7COM1068 - Penetration Testing Methodologies Report Analysis
VerifiedAdded on  2023/01/13
|18
|3974
|91
Report
AI Summary
This report explores penetration testing methodologies, beginning with an introduction to computer hacking and its relationship to criminal activity. It differentiates between computer crime and traditional crime, discussing examples of each. The report then delves into the concept of hacking, its various forms, and the skills required. A critical discussion follows, emphasizing that hacking is a skill that can be used for both beneficial and malicious purposes. The report then transitions to penetration testing methodologies, discussing frameworks like ISSAF, OSSTMM, and OWASP. It explains the role of Standard Operating Procedures (SOPs) in penetration testing, outlining steps for intelligence gathering, vulnerability detection, and target exploitation. The report highlights the importance of penetration testing in identifying and mitigating system vulnerabilities, ultimately aiming to improve information security protocols and reduce the risk of cyber attacks.
Running head: PENETRATION TESTING METHODOLOGIES
PENETRATION TESTING METHODOLOGIES
Name of the student:
Name of the University:
Author Note:
PENETRATION TESTING METHODOLOGIES
Name of the student:
Name of the University:
Author Note:
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
1PENETRATION TESTING METHODOLOGIES
Table of Contents
Task 1...............................................................................................................................................2
Introduction......................................................................................................................................2
Discussion........................................................................................................................................2
Computer crime...............................................................................................................................2
Criminal activity..............................................................................................................................3
Hacking............................................................................................................................................4
Critical discussion............................................................................................................................4
References........................................................................................................................................5
Task 2...............................................................................................................................................8
Introduction......................................................................................................................................8
Discussion........................................................................................................................................8
Standard Operating Procedure or SOP:.....................................................................................9
Conclusion.....................................................................................................................................11
References......................................................................................................................................13
Appendix........................................................................................................................................16
Table of Contents
Task 1...............................................................................................................................................2
Introduction......................................................................................................................................2
Discussion........................................................................................................................................2
Computer crime...............................................................................................................................2
Criminal activity..............................................................................................................................3
Hacking............................................................................................................................................4
Critical discussion............................................................................................................................4
References........................................................................................................................................5
Task 2...............................................................................................................................................8
Introduction......................................................................................................................................8
Discussion........................................................................................................................................8
Standard Operating Procedure or SOP:.....................................................................................9
Conclusion.....................................................................................................................................11
References......................................................................................................................................13
Appendix........................................................................................................................................16
2PENETRATION TESTING METHODOLOGIES
Task 1
Introduction
Computer hacking is modifying or doing practice of system or making changes in the
victim system as per the need. Person who perform this task is known as hacker (Lenca and
Haselager, 2016). Practice of such activity cannot be termed directly as illegal hacking, but
harming someone’s system or targeting industry or organization for the illegal demand such as
making effect to their system, asking for payment, taking personal data are such illegal activity
will be termed as hacking crime (Simmons, 2016). Criminal activity is performing task that
violates government law that will be punished by the court act. This paper will discuss for why
hacking is not criminal activity and for this it is very important to first understand what computer
crime is and what criminal activity is and after that there will be detail about hacking, how it
works what are the scope of hacking and what exact objective comes for hacking. After
understanding all these there will be conclusion that why hacking is not criminal activity.
Discussion
Computer crime
Computer crime is another word for cybercrime, Computer crime is an activity taking or
stealing illegally from someone’s computer or individual company information that maybe
private (Wilding, 2017). The performer of this task is termed as hacker. For some cases, hacker or
group of hackers just corrupt the files in the computer or in some cases, it destroys everything
(Zhuo et al, 2017). There are various kind of computer crime and all are having different needs,
demand, objective and different way of performing cybercrime (Söderberg and Delfanti, 2015).
Task 1
Introduction
Computer hacking is modifying or doing practice of system or making changes in the
victim system as per the need. Person who perform this task is known as hacker (Lenca and
Haselager, 2016). Practice of such activity cannot be termed directly as illegal hacking, but
harming someone’s system or targeting industry or organization for the illegal demand such as
making effect to their system, asking for payment, taking personal data are such illegal activity
will be termed as hacking crime (Simmons, 2016). Criminal activity is performing task that
violates government law that will be punished by the court act. This paper will discuss for why
hacking is not criminal activity and for this it is very important to first understand what computer
crime is and what criminal activity is and after that there will be detail about hacking, how it
works what are the scope of hacking and what exact objective comes for hacking. After
understanding all these there will be conclusion that why hacking is not criminal activity.
