Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Penetration Testing Methodologies

Verified

Added on 2023/01/13

AI Summary

This article discusses different penetration testing methodologies and frameworks used for testing security measures. It explains the importance of penetration testing in identifying vulnerabilities and improving system security. The article also highlights the role of infrastructure assessment in penetration testing and how it helps in testing the effectiveness of implemented security measures. Various methodologies like ISSAF, OSSTMM, OWASP, and PTES are mentioned and their purposes are explained.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: PENETRATION TESTING METHODOLOGIES
PENETRATION TESTING METHODOLOGIES
Name of the student:
Name of the University:
Author Note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

1PENETRATION TESTING METHODOLOGIES
Table of Contents
Task 1...............................................................................................................................................2
Introduction......................................................................................................................................2
Discussion........................................................................................................................................2
Computer crime...............................................................................................................................2
Criminal activity..............................................................................................................................3
Hacking............................................................................................................................................4
Critical discussion............................................................................................................................4
References........................................................................................................................................5
Task 2...............................................................................................................................................8
Introduction......................................................................................................................................8
Discussion........................................................................................................................................8
Standard Operating Procedure or SOP:.....................................................................................9
Conclusion.....................................................................................................................................11
References......................................................................................................................................13
Appendix........................................................................................................................................16

2PENETRATION TESTING METHODOLOGIES
Task 1
Introduction
Computer hacking is modifying or doing practice of system or making changes in the
victim system as per the need. Person who perform this task is known as hacker (Lenca and
Haselager, 2016). Practice of such activity cannot be termed directly as illegal hacking, but
harming someone’s system or targeting industry or organization for the illegal demand such as
making effect to their system, asking for payment, taking personal data are such illegal activity
will be termed as hacking crime (Simmons, 2016). Criminal activity is performing task that
violates government law that will be punished by the court act. This paper will discuss for why
hacking is not criminal activity and for this it is very important to first understand what computer
crime is and what criminal activity is and after that there will be detail about hacking, how it
works what are the scope of hacking and what exact objective comes for hacking. After
understanding all these there will be conclusion that why hacking is not criminal activity.
Discussion
Computer crime
Computer crime is another word for cybercrime, Computer crime is an activity taking or
stealing illegally from someone’s computer or individual company information that maybe
private (Wilding, 2017). The performer of this task is termed as hacker. For some cases, hacker or
group of hackers just corrupt the files in the computer or in some cases, it destroys everything
(Zhuo et al, 2017). There are various kind of computer crime and all are having different needs,
demand, objective and different way of performing cybercrime (Söderberg and Delfanti, 2015).

3PENETRATION TESTING METHODOLOGIES
Few of examples are violation of copyright, cracking, malware attack, fraud, identity theft and
scam etc.
Traditional crime Computer crime
1. Traditional crime performed under
the presence of person at the place of
crime (van et al, 2017).
2. Traditional crime examples are theft,
forgery, blackmail etc.
3. Traditional crime do not require
computer or internet connection
1. Cybercrime do not require to be
present at the place of crime
2. Cybercrime examples are hacking,
stealing private data etc.
3. Computer crime requires computer
and internet connection.
Criminal activity
Criminal activity is the violation of law and rules by performing activity, which is against
court rules and regulation (Brown, 2015). Different country has different law and rules against
criminal activity. Criminal activity has various different rules for different activity. For computer
crime also comes under criminal activity as it is also against court rules and laws. There are
exceptions as well for some cases such as for mentally disturb person no penalty should impose.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

