1PENETRATION TESTING Table of Contents Introduction................................................................................................................................2 Approaches to perform pen testing............................................................................................2 Methodologies of Penetration Testing.......................................................................................3 Comparison of the approaches...............................................................................................5 Procedures for IT Security Penetration Testing.........................................................................6 Statutory and ethical issue of penetration testing.......................................................................8 Decision Tree.............................................................................................................................9 Conclusion..................................................................................................................................9 References................................................................................................................................11
2PENETRATION TESTING Introduction Penetration testing or pen testing refers to the practice of checking a computer system, Web application or a network so that the security vulnerabilities in these can be found out. Software applications can be made use to automate penetration testing or this can also be performed manually. Whether by software applications or manually, this requires gathering information related to the target before it is done. The probable entry points and the attempts of breaking in to the system and all such aspects that relates to the security of the system is to be considered in this(Baloch 2017). The primary objective of pen testing is identifying security vulnerabilities. This is made use of to check organization’s security policy, whether it compliances to various requirements, the security awareness of employees as well as the firm’s ability to both indentify and provide response to security related incidents. In this paper, the various methodologies of penetration testing will be discussed and a comparison been made between them. The statutory as well as legal issues related to pen testing will be discussed as well. Standard Operating Procedure (SOP) and a decision making tree will also be designed considering a pen testing against a specific target system. Approaches to perform pen testing The below mentioned approaches can be made use of to conduct penetration testing: 1. Manual Pen Testing-Manual penetration testing involves a specific standard approach comprising of different activities that needs to be carried out in a certain sequence (Sandhya, Purkayastha, Joshua and Deep 2017). The sequence is as given below: a) Planning for conducting the penetration testing b) Reconnaissance
3PENETRATION TESTING c) Vulnerability Analysis d) Exploitation i) External Attacks ii) Internal Attacks e) Scenario post exploitation d) Reporting 2. Automated Penetration Testing-Automated Pen Testing is conducted by making use of different performance testing tools (Stiawan et al. 2016). The tools that are used in most of the cases are given below: a) Nmap b) Nessus c) Metaspoilt d) Wireshark e) Veracode 3) Manual Pen Testing along with Automated Pen Testing-The different benefits of manual and automated testing ensure that the pen testing being conducted is effective, properly monitored as well as precise (Falagush, McDowell, Yu and de Bono, 2015). Methodologies of Penetration Testing Depending on the different testing approaches, penetration testing can be categorized into the following:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4PENETRATION TESTING 1. White Box Pen Testing- In this particular approach the tester has full access along with in- depth knowledge of system that requires checking for security vulnerabilities. This approach is considered to be effective in case of extensive penetration testing. In this approach, internal perspective of the whole system along with programming skills is made use of to develop the various test cases(Nagpal, Singh, Chauhan and Panesar 2015). The tester in this case chooses various inputs to exercise different paths through the code thus determining the desired outputs. This approach can be said to be testing the system or the application at the source code level. 2. Black Box Pen Testing- In this approach the tester is provided with high-level information and he is totally unaware of the network. This approach checks the functionality of a system or application without trying to peer into the internal structure of workings. This method of pen testing is generally applicable to every stage of software testing that includes unit, system, acceptance and integration(Al Shebli and Beheshti 2018). In this approach, specific knowledge related to the application’s code, knowledge of programming as well as internal structure is not needed. The tester here is well aware of what is expected from the software but is unaware of the way it is done. In this approach, the test cases are built around the various specifications and associated requirements. 3. Gray Box Pen Testing- This is the technique or the approach in which the tester has partial knowledge of the internal workings of the application. The main purpose of this approach is to find out the defects that can be there for improper structure of the codes or improper functioning usage of any application. It can be said to be a combination of white box and black box penetration testing. This approach provides the combined benefits of both white box penetration testing and black box penetration testing(Johns 2015). Gray Box Penetration testing provides ample amount of free time for a developer for fixing the defects. The testing in case is done considering the point of view of the user instead of that of the designer.
