
By: Nihad Hassan
March 10, 2021
Penetration Testing Methodologies

The COVID-19 pandemic has forced most companies to adopt a work-from-home model. Interpol has issued several reports on the pandemic's impact on cybercrime and observed a significant increase in cyberattacks against government organizations, large enterprises, and critical infrastructure during the crisis.
With shutdowns enforced worldwide, most organizations had to move their workforce home. Remote work gives cybercriminals new opportunities: they exploit security vulnerabilities in employees' endpoint devices and attack online collaboration platforms (for example, video and audio conferencing services) to steal data, disrupt operations, and spread chaos.
Nearly every day an APT campaign, a ransomware incident, or a data breach occupies one of the global news headlines. In such a hostile environment, organizations must identify their vulnerabilities and fix them before malicious actors exploit them. Penetration testing is the process of identifying security vulnerabilities in computer systems, networks, and other IT infrastructure by attacking them with the same methods and tools that criminals use, within an agreed scope and with the owner's authorization. Its aim is to protect sensitive information from actors who continually try to gain unauthorized access to critical resources. At the end of the exercise, a report is prepared for the system owner detailing the vulnerabilities found and their impact on the organization's operations.
This article describes the phases of a general penetration testing methodology and lists the popular penetration testing methodologies and standards currently in use.
General penetration testing methodology
A general penetration testing methodology is composed of the following phases:
- Collecting data: In this first phase the testers gather information about the target. Open Source Intelligence (OSINT) techniques are used to learn about the target's IT infrastructure and web presence: web server type and version, email system (e.g., Microsoft Exchange/Outlook or an open-source mail system), plugins used on the target website, VPN service, payment system, web hosting provider, and the content management system (e.g., WordPress, Joomla) the site is built on. Much of this can be collected from public sources without touching the target directly. BuiltWith is a free service for looking up the technologies behind any website (see Figure 1).

- Vulnerability assessment: In this phase the tester identifies weak spots, exploitable vulnerabilities, and common misconfigurations in the information gathered, and ranks them as candidates for exploitation in the next phase.
- Exploitation: This is where the real attack begins. After carefully analyzing and interpreting the vulnerability assessment results, experienced penetration testers use a range of current attack techniques and tools to gain entry to the target system.
- Analyzing results and report writing: In the final phase a formal report is prepared containing the detailed results of the exercise. The report lists every vulnerability discovered, describes in some detail how each one was exploited, recommends a fix for each, and states the testing methodology used along with the tester's overall assessment.
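The data-collection phase above names the technologies a tester wants to learn about (web server and version, server-side language, CMS). The following is an added example, not code from the original article or from BuiltWith: it fingerprints those technologies from a single HTTP response, which is the kind of lookup BuiltWith automates. The response headers, the HTML fragment, and the small signature table are all constructed for illustration; a real signature database is far larger.

```python
"""Technology fingerprinting from one HTTP response (added example).

Not code from the original article. The headers, HTML and the signature
table below are constructed samples, not data captured from a real host.
"""
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample response, shaped like what an Apache/PHP host running
# WordPress might return. Not a real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Set-Cookie": "PHPSESSID=abc123; path=/; HttpOnly",
}
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.6" />
<link rel="stylesheet" href="/wp-content/themes/twentytwenty/style.css">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>Hello</body></html>"""

# Signature table (hand-picked subset): category, product, regex, where to look.
# "header:<Name>" searches that response header; "body" searches the HTML.
# Group 1 of the regex, when present, captures a version string.
SIGNATURES: List[Tuple[str, str, Pattern[str], str]] = [
    ("web_server", "Apache", re.compile(r"Apache(?:/(\S+))?"), "header:Server"),
    ("web_server", "nginx", re.compile(r"nginx(?:/(\S+))?"), "header:Server"),
    ("web_server", "Microsoft-IIS", re.compile(r"Microsoft-IIS(?:/(\S+))?"), "header:Server"),
    ("language", "PHP", re.compile(r"PHP(?:/(\S+))?"), "header:X-Powered-By"),
    ("language", "ASP.NET", re.compile(r"ASP\.NET"), "header:X-Powered-By"),
    ("language", "PHP", re.compile(r"PHPSESSID="), "header:Set-Cookie"),
    ("cms", "WordPress",
     re.compile(r'<meta name="generator" content="WordPress(?: ([\d.]+))?"', re.I), "body"),
    ("cms", "WordPress", re.compile(r"/wp-(?:content|includes)/"), "body"),
    ("cms", "Joomla",
     re.compile(r'<meta name="generator" content="Joomla!?(?: ([\d.]+))?', re.I), "body"),
    ("cms", "Drupal",
     re.compile(r'<meta name="generator" content="Drupal(?: ([\d.]+))?', re.I), "body"),
    ("js_library", "jQuery", re.compile(r"jquery(?:[.-]([\d.]+))?(?:\.min)?\.js", re.I), "body"),
]


def fingerprint(headers: Dict[str, str], html: str) -> Dict[str, Dict[str, str]]:
    """Return {category: {product: version_or_empty}} for every matching signature.

    Evidence that carries a version (e.g. the generator meta tag) is never
    downgraded by weaker evidence for the same product (e.g. a /wp-content/
    path, which confirms WordPress but says nothing about its version).
    """
    found: Dict[str, Dict[str, str]] = {}
    # HTTP header names are case-insensitive, so normalise the lookup key.
    lowered = {k.lower(): v for k, v in headers.items()}
    for category, product, pattern, where in SIGNATURES:
        if where == "body":
            haystack = html
        else:
            haystack = lowered.get(where.split(":", 1)[1].lower(), "")
        m = pattern.search(haystack)
        if not m:
            continue
        version = (m.group(1) or "") if m.groups() else ""
        bucket = found.setdefault(category, {})
        if version or product not in bucket:
            bucket[product] = version or bucket.get(product, "")
    return found


def report_lines(found: Dict[str, Dict[str, str]]) -> List[str]:
    """Flatten the findings into lines suitable for the data-collection section of a report."""
    lines = []
    for category in sorted(found):
        for product, version in sorted(found[category].items()):
            lines.append(f"{category}: {product} {version}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report_lines(fingerprint(SAMPLE_HEADERS, SAMPLE_HTML)):
        print(line)
```

A `Server` or `X-Powered-By` header is under the target's control and is often removed or deliberately set to a misleading value, so a tester treats header-only evidence as a hint and corroborates it with body markers, cookie names, error pages, and public sources such as BuiltWith before recording a version in the report.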
Popular penetration testing methodologies
The outcome of a penetration test depends on the methodology and standards applied. As attacks grow more sophisticated, organizations adopt established penetration testing methodologies and attack tooling to test their defenses against new types of attack.
The Open Source Security Testing Methodology Manual (OSSTMM)
OSSTMM is a peer-reviewed methodology for security testing maintained by the Institute for Security and Open Methodologies (ISECOM). It guides the identification of security vulnerabilities in a network and the operations around it, and can be tailored to the target organization's technology. ISECOM revises the manual as security testing practice evolves.
OSSTMM describes how to test the operational security of five channels within an organization:
- Human security: the security of human interactions with technology and processes (e.g., social engineering).
- Physical security: the tangible side of security. For instance, many significant attacks begin by searching the target organization's garbage for paper documents containing sensitive information that was thrown away without shredding.
- Wireless communications: anything that transmits or receives wirelessly (e.g., 802.11, Bluetooth, Zigbee).
- Telecommunications: the organization's analog and digital telephony (e.g., PBX, VoIP, modem lines), tested for security vulnerabilities.
- Data networks: the wired networks and the systems and connections that make them up.
OWASP (Open Web Application Security Project)
OWASP is a non-profit foundation whose testing guides (the Web Security Testing Guide and the Mobile Security Testing Guide) are widely used as a penetration testing methodology for web and mobile applications and for finding flaws during software development. Testers following the OWASP guides look, among other things, for the vulnerability classes in the OWASP Top 10 (2017 edition):
- Injection flaws
- Broken authentication
- Sensitive data exposure
- XML External Entities (XXE)
- Broken access controls
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging & monitoring
By incorporating OWASP guidance into web application development and security testing, an organization can mitigate these vulnerabilities before criminals exploit them, reducing the risk of data breaches and business disruption.
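The first item in the list above, injection, is the easiest to show concretely. The following is an added example, not code from the original article or from OWASP: a login function that builds its SQL by string formatting, beside the same function rewritten with a parameterized query. It runs against an in-memory SQLite database holding one constructed user record; the username payload `alice' --` and the password hashing scheme are assumptions for the demonstration.

```python
"""Injection (A1 in the OWASP Top 10 2017): vulnerable login query and its fix.

Added example, not code from the original article or from OWASP. Uses an
in-memory SQLite database with one constructed user record.
"""
import hashlib
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """Create the constructed sample database: one user with a SHA-256 password hash.

    SHA-256 keeps the example dependency-free; a real application should use
    a slow, salted password hash such as bcrypt or Argon2.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Vulnerable: the username is pasted into the SQL text, so it can rewrite the query.

    With username = "alice' --" the statement becomes
        SELECT username FROM users WHERE username = 'alice' --' AND pw_hash = '...'
    and SQLite treats everything after -- as a comment, so the password
    check is discarded and the query returns alice's row for any password.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Fixed: parameterized query. The driver passes the username as data, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "alice' --"  # constructed injection payload
    print("vulnerable, wrong password, injected username:", login_vulnerable(db, payload, "wrong"))
    print("safe, same input:", login_safe(db, payload, "wrong"))
```

The fix does not sanitize or escape the input; it changes how the query is sent so that the database never parses user data as SQL. The same principle applies to the other injection targets OWASP lists (OS commands, LDAP, XPath): keep the command structure fixed and pass data through the API's parameter mechanism.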
NIST (National Institute of Standards and Technology)
NIST publishes many technical guides for strengthening an organization's cybersecurity defenses. U.S. federal agencies and their contractors are required to follow NIST guidance; for other organizations it is voluntary but widely adopted as a baseline. NIST's guide for security testing is Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment," which covers planning an assessment, review techniques, target identification and analysis, vulnerability validation (including penetration testing), and post-testing activities such as reporting and remediation.
PTES (Penetration Testing Execution Standard)
PTES recommends a structured approach to penetration testing composed of seven phases:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
The PTES standard itself describes what each phase should achieve rather than how to perform it. A companion document on the same website, the PTES Technical Guidelines, lists suggested tools and procedures for carrying out each phase of the engagement.
Summary
As cyber threats continue to grow in sophistication, organizations should adopt current penetration testing methodologies to discover vulnerabilities before attackers exploit them. This article introduced the concept of a penetration testing methodology, described its general phases, and outlined the most popular testing methodologies and standards.