4PENETRATION TESTING METHODOLOGIES
Mens rea and actus rea are both important for crime that comes to use for law of
countries (Kneer and Bourgeois-Gironde, 2017). Mens rea is the intention of hurting someone that
either of human or animals. Whereas actus rea is proving of criminal act. Both of this two are
very much needed for court rules and regulations (Doleac and Sanders, 2015). These two essential
laws makes court rules balanced for both victim and witness. Criminal activity can be of
cybercrime or the traditional crime both are criminal activity as it has intention of hurting
someone. Some of criminal activities are financial crime, criminal violence, theft etc.
Hacking
Computer hacking is modifying or doing practice of system or making changes in the
victim system as per the need. Person who perform this task is known as hacker. Hacking can be
of learning purpose and may be for some time it has intension of hurting someone or stealing of
data illegally. It is completely unauthorized access of other system. There are various ways of
performing hacking. Cracking password or attacking through network security can both provide
entrance to the system. Insertion of viruses or worm is another dangerous thing using that hacker
can perform task as per the need and type of virus inject in the victim system.
Critical discussion
A cyber-criminal is no less responsible or guilty than a normal criminal. All the above
discussed criminal activities are part of or related to cybercrimes. A cyber-criminal is just like a
normal criminal but the only difference is that unlike a normal criminal he can perform the crime
hidden in his home from a laptop. This type of criminals are even more dangerous as it is

5PENETRATION TESTING METHODOLOGIES
extremely difficult to track and arrest them. These kinds of people generally attack high value or
small scale industries to steal their sensitive data and then blackmail them for money.
Due to the vast nature of the internet these types of attacks can happen from anywhere.
The art of hacking is a skill that only select individuals are capable of doing. Hacking requires
very high skills. Hacking can be used both in good ways and bad ways. The major developed
nations recruit hackers in their police academies to prevent and fight against other malicious
hackers. These hackers are people skilled in coding and software intricacies. On the other hand,
there are hackers who are looting banks and other organizations for their own benefits. A person
possessing such skills can use it for either good or bad purposes. It completely depends on the
person and his mindset. So to conclude, hacking is not bad by itself. It is a skill that can be
learned and required high dedication and a lot of knowledge. But how a person uses such a
technology depends on him not on the technology.
References
Acemoglu, D., Malekian, A. and Ozdaglar, A., 2016. Network security and contagion. Journal
of Economic Theory, 166, pp.536-585.
Bastys, I., Piessens, F. and Sabelfeld, A., 2018, October. Prudent design principles for
information flow control. In Proceedings of the 13th Workshop on Programming
Languages and Analysis for Security (pp. 17-23). ACM.
Brown, C.S., 2015. Investigating and prosecuting cyber crime: Forensic dependencies and
barriers to justice. International Journal of Cyber Criminology, 9(1), p.55.
Coeckelbergh, M., 2017. Hacking Technological Practices and the Vulnerability of the Modern
Hero. Foundations of Science, 22(2), pp.357-362.

6PENETRATION TESTING METHODOLOGIES
Colver, A.L., 2018. CRIME AND PUNISHMENT: AN EXAMINATION OF THE EFFECTS
OF SOCIAL PROMINENCE ON PUNISHMENT SEVERITY.
Doleac, J.L. and Sanders, N.J., 2015. Under the cover of darkness: How ambient light influences
criminal activity. Review of Economics and Statistics, 97(5), pp.1093-1103.
Goldfoot, J. and Bamzai, A., 2016. A Trespass Framework for the Crime of Hacking. Geo.
Wash. L. Rev., 84, p.1477.
He, Z., Cai, Z. and Yu, J., 2018. Latent-data privacy preserving with customized data utility for
social network data. IEEE Transactions on Vehicular Technology, 67(1), pp.665-673.
Ienca, M. and Haselager, P., 2016. Hacking the brain: brain–computer interfacing technology
and the ethics of neurosecurity. Ethics and Information Technology, 18(2), pp.117-129.
Jafarnejad, S., Codeca, L., Bronzi, W., Frank, R. and Engel, T., 2015, December. A car hacking
experiment: When connectivity meets vulnerability. In 2015 IEEE Globecom Workshops
(GC Wkshps) (pp. 1-6). IEEE.
Kneer, M. and Bourgeois-Gironde, S., 2017. Mens rea ascription, expertise and outcome effects:
Professional judges surveyed. Cognition, 169, pp.139-146.
Lind, K. and Kääriäinen, J., 2018. Cheating and stealing to finance gambling: analysis of
screening data from a problem gambling self-help program. Journal of Gambling Issues,
(39).
Nakaya, M., Akagi, S. and Tominaga, H., 2016, November. Implementation and Trial Practices
for Hacking Competition CTF as Introductory Educational Experience for Information
Literacy and Security Learning. In The Fifth International Conference on Informatics
and Applications (ICIA2016) (p. 57).