Discussion
Computer crime
Computer crime is another word for cybercrime, Computer crime is an activity taking or
stealing illegally from someone’s computer or individual company information that maybe
private (Wilding, 2017). The performer of this task is termed as hacker. For some cases, hacker or
group of hackers just corrupt the files in the computer or in some cases, it destroys everything
(Zhuo et al, 2017). There are various kind of computer crime and all are having different needs,
demand, objective and different way of performing cybercrime (Söderberg and Delfanti, 2015).
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
3PENETRATION TESTING METHODOLOGIES
Few of examples are violation of copyright, cracking, malware attack, fraud, identity theft and
scam etc.
Traditional crime Computer crime
1. Traditional crime performed under
the presence of person at the place of
crime (van et al, 2017).
2. Traditional crime examples are theft,
forgery, blackmail etc.
3. Traditional crime do not require
computer or internet connection
1. Cybercrime do not require to be
present at the place of crime
2. Cybercrime examples are hacking,
stealing private data etc.
3. Computer crime requires computer
and internet connection.
Criminal activity
Criminal activity is the violation of law and rules by performing activity, which is against
court rules and regulation (Brown, 2015). Different country has different law and rules against
criminal activity. Criminal activity has various different rules for different activity. For computer
crime also comes under criminal activity as it is also against court rules and laws. There are
exceptions as well for some cases such as for mentally disturb person no penalty should impose.
Few of examples are violation of copyright, cracking, malware attack, fraud, identity theft and
scam etc.
Traditional crime Computer crime
1. Traditional crime performed under
the presence of person at the place of
crime (van et al, 2017).
2. Traditional crime examples are theft,
forgery, blackmail etc.
3. Traditional crime do not require
computer or internet connection
1. Cybercrime do not require to be
present at the place of crime
2. Cybercrime examples are hacking,
stealing private data etc.
3. Computer crime requires computer
and internet connection.
Criminal activity
Criminal activity is the violation of law and rules by performing activity, which is against
court rules and regulation (Brown, 2015). Different country has different law and rules against
criminal activity. Criminal activity has various different rules for different activity. For computer
crime also comes under criminal activity as it is also against court rules and laws. There are
exceptions as well for some cases such as for mentally disturb person no penalty should impose.
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
4PENETRATION TESTING METHODOLOGIES
Mens rea and actus rea are both important for crime that comes to use for law of
countries (Kneer and Bourgeois-Gironde, 2017). Mens rea is the intention of hurting someone that
either of human or animals. Whereas actus rea is proving of criminal act. Both of this two are
very much needed for court rules and regulations (Doleac and Sanders, 2015). These two essential
laws makes court rules balanced for both victim and witness. Criminal activity can be of
cybercrime or the traditional crime both are criminal activity as it has intention of hurting
someone. Some of criminal activities are financial crime, criminal violence, theft etc.
Hacking
Computer hacking is modifying or doing practice of system or making changes in the
victim system as per the need. Person who perform this task is known as hacker. Hacking can be
of learning purpose and may be for some time it has intension of hurting someone or stealing of
data illegally. It is completely unauthorized access of other system. There are various ways of
performing hacking. Cracking password or attacking through network security can both provide
entrance to the system. Insertion of viruses or worm is another dangerous thing using that hacker
can perform task as per the need and type of virus inject in the victim system.
Critical discussion
A cyber-criminal is no less responsible or guilty than a normal criminal. All the above
discussed criminal activities are part of or related to cybercrimes. A cyber-criminal is just like a
normal criminal but the only difference is that unlike a normal criminal he can perform the crime
hidden in his home from a laptop. This type of criminals are even more dangerous as it is
Mens rea and actus rea are both important for crime that comes to use for law of
countries (Kneer and Bourgeois-Gironde, 2017). Mens rea is the intention of hurting someone that
either of human or animals. Whereas actus rea is proving of criminal act. Both of this two are
very much needed for court rules and regulations (Doleac and Sanders, 2015). These two essential
laws makes court rules balanced for both victim and witness. Criminal activity can be of
cybercrime or the traditional crime both are criminal activity as it has intention of hurting
someone. Some of criminal activities are financial crime, criminal violence, theft etc.
