Penetration test is a complex, cyclical process of both identifying and exploiting vulnerabilities in a system.The ultimate goal is to identify and assess the client organization’s risk of exposure.
Penetration Testing Process Phases
For simplicity, we can segment the penetration testing process into three phases:
-
Pre-engagement
During the Pre-engagement phase, the penetration tester and the client must discuss and agree upon a number of legal and technical matters. Usually, the paperwork in which all of these agreements are formalized (in writing) and signed is called the Rules of Engagement, which includes :
-
goal and scope of the engagement
The goal : Why do you want to execute a Penetration test? Got hacked, for PCI DSS compliance validation,..
The Scope: what is allowed to test, any test beyond it could result in criminal charges. -
timeline and milestones
You will need your client to be aware of what will happen, when and where.
When creating a timetable, it should contain at least the following information:
start date, end date, targets, source IP, criticality of test, step in the process.
GANTT chart, although good-looking and professional, will not convey nearly enough information.
Using Excel sheets is good and flexible.
-
liabilities/responsibilities
During a penetration test, things can certainly go wrong, and you
will need to ensure that most of the things that you can anticipate might go wrong, are dealt with in the Pre-engagement phase.
Possible liabilities could be:
You access sensitive data out-of-scope
You accidentally remove data
You accidentally cause unavailability of services
Other catastrophic event with an impact on the organization
Liabilities should be dealt with by an attorney, your lawyer will try to eliminate any accountability on data loss for example.
Responsibilities are:
Keeping the client informed and up to date during your pentest
Keeping reports and collected data in a safe place
Following a code of ethics
Nondisclosure of any information
So you must take care and follow ethics. For example you will
store the reports of your client encrypted and destroy them after you provide them to the client.
A non-disclosure agreement (NDA) is part of any engagement.
For example any new vulnerability will not be disclosed to any third party.
Also An emergency plan is a good idea for both the pentester and the client.
An emergency plan simply involves the following factors:
• The timetable
• The contact in charge of responding to the emergency plan
• The solutions to apply to the issue.
-
allowed techniques
You may need to avoid intrusive techniques that may lead to DoS or data loss.
The following is a list of the most common intrusive techniques:
• Brute force attacks
• Social Engineering
• Data harvesting of temporary internet files and history
• Phishing attacks -
deliverables and expectations
The deliverables of a penetration test are reports or “the report.”
-
Methodologies
A guides to follow for in the pentesting process.
The Penetration Testing Execution Standard (PTES) is an initiative being undertaken by a community of experienced penetration testers to define how penetration tests should be carried out in real-world situations.
http://www.pentest-standard.org
The OWASP Testing guide is also a good example.
-
Reporting
By hiring a penetration tester or a penetration testing firm, a client is usually interest in:
• Knowing the status of the security of the assets in scope
• Knowing what is vulnerable
• Knowing what needs to be fixed first
Report should be:
Exhaustive, Clear, On-time, Good looking, Adherent to client’s goals
Remember : The reporting phase begins the moment you sign the Rules of Engagement with your client; it is great to have it in the
Executive summary section of the report.
Mind mapping tools and spreadsheets are the best two ways to store information with structure and relationships, like: Freemind tool.