My earlier article, How to plan a penetration test, was discussed across various forums and on my other blog, CISA Made Easy.
In that article I tried to briefly discuss the important considerations when planning a penetration test. During the discussion the question was asked: what are the phases of a penetration test?
After learning the scope of a penetration test, a penetration tester/IS auditor should try to understand the environment in which the pen test is to be performed, which includes:
- Hardware Environment
- Software environment
- Networking and Telecommunication architecture
- Personnel And Governing management
- Third party Vendors & SLAs
- Nature of Organisation and Organisation's Policies and Procedures.
The whole process of penetration testing can be divided into the following phases:
- Information gathering
First, a pen tester/IS auditor should list the details of the information to be gathered. I believe the following information could be crucial:
- Network Topography
- Application/Hardware/System software details
- Related Policy, Procedures and Guideline of the organization
How information can be gathered depends on the assignment. Information can generally be gathered by the following two means:
- External Sources
This may include the Internet and media reports. For example, details of external IP addresses can be gathered through the Internet. A WHOIS search is a good way of collecting many such details.
- Internal Sources
This may include annual reports, policy guidelines, instruction manuals, etc.
Interviewing people can sometimes give the desired results.
- Vulnerability Space definition
Vulnerability space means the list of all possible vulnerabilities. It depends primarily on the nature of the organization and the nature of the platform. For example, the vulnerabilities of a financial firm will differ from those of a manufacturing firm, and the vulnerabilities of a UNIX-based platform will differ from those of a Mac-based platform.
- Vulnerability Impact analysis
Having listed all possible vulnerabilities helps in deciding their impact. This is similar to risk rating the vulnerabilities. It is not practical to pen test every vulnerability, so it is always best to test those that carry the higher risk. Financial considerations may also be useful at times: if the cost of the pen test is much more than the actual loss from the vulnerability, the test may not be required. So the Vulnerability Impact analysis (VIM) is a major step.
- Planning and Method Selection
The steps above guide the proper planning and selection of tests such as port scanning, Denial of Service attacks and others. Various open source tools are available nowadays for these tests, and they may be chosen based on the results of the earlier phases.
- Actual attack
Proper planning will make this step smoother.
- Results and Analysis
This is an important step, and it is here that the experience and expertise of the pen tester are required.
- Reporting
Reporting should be done in a predefined format acceptable to the management of the organization for which the pen test is being performed.
- Follow up
I believe this to be a very important phase. The nature of the follow-up test is decided by the scope of the pen test engagement letter. Follow-up testing, if done, should be followed by compliance reporting to top management.
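The vulnerability impact analysis phase described above can be sketched as a small triage routine. This is an added example, not part of the original article; the likelihood figure, the rating thresholds and the `cost_factor` cut-off standing in for "much more than the actual loss" are assumptions, and the sample entries are constructed.

```python
from dataclasses import dataclass


@dataclass
class Vulnerability:
    name: str
    likelihood: float  # assumed chance of exploitation in a year, 0..1
    loss: float        # estimated loss if exploited (currency units)
    test_cost: float   # estimated cost of pen testing this item

    @property
    def exposure(self) -> float:
        """Risk figure used for ranking: likelihood x loss."""
        return self.likelihood * self.loss


def rate(v: Vulnerability, high: float = 50_000, medium: float = 10_000) -> str:
    """Map exposure to a rating band; the thresholds are assumptions."""
    if v.exposure >= high:
        return "high"
    return "medium" if v.exposure >= medium else "low"


def plan_tests(vulns, cost_factor: float = 2.0):
    """Return (to_test, skipped).

    An item is skipped when testing it costs more than cost_factor times
    the loss it could cause; the rest are ordered highest exposure first.
    """
    to_test, skipped = [], []
    for v in vulns:
        (skipped if v.test_cost > cost_factor * v.loss else to_test).append(v)
    to_test.sort(key=lambda v: v.exposure, reverse=True)
    return to_test, skipped


# Constructed sample vulnerability space (not from any real assessment).
SAMPLE = [
    Vulnerability("Weak password policy on internal HR app", 0.3, 40_000, 5_000),
    Vulnerability("Legacy kiosk with no network access", 0.05, 1_000, 6_000),
    Vulnerability("Unpatched internet-facing web server", 0.6, 200_000, 8_000),
    Vulnerability("Default SNMP community string on branch router", 0.4, 15_000, 2_000),
]

if __name__ == "__main__":
    to_test, skipped = plan_tests(SAMPLE)
    for v in to_test:
        print(f"TEST  {rate(v):6} {v.exposure:>10,.0f}  {v.name}")
    for v in skipped:
        print(f"SKIP  test cost {v.test_cost:,.0f} vs loss {v.loss:,.0f}  {v.name}")
```

The ordered `to_test` list feeds the planning and method selection phase, while the `skipped` list records which items were left out on cost grounds so the decision can be shown in the report.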