Hacking
Computer hacking is modifying or doing practice of system or making changes in the
victim system as per the need. Person who perform this task is known as hacker. Hacking can be
of learning purpose and may be for some time it has intension of hurting someone or stealing of
data illegally. It is completely unauthorized access of other system. There are various ways of
performing hacking. Cracking password or attacking through network security can both provide
entrance to the system. Insertion of viruses or worm is another dangerous thing using that hacker
can perform task as per the need and type of virus inject in the victim system.
Critical discussion
A cyber-criminal is no less responsible or guilty than a normal criminal. All the above
discussed criminal activities are part of or related to cybercrimes. A cyber-criminal is just like a
normal criminal but the only difference is that unlike a normal criminal he can perform the crime
hidden in his home from a laptop. This type of criminals are even more dangerous as it is
5PENETRATION TESTING METHODOLOGIES
extremely difficult to track and arrest them. These kinds of people generally attack high value or
small scale industries to steal their sensitive data and then blackmail them for money.
Due to the vast nature of the internet these types of attacks can happen from anywhere.
The art of hacking is a skill that only select individuals are capable of doing. Hacking requires
very high skills. Hacking can be used both in good ways and bad ways. The major developed
nations recruit hackers in their police academies to prevent and fight against other malicious
hackers. These hackers are people skilled in coding and software intricacies. On the other hand,
there are hackers who are looting banks and other organizations for their own benefits. A person
possessing such skills can use it for either good or bad purposes. It completely depends on the
person and his mindset. So to conclude, hacking is not bad by itself. It is a skill that can be
learned and required high dedication and a lot of knowledge. But how a person uses such a
technology depends on him not on the technology.
References
Acemoglu, D., Malekian, A. and Ozdaglar, A., 2016. Network security and contagion. Journal
of Economic Theory, 166, pp.536-585.
Bastys, I., Piessens, F. and Sabelfeld, A., 2018, October. Prudent design principles for
information flow control. In Proceedings of the 13th Workshop on Programming
Languages and Analysis for Security (pp. 17-23). ACM.
Brown, C.S., 2015. Investigating and prosecuting cyber crime: Forensic dependencies and
barriers to justice. International Journal of Cyber Criminology, 9(1), p.55.
Coeckelbergh, M., 2017. Hacking Technological Practices and the Vulnerability of the Modern
Hero. Foundations of Science, 22(2), pp.357-362.
extremely difficult to track and arrest them. These kinds of people generally attack high value or
small scale industries to steal their sensitive data and then blackmail them for money.
Due to the vast nature of the internet these types of attacks can happen from anywhere.
The art of hacking is a skill that only select individuals are capable of doing. Hacking requires
very high skills. Hacking can be used both in good ways and bad ways. The major developed
nations recruit hackers in their police academies to prevent and fight against other malicious
hackers. These hackers are people skilled in coding and software intricacies. On the other hand,
there are hackers who are looting banks and other organizations for their own benefits. A person
possessing such skills can use it for either good or bad purposes. It completely depends on the
person and his mindset. So to conclude, hacking is not bad by itself. It is a skill that can be
learned and required high dedication and a lot of knowledge. But how a person uses such a
technology depends on him not on the technology.
References
Acemoglu, D., Malekian, A. and Ozdaglar, A., 2016. Network security and contagion. Journal
of Economic Theory, 166, pp.536-585.
Bastys, I., Piessens, F. and Sabelfeld, A., 2018, October. Prudent design principles for
information flow control. In Proceedings of the 13th Workshop on Programming
Languages and Analysis for Security (pp. 17-23). ACM.
Brown, C.S., 2015. Investigating and prosecuting cyber crime: Forensic dependencies and
barriers to justice. International Journal of Cyber Criminology, 9(1), p.55.
Coeckelbergh, M., 2017. Hacking Technological Practices and the Vulnerability of the Modern
Hero. Foundations of Science, 22(2), pp.357-362.
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
6PENETRATION TESTING METHODOLOGIES
Colver, A.L., 2018. CRIME AND PUNISHMENT: AN EXAMINATION OF THE EFFECTS
OF SOCIAL PROMINENCE ON PUNISHMENT SEVERITY.