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

7PENETRATION TESTING METHODOLOGIES
Nasution, M.D.T.P., Rossanty, Y., Siahaan, A.P.U. and Aryza, S., 2018. The Phenomenon of
Cyber-Crime and Fraud Victimization in Online Shop. Int. J. Civ. Eng. Technol, 9(6),
pp.1583-1592.
Simmons, R., 2016. The Failure of the Computer Fraud and Abuse Act: Time to Take an
Administrative Approach to Regulating Computer Crime. Geo. Wash. L. Rev., 84,
p.1703.
Söderberg, J. and Delfanti, A., 2015. Hacking hacked! The life cycles of digital
innovation. Science, Technology, & Human Values, 40(5), pp.793-798.
van de Weijer, S.G. and Leukfeldt, E.R., 2017. Big five personality traits of cybercrime
victims. Cyberpsychology, Behavior, and Social Networking, 20(7), pp.407-412.
Wilding, E., 2017. Information risk and security: preventing and investigating workplace
computer crime. Routledge.
Zhang, D., 2018, October. Big data security and privacy protection. In 8th International
Conference on Management and Computer Science (ICMCS 2018). Atlantis Press.
Zhuo, D., Ghobadi, M., Mahajan, R., Förster, K.T., Krishnamurthy, A. and Anderson, T., 2017,
August. Understanding and mitigating packet corruption in data center networks.
In Proceedings of the Conference of the ACM Special Interest Group on Data
Communication (pp. 362-375). ACM.

8PENETRATION TESTING METHODOLOGIES
Task 2
Introduction
There has been a massive increase in the amount of cyber-attacks and threats for businesses and
governments in the last 10 years. This has led to the development of many technologies like web
security measures, antiviruses and improved security protocols. There have also been a rise in the
number of cyber security industries and government agencies. Penetration testing is one such
cyber security measure. Penetration helps to test the capability of information security protocols
and precautionary measures from the point of view of the hacker. Penetration testing tries to
detect the vulnerabilities and weaknesses of the target and seal those gaps before a real world
exploit attack can take place. The most important part of penetration testing is to identify a solid
framework or methodology according to the need of the target website or server. The
infrastructure assessment plays a critical role in it. This helps us in testing the effectiveness of
the implemented security measures and protocols. It often acts as a mitigation strategy and helps
reduce the risk of a future attack. A properly designed and executed penetration test can be very
useful to detect flaws in the system and improve them.
Discussion
There are many penetration testing methodologies and frameworks that are used worldwide to
develop security measures. The methodologies are:

9PENETRATION TESTING METHODOLOGIES
1. ISSAF: It is a peer reviewed, open source, penetration testing framework developed by the
Open Information System Security Group. It is a framework which includes multiple
methodologies and covers all possible types of penetrations tests from start till end.
2. OSSTMM: It is another open source method started in 2000 to test security measures.
Developed by Institute for Security and Open Methodologies, it is a framework that incorporates
different modules and channels. Each of the channel here represents a separate domain.
OSSTMM is an auditing methodology and not a complete, comprehensive one like ISSAF.
However it can be used in corporate office to satisfy regulatory requirements.
3. OWASP: It is a nonprofit methodology designed for improving security of softwares. It
contains many different tools, testing methodologies and guides that can be used for cyber
security with an open license. The OWASP testing guide or OTG is used for testing of websites
and web applications. Therefore, unlike the previous two, OTG is mainly used for developing
security measures for web based applications and systems.
4. Penetration Testing Execution Standard: PTES is another testing standard that can be used
to do many different activities like gathering intellifence, vulnerability analysis, threat detection,
post exploitation, exploitation and reporting. PTES can take advantage of other frameworks
depending on the type of attack. For example, for a web based attack PTES can use OWASP or
OTG for conducting penetration testing.
Standard Operating Procedure or SOP:
The Standard Operating Procedure or SOP is a procedure given to workers from
organizations to conduct daily routine operations. Penetration Testing Execution Standard or
PTES can be effectively used to develop a SOP as it includes all the steps like intelligence

