Companies are losing a lot of money to data breaches. According to IBM's Cost of a Data Breach Report, the average cost of a breach in 2020 was $3.86 million, and about half of such incidents were caused by malicious attacks.

Penetration testing helps prevent such leaks because it includes, among other things, simulated attacks. A pentest identifies real vulnerabilities in a company's IT infrastructure and lets you estimate the potential damage an intruder could cause.

Professional testers follow specific methodologies and standards adopted in the information security field. The five best-known and most authoritative are OSSTMM, NIST SP 800-115, OWASP, ISSAF and PTES. A penetration test can follow a single methodology, but experienced auditing firms usually combine several. The choice depends on the organization, its business and its information security processes.

Let's look at each of the methodologies in more detail.

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM) is one of the most popular such standards; it is developed by the Institute for Security and Open Methodologies (ISECOM).

The OSSTMM provides a detailed test plan, metrics for quantifying the security level, and guidelines for producing the final report. According to its authors, a test conducted under the OSSTMM is thorough and comprehensive, and its results are measurable and factual.

The methodology divides operational security testing into five channels. Testing by channel helps assess the organization's security comprehensively and simplifies the testing process.

Human security. Security that depends directly on the physical or psychological interaction of people.

Physical security. Any tangible (non-electronic) security element whose operation involves physical or electromechanical action.

Wireless communications. Security of all wireless communications, from Wi-Fi to infrared sensors.

Telecommunications. Analog or digital telephone communications. This mainly concerns telephony and the transmission of service data over telephone lines.

Data networks. Security of internal and external corporate networks, Internet connections and network equipment.

OSSTMM is a universal standard in the sense that it can serve as the baseline guideline for any penetration test. With OSSTMM, a pentester can tailor the security assessment to each company, taking into account its business processes and its technological and industry specifics.

NIST SP800-115

The NIST Special Publication 800 series is a family of information security documents published by the National Institute of Standards and Technology. SP 800-115, the Technical Guide to Information Security Testing and Assessment, describes the technical side of assessing an organization's security posture: how to plan and conduct penetration testing, how to analyze the results, and how to develop risk-mitigation measures. The document places considerable emphasis on mitigating the risks of cyberattacks.

NIST SP 800-115 is a technical guide that can be used to validate the security posture of organizations in a variety of industries, including financial and IT companies. It is one of the standard pentesting methodologies that professional auditing firms rely on.

The standard, among other things, describes:

  • Review techniques: documentation review, log review, ruleset review, system configuration review, network sniffing and file integrity checking.
  • Target vulnerability validation techniques: password cracking, social engineering and penetration testing.
  • Planning and executing the assessment: coordination, data handling, analysis and assessment.
  • Post-testing activities: risk-mitigation recommendations, reporting and remediation of vulnerabilities.
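As an added illustration of one of the review techniques listed above (file integrity checking), here is a minimal baseline-and-compare checker in Python. It is example code written for this article, not a tool from NIST SP 800-115 or from any of the standards discussed; the directory tree, file names and file contents it builds in `demo()` are constructed sample data.

```python
# Minimal file-integrity checker illustrating the "file integrity checking"
# review technique listed in NIST SP 800-115. Added example, not NIST code;
# the directory tree built in demo() is constructed sample data.
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits for every regular file under root.

    Symlinks are skipped so that a link pointing outside the tree cannot be
    used to hide or substitute content. Keys are POSIX-style relative paths.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o777,
        }
    return baseline


def compare_baseline(baseline, current):
    """Diff two baselines into added, removed, modified and permission-changed files."""
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"])
    # A permission change on a file whose content is unchanged is reported
    # separately; a content change already implies the file must be reviewed.
    perm_changed = sorted(
        p for p in common
        if baseline[p]["mode"] != current[p]["mode"] and p not in modified
    )
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": modified,
        "permission_changed": perm_changed,
    }


def demo():
    """Build a constructed sample tree, take a baseline, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        passwd = root / "etc" / "passwd"
        sshd_config = root / "etc" / "sshd_config"
        ls = root / "bin" / "ls"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        sshd_config.write_text("PermitRootLogin no\n")
        ls.write_bytes(b"\x7fELF constructed fake binary")
        os.chmod(passwd, 0o644)
        os.chmod(ls, 0o755)

        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        sshd_config.write_text("PermitRootLogin yes\n")                      # content change
        (root / "etc" / "shadow").write_text("root:!:19000:0:99999:7:::\n")  # new file
        ls.unlink()                                                           # deleted file
        os.chmod(passwd, 0o666)                                               # permission change only

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real assessment the baseline is stored out of reach of the host being checked (for example, signed and kept on the assessor's machine), because an attacker with write access to the baseline can simply rehash their own changes; the example keeps it in memory only to stay self-contained. Permission bits are compared separately from content because a world-writable `/etc/passwd` is a finding even when its contents have not changed.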

OWASP

The Open Web Application Security Project (OWASP) is an open online community that offers one of the most comprehensive methodologies for testing applications, websites and APIs. The OWASP documentation is useful for any IT company interested in building secure software.

OWASP has released several documents and guides.

OWASP Top 10. A document describing the most common and critical web application vulnerabilities; separate Top 10 lists exist for mobile applications, IoT devices and APIs. Entries are ranked by prevalence, exploitability and business impact.

Testing Guide (OWASP Web Security Testing Guide). Contains a set of web application security testing techniques, along with case studies.

Developer Guide (OWASP Developer Guide). Guidelines for writing secure and reliable code.

Code Review Guide (OWASP Code Review Guide). Can be used by web developers as well as product managers; it describes effective methods for reviewing the security of existing code.

One of the main advantages of OWASP is that its methodology describes testing at every stage of the application development life cycle: requirements definition, design, development, deployment and maintenance. Not only the applications themselves are tested, but also the technologies, processes and people behind them.

The second important advantage: OWASP materials can be used by both pentesters and web developers.

The OWASP community has also released a cross-platform automated testing tool, OWASP ZAP (Zed Attack Proxy), an intercepting proxy and scanner somewhat similar to Burp Suite.

ISSAF

The Information System Security Assessment Framework (ISSAF) was developed by the Open Information Systems Security Group (OISSG). The document covers a wide range of information security topics and provides detailed guidelines for penetration testing. It describes the tools that can be used in a penetration test, gives instructions on how to use them, and explains in detail what results can be expected and under what parameters.

ISSAF is considered a fairly complex and detailed methodology that can be adapted to audit the information security of any organization. Each testing step is carefully documented, and specific tools are recommended for each stage.

The ISSAF methodology prescribes a strict sequence of steps to simulate an attack:

  • information gathering;
  • network mapping;
  • vulnerability identification;
  • penetration;
  • gaining access and escalating privileges;
  • maintaining access;
  • compromising remote users and sites;
  • covering tracks.

PTES

The Penetration Testing Execution Standard (PTES) offers guidelines for a baseline penetration test, as well as several advanced testing options for organizations with increased security requirements. One of the benefits of PTES is that it describes in detail the goals of a pentest and what the client should expect from it.

Main stages of PTES:

  • Pre-engagement interactions. The scope, rules of engagement and goals of the test are agreed with the client.
  • Intelligence gathering. The organization provides the tester with general information about the targets in its IT infrastructure; the tester collects additional information from publicly available sources.
  • Threat modeling. Priority areas and attack vectors are identified, taking into account business processes and critical IT assets.
  • Vulnerability analysis. The tester identifies vulnerabilities and assesses the risks associated with them, covering every weakness an attacker could exploit.
  • Exploitation. The tester attempts to use the discovered vulnerabilities to simulate an attacker's actions and gain control over elements of the information system.
  • Post-exploitation. The tester determines the value of the compromised systems and the further access they provide, staying within the agreed scope.
  • Reporting. A well-documented result of the penetration test with information on the discovered vulnerabilities, their criticality to the business and recommendations for remediation.

PTES also provides guidance on retesting after remediation, which shows how effectively the identified vulnerabilities were closed.

Conclusion

Experienced testers, even when following a single methodology, strive to cover the full range of threats to the organization. Technical, organizational and legal risks are taken into account: the tester excludes actions that could pose a real threat to the company. A pentest differs from a hacker's actions primarily in that the tester fully controls the degree of impact on the client's infrastructure.

For any company it is important to find and fix a vulnerability as early as possible: among other things, the amount of damage an attacker can cause depends on how long the vulnerability stays open. In this sense, simulating an attack with a penetration test is like a military exercise: it is how the company keeps itself in a state of "combat readiness".