Doleac, J.L. and Sanders, N.J., 2015. Under the cover of darkness: How ambient light influences
criminal activity. Review of Economics and Statistics, 97(5), pp.1093-1103.
Goldfoot, J. and Bamzai, A., 2016. A Trespass Framework for the Crime of Hacking. Geo.
Wash. L. Rev., 84, p.1477.
He, Z., Cai, Z. and Yu, J., 2018. Latent-data privacy preserving with customized data utility for
social network data. IEEE Transactions on Vehicular Technology, 67(1), pp.665-673.
Ienca, M. and Haselager, P., 2016. Hacking the brain: brain–computer interfacing technology
and the ethics of neurosecurity. Ethics and Information Technology, 18(2), pp.117-129.
Jafarnejad, S., Codeca, L., Bronzi, W., Frank, R. and Engel, T., 2015, December. A car hacking
experiment: When connectivity meets vulnerability. In 2015 IEEE Globecom Workshops
(GC Wkshps) (pp. 1-6). IEEE.
Kneer, M. and Bourgeois-Gironde, S., 2017. Mens rea ascription, expertise and outcome effects:
Professional judges surveyed. Cognition, 169, pp.139-146.
Lind, K. and Kääriäinen, J., 2018. Cheating and stealing to finance gambling: analysis of
screening data from a problem gambling self-help program. Journal of Gambling Issues,
(39).
Nakaya, M., Akagi, S. and Tominaga, H., 2016, November. Implementation and Trial Practices
for Hacking Competition CTF as Introductory Educational Experience for Information
Literacy and Security Learning. In The Fifth International Conference on Informatics
and Applications (ICIA2016) (p. 57).
Colver, A.L., 2018. CRIME AND PUNISHMENT: AN EXAMINATION OF THE EFFECTS
OF SOCIAL PROMINENCE ON PUNISHMENT SEVERITY.
Doleac, J.L. and Sanders, N.J., 2015. Under the cover of darkness: How ambient light influences
criminal activity. Review of Economics and Statistics, 97(5), pp.1093-1103.
Goldfoot, J. and Bamzai, A., 2016. A Trespass Framework for the Crime of Hacking. Geo.
Wash. L. Rev., 84, p.1477.
He, Z., Cai, Z. and Yu, J., 2018. Latent-data privacy preserving with customized data utility for
social network data. IEEE Transactions on Vehicular Technology, 67(1), pp.665-673.
Ienca, M. and Haselager, P., 2016. Hacking the brain: brain–computer interfacing technology
and the ethics of neurosecurity. Ethics and Information Technology, 18(2), pp.117-129.
Jafarnejad, S., Codeca, L., Bronzi, W., Frank, R. and Engel, T., 2015, December. A car hacking
experiment: When connectivity meets vulnerability. In 2015 IEEE Globecom Workshops
(GC Wkshps) (pp. 1-6). IEEE.
Kneer, M. and Bourgeois-Gironde, S., 2017. Mens rea ascription, expertise and outcome effects:
Professional judges surveyed. Cognition, 169, pp.139-146.
Lind, K. and Kääriäinen, J., 2018. Cheating and stealing to finance gambling: analysis of
screening data from a problem gambling self-help program. Journal of Gambling Issues,
(39).
Nakaya, M., Akagi, S. and Tominaga, H., 2016, November. Implementation and Trial Practices
for Hacking Competition CTF as Introductory Educational Experience for Information
Literacy and Security Learning. In The Fifth International Conference on Informatics
and Applications (ICIA2016) (p. 57).
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
7PENETRATION TESTING METHODOLOGIES
Nasution, M.D.T.P., Rossanty, Y., Siahaan, A.P.U. and Aryza, S., 2018. The Phenomenon of
Cyber-Crime and Fraud Victimization in Online Shop. Int. J. Civ. Eng. Technol, 9(6),
pp.1583-1592.
Simmons, R., 2016. The Failure of the Computer Fraud and Abuse Act: Time to Take an
Administrative Approach to Regulating Computer Crime. Geo. Wash. L. Rev., 84,
p.1703.
Söderberg, J. and Delfanti, A., 2015. Hacking hacked! The life cycles of digital
innovation. Science, Technology, & Human Values, 40(5), pp.793-798.
van de Weijer, S.G. and Leukfeldt, E.R., 2017. Big five personality traits of cybercrime
victims. Cyberpsychology, Behavior, and Social Networking, 20(7), pp.407-412.
Wilding, E., 2017. Information risk and security: preventing and investigating workplace
computer crime. Routledge.
Zhang, D., 2018, October. Big data security and privacy protection. In 8th International
Conference on Management and Computer Science (ICMCS 2018). Atlantis Press.
Zhuo, D., Ghobadi, M., Mahajan, R., Förster, K.T., Krishnamurthy, A. and Anderson, T., 2017,
August. Understanding and mitigating packet corruption in data center networks.
In Proceedings of the Conference of the ACM Special Interest Group on Data
Communication (pp. 362-375). ACM.
Nasution, M.D.T.P., Rossanty, Y., Siahaan, A.P.U. and Aryza, S., 2018. The Phenomenon of
Cyber-Crime and Fraud Victimization in Online Shop. Int. J. Civ. Eng. Technol, 9(6),
pp.1583-1592.
Simmons, R., 2016. The Failure of the Computer Fraud and Abuse Act: Time to Take an
Administrative Approach to Regulating Computer Crime. Geo. Wash. L. Rev., 84,
p.1703.
Söderberg, J. and Delfanti, A., 2015. Hacking hacked! The life cycles of digital
innovation. Science, Technology, & Human Values, 40(5), pp.793-798.
van de Weijer, S.G. and Leukfeldt, E.R., 2017. Big five personality traits of cybercrime
victims. Cyberpsychology, Behavior, and Social Networking, 20(7), pp.407-412.
Wilding, E., 2017. Information risk and security: preventing and investigating workplace
computer crime. Routledge.
Zhang, D., 2018, October. Big data security and privacy protection. In 8th International
Conference on Management and Computer Science (ICMCS 2018). Atlantis Press.
Zhuo, D., Ghobadi, M., Mahajan, R., Förster, K.T., Krishnamurthy, A. and Anderson, T., 2017,
August. Understanding and mitigating packet corruption in data center networks.
In Proceedings of the Conference of the ACM Special Interest Group on Data
Communication (pp. 362-375). ACM.
8PENETRATION TESTING METHODOLOGIES
Task 2
Introduction
There has been a massive increase in the amount of cyber-attacks and threats for businesses and
governments in the last 10 years. This has led to the development of many technologies like web
security measures, antiviruses and improved security protocols. There have also been a rise in the
number of cyber security industries and government agencies. Penetration testing is one such
cyber security measure. Penetration helps to test the capability of information security protocols
and precautionary measures from the point of view of the hacker. Penetration testing tries to
detect the vulnerabilities and weaknesses of the target and seal those gaps before a real world
exploit attack can take place. The most important part of penetration testing is to identify a solid
framework or methodology according to the need of the target website or server. The
infrastructure assessment plays a critical role in it. This helps us in testing the effectiveness of
the implemented security measures and protocols. It often acts as a mitigation strategy and helps
reduce the risk of a future attack. A properly designed and executed penetration test can be very
useful to detect flaws in the system and improve them.
Discussion
There are many penetration testing methodologies and frameworks that are used worldwide to
develop security measures. The methodologies are:
Task 2
Introduction
There has been a massive increase in the amount of cyber-attacks and threats for businesses and
governments in the last 10 years. This has led to the development of many technologies like web
security measures, antiviruses and improved security protocols. There have also been a rise in the
number of cyber security industries and government agencies. Penetration testing is one such
cyber security measure. Penetration helps to test the capability of information security protocols
and precautionary measures from the point of view of the hacker. Penetration testing tries to
detect the vulnerabilities and weaknesses of the target and seal those gaps before a real world
exploit attack can take place. The most important part of penetration testing is to identify a solid
framework or methodology according to the need of the target website or server. The
infrastructure assessment plays a critical role in it. This helps us in testing the effectiveness of
the implemented security measures and protocols. It often acts as a mitigation strategy and helps
reduce the risk of a future attack. A properly designed and executed penetration test can be very
useful to detect flaws in the system and improve them.
Discussion
There are many penetration testing methodologies and frameworks that are used worldwide to
develop security measures. The methodologies are:
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
9PENETRATION TESTING METHODOLOGIES
1. ISSAF: It is a peer reviewed, open source, penetration testing framework developed by the
Open Information System Security Group. It is a framework which includes multiple
methodologies and covers all possible types of penetrations tests from start till end.