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

10PENETRATION TESTING METHODOLOGIES
gathering, vulnerability detection and target exploitation and post exploitation. The SOP can be
developed by the following steps:
1. Gathering intelligence is an important part of Pentest standard. This task can be divided
into three parts: level 1, level 2 and level 3. In level 1 gathering automated tools can be
used to collect data. In level 2 gathering automated tools and manual analysis both can be
used. In level 3, a lot of manual work and analysis is needed along with the use of
automated tools.
2. Target selection: In this phase the intelligence gathered is analyzed and a suitable target
is selected. The target is selected by carefully considering attacking risks, the length of
time needed for carrying out the attack and considering the end result of the test and the
value of things that can be gained from attacking the target.
3. Vulnerability analysis: In this process the target systems flaws are determined and the
applications segregated than can be used by the attacker. The flaws can be in design or
service misconfiguration. The process of finding a flaw can be of varied length depending
on the complexity of the components. The testing should be done so that it matches with
the in depth requirements. The breadth of the testing must be validated to ensure that the
testing scope is met.
4. Exploitation: The main aim of the phase is to completely focus on establishing access to
the target system to complete the exploit. The security measures to bypass can be
Security Guard, Host Based Intrusion Prevention System, Web Application Firewall or
other measures. The success of the exploitation phase completely depends on the proper
execution of the vulnerability analysis phase. A well planned vulnerability phase will

11PENETRATION TESTING METHODOLOGIES
result in a precision attack. The main focus of this attack is to identify the high value
assets and find the main entry point to it.
These steps if followed properly can be used to plan and coordinate a proper penetration test
standard. The test will be able to highlight all the flaws and loopholes in the target system and
possible countermeasures should be implemented to fill up those gaps and improve the system.
Thus, a Standard Operating Procedure or SOP can be ideally used by a security organization to
asses and implement security countermeasure by conducting a PTES test.
Conclusion
From the above discussion it has been found that, hacking is not a crime for learning
purpose. This will provide a detail understanding of how exactly a system works and with having
practical observation it becomes more easy to understand the working of computer network and
behind the scene of computer knowledge. This paper has identified about the criminal activity
and hacking at first then after discussing on this two it has been found that hacking is not crime.
It is dependent on hacker intention as well if the hacker is stealing other computer information
without informing admin of the system and stealing private information of that system it is
crime. Criminal activity has no relation with hacking if the hacking is done for learning purpose
only.
The main four penetration testing methodologies include ISSAF, OWASP, OSSTMM
and PTES. Among these frameworks and methodologies only OWASP can be used to develop
security measures for web based applications. The ISSAF is the only complete framework that
includes almost all the possible methodologies for penetration testing out there. It is also called
the most comprehensive PenTest framework. The PTES is another special framework that can be

12PENETRATION TESTING METHODOLOGIES
used to incorporate other methodologies and frameworks in it. To conclude, from this report one
can say that PTES can be effectively used to develop the Standard Operating Procedures or SOP
to effectively create the standard process and implement those steps. The steps include gathering
of intelligence, selecting the target, vulnerability analysis and exploitation of the target. The steps
are designed to be followed by trained workers to carry out Penetration testing standards for
organizations. Thus, penetration testing plays a critical role in testing and developing new
security measures. Hacking is also not crime if someone lost his/her device or staying at long
distance and need the data which is stored on that system at that time stealing own data is not a
crime at all and it can be said that hacking cannot be termed as crime.

