
What Is a Penetration Test? The Importance of Penetration Tests in Cyber Security

What Is a Penetration Test?

A penetration test is a subclass of ethical hacking; it comprises a set of methods and procedures that aim at testing/protecting an organization’s security. Penetration tests prove helpful in finding vulnerabilities in an organization and in checking whether an attacker will be able to exploit them to gain unauthorized access to an asset.

Vulnerability Assessments versus Penetration Test

Oftentimes, a vulnerability assessment is confused with a penetration test; however, these terms have completely different meanings. In a vulnerability assessment, our goal is to figure out all the vulnerabilities in an asset and document them accordingly. In a penetration test, however, we need to act as an attacker to see if we are actually able to exploit a vulnerability, and to document the vulnerabilities that were exploited and the ones that turned out to be false positives.

Preengagement

Before you start doing a penetration test, there are a whole lot of things you need to discuss with the client. This is the phase where both the customer and a representative from your company sit down and discuss the legal requirements and the “rules of engagement.”
4 ◾ Ethical Hacking and Penetration Testing Guide 
Rules of Engagement

Every penetration test you do comes with rules of engagement (ROE), which define how the penetration test will be laid out, what methodology will be used, the start and end dates, the milestones, the goals of the penetration test, the liabilities and responsibilities, etc. All of them have to be mutually agreed upon by both the customer and the representative before the penetration test is started. The following are important requirements that are present in almost every ROE:
◾ A proper “permission to hack” and a “nondisclosure” agreement should be signed by both the parties.
◾ The scope of the engagement and what part of the organization must be tested.
◾ The project duration including both the start and the end date.
◾ The methodology to be used for conducting a penetration test.
◾ The goals of a penetration test.
◾ The allowed and disallowed techniques, whether denial-of-service testing should be performed or not.
◾ The liabilities and responsibilities, which are decided ahead of time. As a penetration tester you might break into something that should not be accessible, causing a denial of service; also, you might access sensitive information such as credit cards. Therefore, the liabilities should be defined prior to the engagement.

If you need more thorough documentation, refer to the “PTES Pre-engagement” document (http://www.pentest-standard.org/index.php/Pre-engagement).

[Figure: pre-engagement scoping diagram. Labels: How to scope; Metrics for time estimation; Questionnaires; Scope creep; Scoping; Specify IP ranges and domains; Validate ranges; Cloud services; ISP; Dealing with third parties; Define acceptable social engineering pretexts; Web hosting; MSSPs; Countries where servers are hosted; Estimating project as a whole; Additional support based on hourly rate; Questions for business unit managers; Questions for systems administrators; Questions for help desk; General employee questions; Specify start and end dates; Letter of Amendment (LOA); Tie back to goals section]
Milestones

Before starting a penetration test, it’s good practice to set up milestones so that your project is delivered as per the dates given in the rules of engagement.


Introduction to Hacking
You can use either a Gantt chart or a website like Basecamp that helps you set up milestones to keep track of your progress. The following is a chart that defines the milestones followed by the date they should be accomplished.

Penetration Testing Methodologies

In every penetration test, methodology and the reporting are the most important steps. Let’s first talk about the methodology. There are several different types of penetration testing methodologies that address how a penetration test should be performed. Some of them are discussed in brief next.