2. OSSTMM: It is another open source method started in 2000 to test security measures.
Developed by Institute for Security and Open Methodologies, it is a framework that incorporates
different modules and channels. Each of the channel here represents a separate domain.
OSSTMM is an auditing methodology and not a complete, comprehensive one like ISSAF.
However it can be used in corporate office to satisfy regulatory requirements.
3. OWASP: It is a nonprofit methodology designed for improving security of softwares. It
contains many different tools, testing methodologies and guides that can be used for cyber
security with an open license. The OWASP testing guide or OTG is used for testing of websites
and web applications. Therefore, unlike the previous two, OTG is mainly used for developing
security measures for web based applications and systems.
4. Penetration Testing Execution Standard: PTES is another testing standard that can be used
to do many different activities like gathering intellifence, vulnerability analysis, threat detection,
post exploitation, exploitation and reporting. PTES can take advantage of other frameworks
depending on the type of attack. For example, for a web based attack PTES can use OWASP or
OTG for conducting penetration testing.
Standard Operating Procedure or SOP:
The Standard Operating Procedure or SOP is a procedure given to workers from
organizations to conduct daily routine operations. Penetration Testing Execution Standard or
PTES can be effectively used to develop a SOP as it includes all the steps like intelligence
1. ISSAF: It is a peer reviewed, open source, penetration testing framework developed by the
Open Information System Security Group. It is a framework which includes multiple
methodologies and covers all possible types of penetrations tests from start till end.
2. OSSTMM: It is another open source method started in 2000 to test security measures.
Developed by Institute for Security and Open Methodologies, it is a framework that incorporates
different modules and channels. Each of the channel here represents a separate domain.
OSSTMM is an auditing methodology and not a complete, comprehensive one like ISSAF.
However it can be used in corporate office to satisfy regulatory requirements.
3. OWASP: It is a nonprofit methodology designed for improving security of softwares. It
contains many different tools, testing methodologies and guides that can be used for cyber
security with an open license. The OWASP testing guide or OTG is used for testing of websites
and web applications. Therefore, unlike the previous two, OTG is mainly used for developing
security measures for web based applications and systems.
4. Penetration Testing Execution Standard: PTES is another testing standard that can be used
to do many different activities like gathering intellifence, vulnerability analysis, threat detection,
post exploitation, exploitation and reporting. PTES can take advantage of other frameworks
depending on the type of attack. For example, for a web based attack PTES can use OWASP or
OTG for conducting penetration testing.
Standard Operating Procedure or SOP:
The Standard Operating Procedure or SOP is a procedure given to workers from
organizations to conduct daily routine operations. Penetration Testing Execution Standard or
PTES can be effectively used to develop a SOP as it includes all the steps like intelligence
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
10PENETRATION TESTING METHODOLOGIES
gathering, vulnerability detection and target exploitation and post exploitation. The SOP can be
developed by the following steps:
1. Gathering intelligence is an important part of Pentest standard. This task can be divided
into three parts: level 1, level 2 and level 3. In level 1 gathering automated tools can be
used to collect data. In level 2 gathering automated tools and manual analysis both can be
used. In level 3, a lot of manual work and analysis is needed along with the use of
automated tools.
2. Target selection: In this phase the intelligence gathered is analyzed and a suitable target
is selected. The target is selected by carefully considering attacking risks, the length of
time needed for carrying out the attack and considering the end result of the test and the
value of things that can be gained from attacking the target.
3. Vulnerability analysis: In this process the target systems flaws are determined and the
applications segregated than can be used by the attacker. The flaws can be in design or
service misconfiguration. The process of finding a flaw can be of varied length depending
on the complexity of the components. The testing should be done so that it matches with
the in depth requirements. The breadth of the testing must be validated to ensure that the
testing scope is met.
