This paper covers penetration testing methodology, standards, reporting formats and the comparison of reports. It explains the problems cyber security experts face when carrying out penetration tests and how they currently present their results.
We focus on the penetration testing methodology, the reporting form, and detailed information on how to compare results, together with related work.
2. What is Penetration testing
2Penetration testing reporting and methodology * CEH Materials
3. Why Penetration testing?
• Security Audit: A security audit just checks whether the organization is following a set of standard security policies and procedures
• Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability
• Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in system can be successfully exploited by attackers
4. Audit vs Penetration testing?
Audit
- Check set of standards
- Create report by standards
Penetration testing
- Find vulnerabilities (Foot printing, Exploiting)
- Generate report
5. Types
• Internal, External(1)
• Blackbox, Whitebox(2), Greybox(3)
• Announced, Unannounced(1)
• Passive, Active scans
• Automated, Manual(1)
1. CEH course modules
2. A Penetration Testing Model. Federal Office for Information Security (BSI), Bonn. P14
3. Using w3af to achieve automated penetration testing by live DVD/live USB. P1-2
6. Methodologies
• Planning, Discovery, Exploiting, Reporting*
• Preparation, Anonymity, Foot Printing, Analysis, Exploiting, Reporting, Advisory**
• Preparation, Reconnaissance, Analysis of Information / Risks, Active Intrusion Attempts, Final Analysis / Clean-Up***
• Planning, Discovery, Attack, Reporting****
* A. Bechtsoudis, N. S. Aiming at Higher Network Security Through Extensive Penetration Tests IEEE Latin America Transactions, 2012, 10, 1752 - 1756
** Parvin Ami, A. H. Seven Phrase Penetration Testing Model International Journal of Computer Applications, 2012, 59, 16-20
*** Study A Penetration Testing Model Federal Office for Information Security (BSI), 2003
**** Scarfone, K. A.; Souppaya, M. P.; Cody, A. & Orebaugh, A. D. SP 800-115. Technical Guide to Information Security Testing and Assessment National Institute of Standards and Technology, National Institute of Standards & Technology, 2008
7. Used Methodology
Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.*
---
* SANS Institute, Penetration Testing: Assessing Your Overall Security Before Attackers Do
8. The Problem
× Format: There is no standard format for penetration testing.
× Compare: There is no system for comparing two different reports.
× Systematize: There is no method to help us write reports and generate one.
9. Report format - Styles
• American Psychological Association (APA) Style [1]
• Page design, Document Control, List of Report Content, Executive Summary, Methodology, Detail findings, References, Appendices, Glossary [2]
• A Cover Sheet, The Executive Summary, Summary of Vulnerabilities, Test Team Details, List of the Tools Used, A copy of the original scope of work, The main body of the report, Final delivery [3]
[1] Thomas Wilhelm. Professional Penetration Testing. Syngress, 2009.
[2] Mansour A Alharbi. Writing a penetration testing report. SANS Institute, April 2010.
[3] Mike Sheward. The art of writing penetration test reports. January 2012.
10. Report format – Our Idea
– For top management
• Title page
• Executive Summary
– For technical workers
• Title page
• Executive Summary
• Test Team Details
• Summary of Vulnerabilities
• References
• Glossary
11. Idea
01 Planning
- Penetration tests
02 Foot printing
- Upload scan result
- Send bug
- View results
03 Exploiting
- Send attack result
04 Reporting
- Generate Report
- Compare Reports
12. Site for Penetration testing
www.penteston.com
- Planning
- Foot printing
- Exploiting
- Reporting
13. 01. Planning
01 Test name
02 Scope of Work
03 Contract or NDA
04 Conduct (Whitebox, Greybox, Blackbox)
05 Type (Internal, External, Application-layer, Network-layer)
06 Team detail
14. 02. Foot Printing
Scan report
- Multiple alerts
- From one of scanners
- Upload file
Alert
- Manual send alert
- Detailed information about alert
15. 03. Exploiting
01 Alert Level - Low, Medium or High level of alert
02 Detailed information about alert
16. 04. Reporting & Compare
- Detailed report for developers
- Short key information for managers
- Report for managers
- Archive
- Staff
- For compare reports
- Compare
- Style
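One way the report comparison and the short manager summary described in the Reporting & Compare step could work, added here as an example and not code from the presented site. Matching alerts on (target, title), the field names and the two sample reports are assumptions.

```python
from collections import Counter

LEVELS = ("Low", "Medium", "High")  # alert levels named on the Exploiting slide

def index_alerts(report):
    """Map (target, title) -> level; matching on this key is an assumption."""
    index = {}
    for alert in report["alerts"]:
        if alert["level"] not in LEVELS:
            raise ValueError(f"unknown alert level: {alert['level']!r}")
        index[(alert["target"], alert["title"])] = alert["level"]
    return index

def compare_reports(old, new):
    """Alerts that are new, resolved, or changed level between two tests."""
    before, after = index_alerts(old), index_alerts(new)
    return {
        "new": sorted(k for k in after if k not in before),
        "resolved": sorted(k for k in before if k not in after),
        "changed": sorted((k, before[k], after[k]) for k in after
                          if k in before and before[k] != after[k]),
    }

def manager_summary(report):
    """Short key information for managers: alert counts, High first."""
    counts = Counter(index_alerts(report).values())
    return {level: counts[level] for level in reversed(LEVELS)}

# Constructed sample reports (hypothetical hosts and findings).
REPORT_A = {"test_name": "First test", "alerts": [
    {"target": "app.example.test", "title": "SQL injection in login form", "level": "High"},
    {"target": "app.example.test", "title": "Missing security headers", "level": "Low"},
    {"target": "mail.example.test", "title": "Outdated TLS configuration", "level": "Medium"},
]}
REPORT_B = {"test_name": "Retest", "alerts": [
    {"target": "app.example.test", "title": "Missing security headers", "level": "Low"},
    {"target": "mail.example.test", "title": "Outdated TLS configuration", "level": "High"},
    {"target": "vpn.example.test", "title": "Directory listing enabled", "level": "High"},
]}

if __name__ == "__main__":
    print(compare_reports(REPORT_A, REPORT_B))
    print(manager_summary(REPORT_B))
```

Two reports written by different testers only compare cleanly when finding titles and targets are normalized first, which is the gap the missing standard format leaves.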
17. Future Work
- Open beta testing: In process
- Start analyzing for new features: In process
- Get new features: In process
- Finish small works on project: In process