours later the six loaves were there. If she found the market too
far off, and the road too bad, she had only to say over-night, “Why am I not
already come back from Morlaix, with my milk-can empty, my tub of butter
sold out, a pound of black cherries in my wooden platter, and six reals6 at
the bottom of my apron-pocket?” and the next morning, when she rose, she
would discover at the foot of her bed the empty milk-can and butter-tub, the
pound of cherries in her wooden plate, and six reals in her apron-pocket.

But the good offices that were rendered to her did not stop here. Did she
wish to make an appointment with another damsel at some fair, to buy a
ribbon in the town, or to find out the hour at which the procession at the
church was to begin, Jégu was always at hand; all she had to do was to
mention her wish before him, and the thing was done.

When things were thus advanced, the Teuz advised the youth to ask Barbaik
now in marriage; and this time she listened to all he had to say. She thought
Jégu very plain and unmannerly; but yet, as a husband, he was just what she
wanted. Jégu would wake for her, work for her, save for her. Jégu would be
the shaft-horse, forced to draw the whole weight of the wagon; and she, the
farmer’s wife, seated on a heap of clover, and driving him with the whip.

After having well considered all this, she answered the young man, as a
well-conducted damsel should, that she would refer the matter to her father.

But she knew beforehand that Jalm Riou would consent; for he had often
said that only Jégu would be fit to manage the farm when he should be no
more.

So the marriage took place the very next month; and it seemed as if the
aged father had but waited until then to go and take his rest in Paradise; for
a very few days after the marriage he died, leaving the house and land to the
young folks.

It was a great responsibility for Jégu; but the Teuz came to his assistance.
He became the ploughboy at the farm, and did more work alone than four
hired labourers. He it was who kept the tools and harness in good order,
who repaired omissions, who pointed out the proper time for sowing or for
mowing. If by chance Jégu had occasion to expedite some work, the Teuz
would go and tell his friends, and all the dwarfs would come with hoe, fork,
or reaping-hook upon their shoulders; if teams were wanted, he would send
the farmer to a town inhabited by some of his tribe, who would be out upon
the common; and Jégu had only to say, “Little men, my good friends, lend
me a pair of oxen, or a couple of horses, with all that is needed for their
work,” and the team would appear that very instant.

Now all the Teuz-à-pouliet asked in payment of these services was a child’s
portion of broth, served up in a milk-measure, every day. So Jégu loved him
like his own son. Barbaik, on the contrary, hated him, and not without
reason; for the very next day after marriage she saw with astonishment she
was no longer assisted as before; and as she was making her complaint to
Jégu, who seemed as if he did not understand her, the dwarf, bursting out in
laughter, confessed that he had been the author of all these good offices, in
order that the damsel might consent to marry Jégu; but that now he had
other things to do, and she must once more undertake the household
management.

Deceived thus in her expectations, the daughter of Jalm Riou treasured in
her heart a furious rage against the dwarf. Every morning, when she had to
rise before the break of day and milk the cows or go to market, and every
evening, when she had to sit up till near midnight churning cream, she
cursed the Teuz who had encouraged her to look forward to a life of ease
and pleasure.

However, one day, being invited to a wedding at Plouezorc’h, and not being
able to take the farm-mare, as it was near foaling, she asked the Teuz-à-
pouliet for a steed; and he sent her to the dwarf village, telling her to
explain exactly what she wanted.

So Barbaik went; and thinking she was doing for the best, she said,

“Teuz, my friends, lend me a black horse, with eyes, mouth, ears, saddle,
and bridle.”

The horse that she had asked for instantly appeared, and she set out on him
towards Plouezorc’h.

But soon she saw that every one was laughing as she went along.

“See, see!” they cried, “the farmer’s wife has sold her horse’s tail.”

Barbaik turned quickly round, and saw indeed that her horse had no tail.
She had forgotten to ask for one; and the malicious dwarf had served her to
the letter.

Disconcerted, she would have hastened on, but the horse refused to mend
his pace; and so she was compelled to endure the jests of passers-by.

The young wife came home at night more furious than ever against the
Teuz-à-pouliet, accusing him of having played her this ill turn on purpose,
and fully resolved to be revenged upon him at the earliest opportunity.

Well, spring drew near, and as this was the time the dwarfs held festival, the
Teuz asked leave of Jégu to extend an invitation to all his friends to come
and spend the night on the barn-floor, where he might give them a supper
and a dance. Jégu was far too much indebted to the dwarf to think of saying
no; and ordered Barbaik to spread over the barn-floor her finest fringed
table-cloths, and to serve up a batch of little butter-cakes, all the morning
and the evening milk, and as many wheaten pancakes as could be turned out
in a good day’s work.

Barbaik made no reply, to her husband’s great surprise.

She made the pancakes, prepared the milk, cooked the buttered cakes, and
at evening-tide she took them all out to the barn; but at the same time she
spread down, all round about the extended table-cloths, just where the
dwarfs were going to place themselves, the ashes she had drawn smoking
from the oven; so that when the Teuz-à-pouliet and his guests came in to
seat themselves, they were every one severely burned, and fled away,
uttering loud cries. They soon came back, however, carrying jugs of water,
and so put out the fire; and then danced round the farm, all singing in an
angry tone,

“Barbe Riou, with dire deceit,
Has roasted our poor little feet:
Adieu! far hence away we go;
On this house be grief and woe!”

And, in fact, they left the country that very morning. Jégu, having lost their
help, soon fell into distress and died; whilst the beautiful Barbaik became a