5PENETRATION TESTING Comparison of the approaches Sl. No.Gray Box Penetration TestingWhite Box Penetration Testing Black Box Penetration Testing 1.Utilizes both white box as well as black box penetration testing mainly for the purpose of database testing andinternalprogrammingis partially known to the tester(Ansari, 2015). The testers have complete knowledge of the internal programming rationale of the IT product that is to be tested. The testers do not have informationofthe internal workings of the IT product that is to be tested for vulnerability. 2.If the tester has good knowledge of codingthenpenetrationtestingis carriedoutbyvalidatingdata domainsalongwiththeintrinsic system boundaries of the software. Itiscarriedoutafter verifying the boundaries ofthesystemandthe datadomainsthatare inherent to the software asthetesterhas adequate knowledge of the internal coding. Thisincludestrial techniquesalongwith errorguessingmethod as the tester in this case doesnotrequirethe knowledgeofinternal coding of the software. 3.Testing space of the input tables is smaller as compared to that of Black Box and White Box Testing. Testingspaceofthe inputtablesislesser than that of Black Box testing. Testingspaceofthe input tables is huge and is the largest among all the testing spaces. 4.Notrecommendedfortestingof algorithm. Appropriatefortesting of algorithm. Notrecommendedfor testing of algorithm. 5.Takeslesstimethanwhitebox penetration testing. Most time consuming.Least time consuming. 6.Testingisbasedonhigh-level databasediagramsalongwith Codingservesasthe baseofthisandis Externalexpectations arethebasisofthis
6PENETRATION TESTING dataflow diagrams.responsibleforthe internal working as well. testingastheintrinsic behavior of the software is not known. Procedures for IT Security Penetration Testing Security penetration testing refers to the activity in which there is attest team that attempts to circumvent the different security processes thus controlling the computer system. The test team poses as internal or external unauthorized intruder thus obtaining access, extracting information as well as demonstrating the capability to manipulate the specific computer system that has been targeted(Zhang, Arroyo, Ciantia, Gens and Butlanska 2019). The sensitive nature of penetration testing requires that some specific rules be applied. The procedures for penetration testing of the systems at particular sites or centers are as follows: 1. Planning for the penetration test- As the penetration testing is to done at a site therefore it is required hat a Site Point of Contact or POC along with Pan Test POC is identified. This identified POC is vested with the job of coordination of the various activities that are related to pen testing. The management is to be notified of the activities and the schedule so that the activities can take place on time(Hussain, Hasan and Chughtai 2017). The Penetration Testing POC acts as the primary interface with that of Site POC for different activities of pen testing. It is the duty of the Pen Tester to develop all the required documentation as well as the plan related to penetration testing. The Pen Tester is vested with the responsibility to assign different role to his team members so that the work is carried out properly. 2. Analysis of the vulnerabilities- This includes many important activities such as: a) Identifying the possible targets.
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
7PENETRATION TESTING b) Identifying all the potential vulnerabilities c) Performing the various vulnerability scans d) Buffering overflows e) IP spoofing f) Social engineering g) Manipulating the touting tables h) Performing certain manual tests 3. Penetration testing- For the sites being tested for vulnerabilities, the Pen Tester requires to perform certain tasks: i. Introductory Briefing ii. Technical along with Administrative Face-to-Face Meeting iii. Executive In-Briefing iv. Reviewing the various IT Security Policies, Guidelines and Standards v. Preparing for outside Pen Testing vi. Inside penetration testing vii. Documentation of the Security Programs in relation to IT, Firewalls along with other different security tools of IT. viii. Analysis of different data and associated findings ix. Exit the briefing
8PENETRATION TESTING The last step or the exit briefing step includes summarizing the findings, presenting final reports,discussingoutsiderpentestingresults,discussinginsiderpentestingresults, discussing the evaluation of the site’s IT security program as well as the management structure(Prasad 2016). This also includes discussing on the overall recommendations that relate to the site or the system that has been penetration tested. Statutory and ethical issue of penetration testing The Open Source Security Testing Methodology Manual (OSSTMM) lays down certain rules of engagement that are mainly a set of different rules developed to restrict unethical pen testing. The rules are laid down so as to protect the client as well as to preserve this security