4. Exploitation: The main aim of the phase is to completely focus on establishing access to
the target system to complete the exploit. The security measures to bypass can be
Security Guard, Host Based Intrusion Prevention System, Web Application Firewall or
other measures. The success of the exploitation phase completely depends on the proper
execution of the vulnerability analysis phase. A well planned vulnerability phase will
gathering, vulnerability detection and target exploitation and post exploitation. The SOP can be
developed by the following steps:
1. Gathering intelligence is an important part of Pentest standard. This task can be divided
into three parts: level 1, level 2 and level 3. In level 1 gathering automated tools can be
used to collect data. In level 2 gathering automated tools and manual analysis both can be
used. In level 3, a lot of manual work and analysis is needed along with the use of
automated tools.
2. Target selection: In this phase the intelligence gathered is analyzed and a suitable target
is selected. The target is selected by carefully considering attacking risks, the length of
time needed for carrying out the attack and considering the end result of the test and the
value of things that can be gained from attacking the target.
3. Vulnerability analysis: In this process the target systems flaws are determined and the
applications segregated than can be used by the attacker. The flaws can be in design or
service misconfiguration. The process of finding a flaw can be of varied length depending
on the complexity of the components. The testing should be done so that it matches with
the in depth requirements. The breadth of the testing must be validated to ensure that the
testing scope is met.
4. Exploitation: The main aim of the phase is to completely focus on establishing access to
the target system to complete the exploit. The security measures to bypass can be
Security Guard, Host Based Intrusion Prevention System, Web Application Firewall or
other measures. The success of the exploitation phase completely depends on the proper
execution of the vulnerability analysis phase. A well planned vulnerability phase will
11PENETRATION TESTING METHODOLOGIES
result in a precision attack. The main focus of this attack is to identify the high value
assets and find the main entry point to it.
These steps if followed properly can be used to plan and coordinate a proper penetration test
standard. The test will be able to highlight all the flaws and loopholes in the target system and
possible countermeasures should be implemented to fill up those gaps and improve the system.
Thus, a Standard Operating Procedure or SOP can be ideally used by a security organization to
asses and implement security countermeasure by conducting a PTES test.
Conclusion
From the above discussion it has been found that, hacking is not a crime for learning
purpose. This will provide a detail understanding of how exactly a system works and with having
practical observation it becomes more easy to understand the working of computer network and
behind the scene of computer knowledge. This paper has identified about the criminal activity
and hacking at first then after discussing on this two it has been found that hacking is not crime.
It is dependent on hacker intention as well if the hacker is stealing other computer information
without informing admin of the system and stealing private information of that system it is
crime. Criminal activity has no relation with hacking if the hacking is done for learning purpose
only.
The main four penetration testing methodologies include ISSAF, OWASP, OSSTMM
and PTES. Among these frameworks and methodologies only OWASP can be used to develop
security measures for web based applications. The ISSAF is the only complete framework that
includes almost all the possible methodologies for penetration testing out there. It is also called
the most comprehensive PenTest framework. The PTES is another special framework that can be
result in a precision attack. The main focus of this attack is to identify the high value
assets and find the main entry point to it.
These steps if followed properly can be used to plan and coordinate a proper penetration test
standard. The test will be able to highlight all the flaws and loopholes in the target system and
possible countermeasures should be implemented to fill up those gaps and improve the system.
Thus, a Standard Operating Procedure or SOP can be ideally used by a security organization to
asses and implement security countermeasure by conducting a PTES test.
Conclusion
From the above discussion it has been found that, hacking is not a crime for learning
purpose. This will provide a detail understanding of how exactly a system works and with having
practical observation it becomes more easy to understand the working of computer network and
behind the scene of computer knowledge. This paper has identified about the criminal activity
and hacking at first then after discussing on this two it has been found that hacking is not crime.
It is dependent on hacker intention as well if the hacker is stealing other computer information
without informing admin of the system and stealing private information of that system it is
crime. Criminal activity has no relation with hacking if the hacking is done for learning purpose
only.
The main four penetration testing methodologies include ISSAF, OWASP, OSSTMM
and PTES. Among these frameworks and methodologies only OWASP can be used to develop
security measures for web based applications. The ISSAF is the only complete framework that
includes almost all the possible methodologies for penetration testing out there. It is also called
the most comprehensive PenTest framework. The PTES is another special framework that can be
⊘ This is a preview!⊘
Do you want full access?
Subscribe today to unlock all pages.
Trusted by 1+ million students worldwide
1 out of 18
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
 +13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
Copyright © 2020–2025 A2Z Services. All Rights Reserved. Developed and managed by ZUCOL.