What is Penetration Testing?
A Penetration test or pentest is an ethically-driven attempt to test and analyse the security defences to protect assets and pieces of information. A penetration test involves using the same tools, techniques, and methodologies that someone with malicious intent would use and is similar to an audit.
Penetration Testing Ethics
Recall that a penetration test is an authorised audit of a computer system’s security and defences as agreed by the owners of the systems. Before a penetration test starts, a formal discussion occurs between the penetration tester and the system owner. Various tools, techniques, and systems to be tested are agreed on. This discussion forms the scope of the penetration testing agreement.
Penetration testers will often be faced with potentially morally questionable decisions during a penetration test.
The ROE (Rules of Engagement) is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections:
- Permission: explicit permission for the engagement to be carried out.
- Test Scope: specific targets to which the engagement should apply. For example, the penetration test may only apply to certain servers or applications but not the entire network.
- Rules: the techniques that are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are okay.
Example of ROE: 250.pdf (egnyte.com)
Penetration Testing Methodologies
The steps a penetration tester takes during an engagement is known as the methodology.
All of industry-standard methodologies have a general theme of the following stages:
- Information gathering: collecting as much publically accessible information about a target/organisation as possible, for example, OSINT and research.
- Enumeration/scanning: discovering applications and services running on the systems.
- Exploitation: leveraging vulnerabilities discovered on a system or application.
- Privilege escalation: expand access to a system. We can escalate horizontally and vertically.
- Post-exploitation: this stage involves a few substages:
- What other hosts can be targeted?
- What additional information can we gather from the host now that we are a privileged user?
- Covering your tracks.
- Reporting.
OSSTMM
The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.
It includes a methodology for:
- Telecommunications (phones, VoIP, etc.)
- Wired Networks
- Wireless communications
OWASP
The Open Web Application Security Project framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.
The foundation regularly writes reports stating the top ten security vulnerabilities a web application may have, the testing approach, and remediation.
NIST Cybersecurity Framework 1.1
The NIST Cybersecurity Framework is a popular framework used to improve an organizations’ cybersecurity standards and manage the risk of cyber threats.
The framework provides guidelines on security controls & benchmarks for success for organisations from critical infrastructure (power plants, etc.) all through to commercial.
NCSC CAF
The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organization’s defences against these.
The framework mainly focuses on and assesses the following topics:
- Data security
- System security
- Identity and access control
- Resiliency
- Monitoring
- Response and recovery planning