profession. The different objectives are met by checking on conflicts of interest, various provisions of false positives as well as false negatives. The legally binding testers should comply with the ethical obligations that they sign in the contract. The first and foremost thing is that the client’s information should be protected and the security profession preserved(Bertoglio and Zorzo 2017). Penetration testing should be performed on a system or a site only if the client provides written permission for the same. There should be contractual arrangements so that the work of the penetration testers can be differentiated from that of the hackers. The penetration testers should not just rely upon certain automated tools and the tools being used should be tested prior to their application in the pen testing at site. The penetration tester has no rights to use the data of a past client to promote the services. It is the responsibility of the tester to send in notifications to the client whenever vulnerability is identified. This notification should consist of the different measures that can be taken to rectify the flaws thus minimizing danger to human life(Dawson and McDonald 2016). The penetration tests that fail to identify vulnerabilities should not be tagged as free service as this represents false positives and the testing practice is misinterpreted. The tester needs to work on the non-disclosure as well as limited liability clauses in the contract that is being signed by
9PENETRATION TESTING him. The main issue in penetration testing is that the client’s system information are going to the tester and if misused can lead to serious consequences. Thus it is required that the tester chosen is certified and the activities being done during penetration testing is kept a watch on. Decision Tree Figure 1: Decision tree for the penetration testing to be carried out on the target system Conclusion Thus from the discussions made above it can be concluded that, there are different approaches of pen testing and it needs to be chosen by as per the requirement of the client or the system that is to be pen tested. The Standard Operating Procedures suggest that there is a certain way or a step wise process that should be followed by a pen tester when conducting
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10PENETRATION TESTING this test. The most important part is the ethical issues related to penetration testing. It can be said that as this has a lot to do with the client’s system and data it can have serious consequences if misused by the pen tester. The penetration tester should be made to sign proper contracts to differentiate his work from that of the hacker. Thus, it can be said that penetration is important to find out vulnerabilities of a system but at the same time it is important to check that the data is safe with the tester being hired for this purpose keeping in mind that anything can be done by using the data.
11PENETRATION TESTING References Al Shebli, H.M.Z. and Beheshti, B.D., 2018, May. A study on penetration testing process and tools.In2018IEEELongIslandSystems,ApplicationsandTechnologyConference (LISAT)(pp. 1-7). IEEE. Ansari, J.A., 2015.Web penetration testing with Kali Linux. Packt Publishing Ltd. Baloch, R., 2017.Ethical hacking and penetration testing guide. CRC Press. Bertoglio, D.D. and Zorzo, A.F., 2017. Overview and open issues on penetration test.Journal of the Brazilian Computer Society,23(1), p.2. Dawson, J. and McDonald, J.T., 2016, April. Improving Penetration Testing Methodologies for Security-Based Risk Assessment. In2016 Cybersecurity Symposium (CYBERSEC)(pp. 51-58). IEEE. Falagush, O., McDowell, G.R., Yu, H.S. and de Bono, J.P., 2015. Discrete element modelling and cavity expansion analysis of cone penetration testing.Granular Matter,17(4), pp.483- 495. Hussain, M.Z., Hasan, M.Z. and Chughtai, M.T.A., 2017. Penetration testing in system administration.International Journal of Scientific & Technology Research,6(6), p.3. Johns, A., 2015.Mastering wireless penetration testing for highly secured environments. Packt Publishing Ltd. Nagpal, B., Singh, N., Chauhan, N. and Panesar, A., 2015, May. Tool based implementation ofSQLinjectionforpenetrationtesting.InInternationalConferenceonComputing, Communication & Automation(pp. 746-749). IEEE.
12PENETRATION TESTING Prasad, P., 2016.Mastering Modern Web Penetration Testing. Packt Publishing Ltd. Sandhya, S., Purkayastha, S., Joshua, E. and Deep, A., 2017, January. Assessment of website security by penetration testing using Wireshark. In2017 4th International Conference on Advanced Computing and Communication Systems (ICACCS)(pp. 1-4). IEEE. Stiawan,D.,Idris,M.Y.B.,Abdullah,A.H.,AlQurashi,M.andBudiarto,R.,2016. PenetrationTestingandMitigationofVulnerabilitiesWindowsServer.IJNetwork Security,18(3), pp.501-513. Zhang, N., Arroyo, M., Ciantia, M.O., Gens, A. and Butlanska, J., 2019. Standard penetration testing in a virtual calibration chamber.Computers and Geotechnics,111, pp.277-289.