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

13PENETRATION TESTING METHODOLOGIES
References
Almusallam, A., 2018. Penetration Testing for Android Applications with Santoku Linux.
Andreu, A., 2006. Professional pen testing for Web applications. John Wiley & Sons.
Antunes, N. and Vieira, M., 2011, July. Enhancing penetration testing with attack signatures and
interface monitoring for the detection of injection vulnerabilities in web services. In 2011 IEEE
International Conference on Services Computing (pp. 104-111). IEEE.
Bertoglio, D.D. and Zorzo, A.F., 2017. Overview and open issues on penetration test. Journal of
the Brazilian Computer Society, 23(1), p.2.
Chen, C.K., Zhang, Z.K., Lee, S.H. and Shieh, S., 2018. Penetration testing in the iot age.
Computer, 51(4), pp.82-85.
Denis, M., Zena, C. and Hayajneh, T., 2016, April. Penetration testing: Concepts, attack
methods, and defense strategies. In 2016 IEEE Long Island Systems, Applications and
Technology Conference (LISAT) (pp. 1-6). IEEE.
Farah, T., Alam, D., Kabir, M.A. and Bhuiyan, T., 2015, October. SQLi penetration testing of
financial Web applications: Investigation of Bangladesh region. In 2015 World Congress on
Internet Security (WorldCIS) (pp. 146-151). IEEE.
Fonseca, J., Vieira, M. and Madeira, H., 2007, December. Testing and comparing web
vulnerability scanning tools for SQL injection and XSS attacks. In 13th Pacific Rim
international symposium on dependable computing (PRDC 2007) (pp. 365-372). IEEE.
Hoffmann, J., 2015, April. Simulated Penetration Testing: From" Dijkstra" to" Turing Test++".
In Twenty-Fifth International Conference on Automated Planning and Scheduling.

14PENETRATION TESTING METHODOLOGIES
Hunziker, K.J., Pang, J., Pereira, M., Melis, M. and Rassaian, M., 2018. NASA ACC high
energy dynamic impact methodology and outcomes. In 2018 AIAA/ASCE/AHS/ASC Structures,
Structural Dynamics, and Materials Conference (p. 1700).
Kim, P., 2018. The Hacker Playbook 3: Practical Guide To Penetration Testing. Independently
published.
Knowles, W., Baron, A. and McGarr, T., 2016. The simulated security assessment ecosystem:
Does penetration testing need standardisation?. Computers & Security, 62, pp.296-316.
Mehta, S., Raj, G. and Singh, D., 2018. Penetration Testing as a Test Phase in Web Service
Testing a Black Box Pen Testing Approach. In Smart Computing and Informatics (pp. 623-635).
Springer, Singapore.
Najera-Gutierrez, G. and Ansari, J.A., 2018. Web Penetration Testing with Kali Linux: Explore
the methods and tools of ethical hacking with Kali Linux. Packt Publishing Ltd.
Najera-Gutierrez, G. and Ansari, J.A., 2018. Web Penetration Testing with Kali Linux: Explore
the methods and tools of ethical hacking with Kali Linux. Packt Publishing Ltd.
Petukhov, A. and Kozlov, D., 2008. Detecting security vulnerabilities in web applications using
dynamic analysis with penetration testing. Computing Systems Lab, Department of Computer
Science, Moscow State University, pp.1-120.
Shah, S. and Mehtre, B.M., 2015. An overview of vulnerability assessment and penetration
testing techniques. Journal of Computer Virology and Hacking Techniques, 11(1), pp.27-49.
Shinde, P.S. and Ardhapurkar, S.B., 2016, February. Cyber security analysis using vulnerability
assessment and penetration testing. In 2016 World Conference on Futuristic Trends in Research
and Innovation for Social Welfare (Startup Conclave) (pp. 1-5). IEEE.

15PENETRATION TESTING METHODOLOGIES
Singh, A., Jaswal, N., Agarwal, M. and Teixeira, D., 2018. Metasploit Penetration Testing
Cookbook: Evade antiviruses, bypass firewalls, and exploit complex environments with the most
widely used penetration testing framework. Packt Publishing Ltd.
Xynos, K., Sutherland, I., Read, H., Everitt, E. and Blyth, A.J., 2010. Penetration testing and
vulnerability assessments: A professional approach.