- 5th Jun 2019
- 05:53 am
The Penetration Testing Execution Standard (PTES) consists of seven sections covering everything from the initial communication and the reasons behind a pentest, through the threat modelling and intelligence gathering phases, which are intended to increase comprehension of the tested organization, to vulnerability research, exploitation and post-exploitation ("Importance of Reconnaissance in Pentesting | Web Application Security, Open Source Intelligence", 2018). It then moves to reporting, so that customers can make sense of the entire process. Such testing simulates real cyber-attacks, either indirectly or directly, in order to tighten security systems, and in doing so gains access to the company's information assets. The process is not confined to running automated tools; it concludes with the production of reports and the collection of the checks. Overall, PTES is a widely accepted norm and is used to lay down the fundamental principles for conducting penetration tests.
Version 1.0 already exists and a version 2.0 is being considered. The seven steps of PTES are:
Step 1 - Pre-engagement interactions
Step 2 - Intelligence gathering
Step 3 - Threat Modelling
Step 4 - Vulnerability Analysis
Step 5 - Exploitation
Step 6 - Post exploitation
Step 7 - Reporting
Of all the areas of the model, the one found most interesting is intelligence gathering. Although all the steps are important, this one draws particular attention. It is strategic because it forms the basis of the test: it details the thought processes and the goals to be accomplished, and makes it easy for readers to understand how a strategic plan for attacking the target is prepared. It is also the first stage in which actions are planned and taken against the target. Anyone who places importance on cybersecurity must be aware of the information that is known to them and to the business. This understanding reduces the probability of negative events in the future, and in this way the main motive of penetration testing can be achieved through intelligence gathering ("Intelligence Gathering - The Penetration Testing Execution Standard", 2018). The processes and methods employed for intelligence gathering determine the fate of the penetration test. They make it easy to determine the entry points available in the organization, and such entry points can be electronic, physical or human. This helps companies realize how the information they make available can be used by attackers, and it also makes employees aware of information they have placed in public that may have the power to hurt their employers ("Vulnerability Analysis - The Penetration Testing Execution Standard", 2018). So, just as with a building, intelligence gathering is the foundation stone of PTES.
Beyond this, intelligence gathering involves performing reconnaissance against the target to collect as much information as possible, and this information is used when penetrating the target during the exploitation and assessment phases. The more information that can be gathered at this stage, the better the chances of designing more vectors of attack that may be available against the company ("Penetration Testing: Intelligence Gathering", 2018).
This stage also helps to identify the areas that may cause risk; through it, an effort is made to learn more about the organization's security posture and, simply, how the organization can be attacked. The pieces of information obtained during intelligence gathering provide valuable insight into the characteristics a security system must possess. The information can be collected in three ways: active, passive and semi-passive information gathering ("VULNERABILITY ASSESSMENT & PENETRATION TESTING (VAPT)", 2018). These techniques can be used in combination with each other or separately. This covers some aspects of PTES and shows why the intelligence gathering stage is an important part of it. There is no one-stop solution for intelligence gathering, and multiple aids and tools are available for unearthing information. The tools must be used appropriately so that the right information is extracted from them, including seemingly trivial information, as it may have a huge impact on the information and on the analysis.
References
Importance of Reconnaissance in Pentesting | Web Application Security, Open Source Intelligence. (2018). Retrieved from http://octogence.com/blog/reconnaissance/
Intelligence Gathering - The Penetration Testing Execution Standard. (2018). Retrieved from http://www.pentest-standard.org/index.php/Intelligence_Gathering
Penetration Testing: Intelligence Gathering. (2018). Retrieved from https://resources.infosecinstitute.com/penetration-testing-intelligence-gathering/#gref
Vulnerability Analysis - The Penetration Testing Execution Standard. (2018). Retrieved from http://www.pentest-standard.org/index.php/Vulnerability_Analysis
VULNERABILITY ASSESSMENT & PENETRATION TESTING (VAPT). (2018). International Journal Of Recent Trends In Engineering And Research, 4(3), 326-330. doi: 10.23883/ijrter.2018.4135.tru9