Pen-testing Fundamentals
Pen-testing Ethics
Pentesting is an authorised audit of a computer system's security and defences, as agreed by the owners of the systems.
Companies that provide pentests are held against legal frameworks and industry accreditation.
Rules of Engagement
A document that is created at the initial stages of a penetration testing engagement.
Three sections:
Permission: This section of the document gives explicit permission for the engagement to be carried out.
Test Scope: This section of the document will annotate the specific targets to which the engagement should apply.
Rules: The rules section will define exactly the techniques that are permitted during the engagement.
Pentesting Methodologies
The steps a penetration tester takes during an engagement are known as the methodology.
Stages of pentesting
Information Gathering: This stage involves collecting as much publicly accessible information about a target/organisation as possible, for example, OSINT and research.
Enumeration/Scanning: This stage involves leveraging vulnerabilities discovered on a system or application.
Privilege Escalation: In this stage you try to expand your access.
Post-exploitation: What other hosts can be targeted? What additional information can we gather from the host? Covering your tracks. Reporting.
OSSTMM
The Open Source Security Testing Methodology Manual
Provides a detailed framework for testing
Includes methodology for:
Telecommunications
Wired Networks
Wireless Communications
OWASP
Open Web Application Security Project
Community-driven and frequently updated framework used solely to test the security of web applications and services.
Advantages:
Easy to pick up and understand
Actively maintained and frequently updated
It covers all stages of an engagement
Specialises in web applications and services
Disadvantages:
It may not be clear what type of vulnerabilities a web application has
OWASP does not make suggestions about any software development life cycles
The framework doesn't hold any accreditation such as CHECK
NIST Cybersecurity Framework 1.1
National Institute of Standards and Technology CyberSecurity Framework
Popular for improving an organisation's cybersecurity standards and managing the risks of cyber threats.
Provides guidelines on security controls and benchmarks for success for organisations in critical infrastructure.
NCSC CAF
National Cyber Security Centre Cyber Assessment Framework
The framework applies to organisations considered to perform "vitally important services and activities" such as critical infrastructure, banking, and the likes.
Advantages:
This framework is backed by a government cybersecurity agency.
This framework provides accreditation.
This framework covers fourteen principles which range from security to response.
Disadvantages:
The framework is still new in the industry, meaning that organisations haven't had much time to make the necessary changes to be suitable for it.
The framework is based on principles and ideas and isn't as direct as having rules like some other frameworks.
BLACK BOX, WHITE BOX, GREY BOX TESTING
Black Box Testing: A high-level process where the tester is given no information about the inner workings of the application.
White Box Testing: A low-level process, usually done by a software developer. The tester has full knowledge of the application and its expected behaviour.
Grey Box Testing: The most popular process. A combination of white and black box testing: the tester has limited knowledge of the internal components of the application.
The CIA Triad
Information security model
In use since 1998
Three sections:
Confidentiality
Protection of data from unauthorised access and misuse.
Integrity
Information is kept accurate and consistent unless authorised changes are made.
Availability
Data must be available and accessible by the user.
Principles of Privileges
It is vital to administrate and correctly define the various levels of access to an information technology system that individuals require.
Levels of access are determined by two factors:
Individual's role/function within the organisation
The sensitivity of the information
Two key concepts:
Privileged Identity Management (PIM)
Used to translate a user's role within an organisation into an access role on a system.
Privileged Access Management (PAM)
Management of the privileges a system's access role has
Principle of least privilege
Users should be given the minimum amount of privileges, and only those that are absolutely necessary for them.
Security Models
The Bell-La Padula Model
Definition: Used to achieve confidentiality. Has few assumptions. Works by granting access to a piece of data on a strictly need-to-know basis. Popular with organisations like government and the military, as members of these organisations are vetted.
Advantages:
Policies in this model can be replicated to real-life organisational hierarchies.
Simple to implement and understand, and has been proven to be successful.
Disadvantages:
Even though a user may not have access to an object, they will know about its existence.
The model relies on a large amount of trust within the organisation.
Biba Model
Definition: Equivalent of the Bell-La Padula model but for the integrity part of the CIA triad. This model applies "no write up, no read down".
Advantages:
This model is simple to implement.
Resolves the limitations of the Bell-La Padula model by addressing both confidentiality and data integrity.
Disadvantages:
There will be many levels of access and objects.
Often results in delays within a business.
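An added example (not part of the original notes) that simulates the two models' access rules over a constructed set of classification levels. It assumes the standard Bell-La Padula rules ("no read up, no write down") alongside the Biba rules quoted above, so the mirror relationship between the two models can be checked rather than memorised.

```python
# Added example: Bell-La Padula (confidentiality) vs Biba (integrity) access
# checks. Level names and the sample subjects/objects are constructed here.
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, action: str) -> bool:
    """Bell-La Padula protects confidentiality.
    read  -> 'no read up':    the subject's clearance must dominate the object.
    write -> 'no write down': the object must dominate the subject, so a highly
             cleared user cannot leak data into a lower-classified object."""
    if action == "read":
        return subject >= obj
    if action == "write":
        return subject <= obj
    raise ValueError(f"unknown action: {action}")


def biba_allows(subject: Level, obj: Level, action: str) -> bool:
    """Biba protects integrity and is the mirror image of Bell-La Padula.
    read  -> 'no read down': a trusted subject must not consume data from a
             less trustworthy object.
    write -> 'no write up':  a subject must not modify an object that is more
             trustworthy than itself."""
    if action == "read":
        return subject <= obj
    if action == "write":
        return subject >= obj
    raise ValueError(f"unknown action: {action}")


def access_matrix(policy):
    """Return {(subject, object, action): allowed} for every combination of
    levels, which makes the mirror relationship between the models visible."""
    return {(s.name, o.name, a): policy(s, o, a)
            for s in Level for o in Level for a in ("read", "write")}


if __name__ == "__main__":
    for name, policy in (("Bell-La Padula", blp_allows), ("Biba", biba_allows)):
        print(name)
        for (s, o, a), ok in access_matrix(policy).items():
            if s == "SECRET":
                print(f"  SECRET subject {a:5s} {o:13s} -> {'allow' if ok else 'deny'}")
```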
Threat Modelling and Incident Response
Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation's information technology infrastructure and services.
An effective threat model includes:
Threat Intelligence
Asset Identification
Mitigation Capabilities
Risk Assessment
Frameworks
STRIDE
Spoofing: This principle requires you to authenticate requests and users accessing a system. Spoofing involves a malicious party falsely identifying itself as another. Access keys or signatures via encryption help remediate this threat.
Tampering: By providing anti-tampering measures to a system or application, you help provide integrity to the data. Data that is accessed must be kept integral and accurate.
Repudiation: This principle dictates the use of services such as logging of activity for a system or application to track.
Information Disclosure: Applications or services that handle information of multiple users need to be appropriately configured so that only information relevant to the owner is shown.
Denial of Service: Applications and services use up system resources; these two things should have measures in place so that abuse of the application/service won't result in bringing the whole system down.
Elevation of Privilege: This is the worst-case scenario for an application or service. It means that a user was able to escalate their authorisation to that of a higher level, i.e. an administrator. This scenario often leads to further exploitation or information disclosure.
STRIDE was authored by two Microsoft security researchers in 1999.
PASTA
Process for Attack Simulation and Threat Analysis
A breach of security is known as an incident. Actions taken to resolve and remediate the threat are known as Incident Response.
Incidents are classified using a rating of urgency and impact.
CSIRT (Computer Security Incident Response Team) is a prearranged group of employees with technical knowledge about the system and/or about the current incident.
Phases of incident response
Preparation: Do we have the resources and plans in place to deal with the security incident?
Identification: Have the threat and threat actor been correctly identified?
Containment: Can the threat/security incident be contained?
Eradication: Remove the active threat.
Recovery: Perform a full review of the impacted system.
Lessons Learned: What can be learned from the incident?