One of the crucial factors in the success of a pen-test is the underlying methodology. Lack of a formal methodology means no consistency -- and I am sure -- you don't want to be the one paying and watching the testers poking around cluelessly. While a penetration tester's skills need to be specialized for the job, the approach shouldn't be. In other words, a formal methodology should provide a disciplined framework for conducting a complete and accurate penetration test, but need not be restrictive -- it should allow the tester to fully explore his intuitions.
The Open Source Security Testing Methodology Manual (OSSTMM) by Pete Herzog has become a de-facto methodology for performing penetration testing and obtaining security metrics. According to Pete Herzog, "The primary goal of the OSSTMM is to provide transparency. It provides transparency of those who have inadequate security configurations and policies. It provides transparency of those who perform inadequate security and penetration tests. It provides transparency of the unscrupulous security vendors vying to sponge up every last cent of their prey's already meager security budget; those who would side-step business values with over-hyped threats of legal compliancy, cyber-terrorism, and hackers. The OSSTMM covers the whole process of risk assessment involved in a penetration test, from initial requirements analysis to report generation. The six areas of testing methodology covered are:
- Information security
- Process security
- Internet technology security
- Communications security
- Wireless security
- Physical security
The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.
The National Institute of Standards and Technology (NIST) discusses penetration testing in Special Publication 800-42, Guideline on Network Security Testing. NIST's methodology is less comprehensive than the OSSTMM however it is more likely to be accepted by regulatory agencies.
Another area that requires attention is the penetration testing service provider. One of the biggest fears that every organization faces during a pen-test process is the chance of sensitive information being passed on to the wrong hands. Therefore, it becomes really important to gather as much information about the company (such as their technical abilities, certifications, experiences, methodology and tools employed) and make sure that you are dealing with professionals. In addition, there are several professional and government certifications that indicate the firm's trustworthiness and conformance to industry best practice.
Standards in penetration testing
Let's take a look at some of the standards and guidelines available:
Standards for Information Systems Auditing (ISACA): ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification.
CHECK: The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistent high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. CHECK consultants are only required when the assessment for HMG or related parties, and meets the requirements above. In the absence of other standards, CHECK became the de-facto standard for penetration tests and penetration testing in the UK. Companies belonging to CHECK must have employees that are security cleared and have passed the CESG Hacking Assault Course. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association.
OSSTMM: The aim of The Open Source Security Testing Methodology Manual is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organization concerns, such as the corporate profile of the penetration-testing provider.
OWASP: The Open Web Application Security Project (OWASP) is an open source community project developing software tools and knowledge based documentation that helps people secure Web applications and Web services. OWASP is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of Web applications and Web Services. In short, the Open Web Application Security Project aims to help everyone and anyone build more secure Web applications and Web services.
ConclusionSecurity is continuum, not an absolute. The value of penetration testing lies in its results -- the ones that answer the big question "WHY?" A successful penetration test indicates more than a particular flaw, it identifies the process failures that produced the vulnerability, at the first place. Fixing or patching the vulnerability detected does not mean an end to your security worries or nightmares -- it is just the beginning of a never-ending cycle.
The CRUX: A penetration test does not guarantee absolute security – it's just a measurement of your security posture. So, "never have a false sense of security."
References for this series:
- OSSTMM: The Open Source Security Testing Methodology Manual.
- OWASP: The Open Web Application Security Project.
- CICA ITAC: Ethical Hacking Technique to Assess information Security risk.
- Corsaire: Penetration testing guide.
Puneet Mehta is a Security Architect, at SDG Corporation, an e-security consulting and an e-business software services and solutions firm headquartered in Connecticut.
Puneet is also a valuable member of the expert panel on SearchNetworking.com answering member questions about network security. He has also published several popular articles: