A penetration test, commonly called a pentest, is an authorised, simulated cyberattack on a computer system designed to assess its security. This testing method evaluates the system's defences by attempting to bypass its security controls, using the same tools and techniques that a potential attacker would employ.
Purpose and Scope
This document is an all-inclusive guide for planning, executing, and analysing security tests and assessments. It is specifically designed to assist organisations in the following areas:
Assessing the effectiveness of their security controls.
Identifying vulnerabilities and potential risks.
Ensuring adherence to security compliance requirements.
Types of Security Assessments
Security testing is categorised into three primary types:
- Vulnerability Scanning: Automated processes that detect known vulnerabilities within systems.
- Penetration Testing: Simulated attacks to identify and exploit vulnerabilities, assessing the system’s defences and response strategies.
- Security Testing and Evaluation (ST&E): A thorough examination that includes both automated and manual testing to assess the effectiveness of security measures implemented within a system.
Phases of Security Testing
Planning: Establishing the test’s scope, objectives, and methodology. This phase includes identifying the systems to be tested, selecting the appropriate tools, and defining the rules of engagement.
Discovery: Gathering intelligence on the target system through techniques like passive reconnaissance, network mapping, and vulnerability identification.
Attack (Penetration): Simulating attacks to exploit discovered vulnerabilities and evaluate the system’s defence mechanisms. This stage aims to determine how far an attacker can penetrate the system.
Reporting: Documenting the findings, including discovered vulnerabilities, their severity, potential impacts, and recommendations for remediation.
Tools and Techniques
The guide covers several tools and techniques that are essential for effective security testing, including:
Various penetration testing methodologies exist; the most widely used are:
- Open Source Security Testing Methodology Manual (OSSTMM)
Overview: The OSSTMM is a thorough, peer-reviewed framework focused on operational security testing. Its emphasis is on providing a standardised approach to assessing and measuring the security of systems.
Phases:
Preparation: Establish the test's scope, objectives, and engagement rules.
Intelligence Gathering: Collect data about the target environment.
Vulnerability Identification: Identify potential weaknesses or gaps in security.
Exploitation: Attempt to exploit the identified vulnerabilities.
Post-Exploitation: Evaluate the impact of successful exploitation and determine whether access can be maintained.
Reporting: Provide a detailed report with findings and actionable recommendations.
- Open Web Application Security Project (OWASP) Testing Methodology
Overview: The OWASP methodology is specifically designed for web application security testing. It provides a comprehensive framework for assessing web application vulnerabilities.
Phases:
Information Gathering: Collect essential information about the web application and its environment.
Configuration and Deployment Management Testing: Assess the application's deployment and configuration.
Identity Management Testing: Examine the authentication and session management mechanisms.
Authentication Testing: Evaluate the security of authentication methods.
Authorisation Testing: Ensure that proper access control mechanisms are in place.
Session Management Testing: Review the security and handling of sessions.
Input Validation Testing: Test for common vulnerabilities such as SQL injection, XSS, and others.
Testing for Error Handling: Review the application’s response to errors and exceptions.
Testing for Data Exposure: Ensure that sensitive data is adequately protected from exposure.
Business Logic Testing: Examine the application’s core functionality for logical vulnerabilities.
Client-Side Testing: Assess the security of client-side components, including scripts and cookies.
- NIST Special Publication 800-115
Overview: The National Institute of Standards and Technology (NIST) provides this publication as a technical guide for conducting information security assessments. It offers a structured approach to security testing.
Phases:
Planning: Define the test objectives, scope, and rules of engagement.
Discovery: Conduct reconnaissance and gather information about the target.
Attack: Execute exploitation of identified vulnerabilities.
Reporting: Compile a comprehensive report detailing the findings and security recommendations.
- Penetration Testing Execution Standard (PTES)
Overview: The PTES provides a structured framework for penetration testing that ensures consistency and thoroughness in the process. It covers all aspects of a penetration test from start to finish.
Phases:
Pre-engagement Interactions: Define the scope, objectives, and logistics of the test.
Intelligence Gathering: Gather as much information as possible about the target system.
Threat Modeling: Identify potential threats and assess risks based on the intelligence gathered.
Vulnerability Analysis: Identify and prioritise vulnerabilities in the target system.
Exploitation: Attempt to exploit vulnerabilities to assess security.
Post-Exploitation: Determine the value of the compromised system and assess whether ongoing access can be maintained.
Reporting: Provide a detailed report on the methodology used, findings, and recommendations for remediation.
- CREST Penetration Testing Methodology
Overview: CREST is an internationally recognised certification body that offers a standardised penetration testing methodology. It ensures the testing is conducted with high standards and professionalism.
Phases:
Information Gathering and Discovery: Similar to other methodologies, this phase involves collecting and analysing data on the target system.
Threat Modeling and Vulnerability Identification: Assess potential threats and identify any security weaknesses.
Exploitation: Attempt to exploit identified vulnerabilities to evaluate the level of risk.
Post-Exploitation: Determine the impact of the exploit and, if necessary, maintain access for further analysis.
Reporting: Produce a comprehensive report that documents the process and findings and provides actionable recommendations.
Rules of Engagement (RoE)
To maintain ethical, legal, and controlled security testing, NIST 800-115 advises setting clear Rules of Engagement (RoE). These should outline:
The defined boundaries for the testing.
Personnel authorised to conduct the tests.
Procedures for notifying stakeholders in case of unforeseen issues.
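As an added illustration of how the RoE boundaries above can be enforced in practice, the following Python example (not from NIST SP 800-115 or any real engagement) encodes a signed RoE as data and gates every proposed test action against it: the authorised address ranges, the explicitly excluded hosts, the agreed testing window, and the named testers. All values are constructed; the address ranges are the IETF documentation networks, so they point at nothing real.

```python
"""Rules-of-Engagement scope gate.

Refuses any test action that falls outside the authorised targets, hits an
excluded host, runs outside the agreed window, or is issued by someone not
named in the RoE. Every denial returns the rule that blocked it so the event
can be logged and raised with the client as the RoE's notification procedure
requires. Constructed example data; not from any real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    in_scope: list            # CIDR strings the client authorised
    excluded: list            # hosts or ranges carved out (e.g. a production database)
    window_start: datetime    # agreed testing window, timezone-aware (UTC here)
    window_end: datetime
    authorised_testers: set   # people named in the signed RoE

    def __post_init__(self):
        # Parse once; strict=False accepts ranges written with host bits set.
        self._in = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self._ex = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def check(self, target, tester, when):
        """Return (allowed, reason). Checks are ordered so the cheapest,
        most clear-cut rule (who and when) is reported before the address rules."""
        if tester not in self.authorised_testers:
            return False, f"{tester} is not an authorised tester"
        if not (self.window_start <= when <= self.window_end):
            return False, f"{when.isoformat()} is outside the testing window"
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Hostnames are not checked by name: resolve first, then re-check
            # the resolved address, so a stale DNS record cannot widen scope.
            return False, f"{target!r} is not an IP address; resolve it and re-check"
        if any(addr in net for net in self._ex):
            return False, f"{target} is explicitly excluded"
        if not any(addr in net for net in self._in):
            return False, f"{target} is not in the authorised scope"
        return True, "within scope"


# Constructed RoE for a hypothetical engagement (documentation address ranges).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    excluded=["203.0.113.10/32"],
    window_start=datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 6, 7, 18, 0, tzinfo=timezone.utc),
    authorised_testers={"alice", "bob"},
)

# Constructed batch of proposed actions: (target, tester, time).
SAMPLE_ACTIONS = [
    ("203.0.113.5", "alice", datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)),
    ("203.0.113.10", "alice", datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)),
    ("198.51.100.200", "bob", datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)),
    ("203.0.113.5", "mallory", datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)),
    ("203.0.113.5", "alice", datetime(2024, 6, 9, 10, 0, tzinfo=timezone.utc)),
    ("app.example.internal", "alice", datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)),
]


def gate_actions(roe, actions):
    """Apply the RoE to a batch; returns [(target, allowed, reason), ...]."""
    return [(t, *roe.check(t, who, when)) for t, who, when in actions]


if __name__ == "__main__":
    for target, allowed, reason in gate_actions(SAMPLE_ROE, SAMPLE_ACTIONS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {target:22} {reason}")
```

The exclusion list is checked before the inclusion list on purpose: a host carved out of a larger authorised range must lose, and keeping the carve-out as its own rule produces a denial reason that matches the wording of the signed document.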
Reporting and Risk Mitigation
The final report should be clear, comprehensive, and accessible to both technical and non-technical stakeholders. It should prioritise vulnerabilities based on their risk level and provide actionable recommendations to address and mitigate the identified risks.
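The following Python example is added here to show one way of producing the report described above; it is not code from the page or from any of the methodologies it lists. Findings are rated with a qualitative likelihood-by-impact matrix (an assumed scale, not one the page specifies), ordered for remediation, and rendered as an executive summary for non-technical readers followed by the detailed list for the technical audience. The sample findings are constructed and hypothetical.

```python
"""Rank assessment findings and render a two-audience report.

Severity comes from a qualitative risk matrix (likelihood x impact); the
remediation order puts the most severe, most widely affecting findings first.
Findings below are constructed sample data, not from a real assessment.
"""
from collections import Counter

LEVELS = ("low", "medium", "high")   # ordinal scale shared by likelihood and impact

# Assumed risk matrix: (likelihood, impact) -> severity band.
RISK_MATRIX = {
    ("high", "high"): "critical",
    ("high", "medium"): "high", ("medium", "high"): "high",
    ("high", "low"): "medium", ("medium", "medium"): "medium", ("low", "high"): "medium",
    ("medium", "low"): "low", ("low", "medium"): "low", ("low", "low"): "low",
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings (hypothetical asset names and titles).
SAMPLE_FINDINGS = [
    {"id": "F-01", "title": "SQL injection in search endpoint",
     "likelihood": "high", "impact": "high", "assets": ["shop-web-01"],
     "recommendation": "Use parameterised queries and validate input server-side."},
    {"id": "F-02", "title": "TLS 1.0 enabled on load balancer",
     "likelihood": "low", "impact": "medium", "assets": ["lb-01", "lb-02"],
     "recommendation": "Disable TLS 1.0/1.1 and require TLS 1.2 or later."},
    {"id": "F-03", "title": "Default credentials on management console",
     "likelihood": "high", "impact": "medium", "assets": ["mgmt-01", "mgmt-02", "mgmt-03"],
     "recommendation": "Rotate the credentials and enforce MFA on the console."},
    {"id": "F-04", "title": "Verbose stack traces in error pages",
     "likelihood": "medium", "impact": "low", "assets": ["shop-web-01"],
     "recommendation": "Return generic error pages; keep details in server logs."},
    {"id": "F-05", "title": "Missing rate limiting on login",
     "likelihood": "medium", "impact": "medium", "assets": ["shop-web-01"],
     "recommendation": "Add per-account and per-source throttling on login."},
]


def severity(finding):
    """Map a finding's qualitative likelihood and impact to a severity band."""
    lk, im = finding["likelihood"], finding["impact"]
    if lk not in LEVELS or im not in LEVELS:
        raise ValueError(f"{finding['id']}: likelihood/impact must be one of {LEVELS}")
    return RISK_MATRIX[(lk, im)]


def prioritise(findings):
    """Remediation order: highest severity first, then most assets affected,
    then by id so two runs over the same data produce the same report."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_RANK[severity(f)], -len(f["assets"]), f["id"]))


def executive_summary(findings):
    """Counts per severity band, in rank order, for the non-technical audience."""
    counts = Counter(severity(f) for f in findings)
    return {band: counts.get(band, 0) for band in SEVERITY_RANK}


def render_report(findings):
    """Plain-text report: summary first, then the remediation order with details."""
    lines = ["Executive summary"]
    for band, n in executive_summary(findings).items():
        lines.append(f"  {band:<8} {n}")
    lines += ["", "Remediation order"]
    for i, f in enumerate(prioritise(findings), 1):
        lines.append(f"  {i}. [{severity(f).upper()}] {f['id']} {f['title']}")
        lines.append(f"     affects: {', '.join(f['assets'])}")
        lines.append(f"     fix: {f['recommendation']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Breaking ties by number of affected assets, and then by finding id, is what keeps the order stable between report drafts; a list whose order changes every time it is regenerated is hard for a remediation team to track.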
Post-Testing Actions
After completing security testing, organisations are encouraged to:
Remediate identified vulnerabilities.
Reevaluate and strengthen security controls as necessary.
Leverage the results to enhance ongoing security efforts and inform future training initiatives.