Module 1: Penetration Testing Processes
Penetration Testing Life Cycle
1. Performing reconnaissance; 2. Scanning and enumeration; 3. Establishing access; 4. Maintaining access; 5. Reporting. **The key difference is the focus on the documentation of the penetration test: a detailed report of the tests performed and everything that was discovered is important.**
Blue Team
A defensive security team that attempts to close vulnerabilities and stop the red team.
What is a cyber terrorist?
A hacker motivated by religious or political beliefs who wants to create severe disruption or widespread fear.
What is a suicide hacker?
A hacker who is concerned only with taking down the target for a cause.
What is a state-sponsored hacker?
A hacker who works for a government and attempts to gain top-secret information by hacking other governments.
What is a hacktivist?
A hacker whose main purpose is to protest an event or situation and draw attention to their own views and opinions.
Who should be consulted when there are questions or concerns regarding laws and regulations?
A lawyer
Who should be consulted when there is doubt about the course of action to take?
A lawyer
Purple team
A mixture of both red and blue teams.
What is a gray hat hacker?
A skilled hacker who falls in the middle of the white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
What is a white hat hacker?
A skilled hacker who uses skills and knowledge for defensive purposes only. The white hat hacker interacts only with systems for which express access permission has been given.
What is a black hat hacker?
A skilled hacker who uses skills and knowledge for illegal or malicious purposes.
What is an advanced persistent threat?
A stealthy attack that gains access to a network or computer system and remains hidden for an extended period of time. This means that the hacker can keep going back undetected for quite a while.
What is an advanced persistent threat (APT)?
A stealthy computer network attack in which a person or group gains unauthorized access to a network and remains undetected for an extended period.
What is a compliance-based penetration test?
A test performed to ensure that the organization is in compliance with federal laws and regulations.
What is a goal-based penetration test?
A test that focuses on specific and well-defined goals.
What is an objective-based penetration test?
A test that focuses on the overall security of the organization and its data security.
What is a penetration test?
A test to identify vulnerabilities in a system.
What is a white box test?
A test where the tester has full knowledge of the system.
What is a black box test?
A test where the tester has no prior knowledge of the system.
What issues can arise when dealing with third-party systems?
Accidental access to third party's systems and vulnerabilities that can affect the third party.
What should the penetration tester and organization do when faced with different state laws?
Agree on which set of laws to adhere to
What is the Wassenaar Arrangement?
An agreement on export controls for conventional arms and dual-use goods and technologies between 41 countries.
What is a script kiddie?
An extremely unskilled person who uses tools and scripts developed by real hackers.
Red Team
An offensive security team that attempts to discover vulnerabilities in a network or computer system.
What is off-limits to the ethical hacker?
Anything not listed in the Scope of Work document.
Open Source Security Testing Methodology Manual (OSSTMM)
Attempts to create one accepted method for a thorough security test.
What are the four common methods for dealing with risk?
Avoidance: whenever you can avoid a risk, you should. This means performing only actions that are needed, such as collecting only relevant user data. Transference: the process of moving the risk to another entity, such as a third party. Mitigation: this technique is also known as risk reduction. When the risk cannot be avoided or transferred, steps should be taken to reduce the damage that can occur. Acceptance: sometimes the cost to mitigate a risk outweighs the risk's potentially damaging effects. In such cases, the organization will simply accept the risk.
How can ethical scenarios be addressed in penetration testing?
By following established guidelines, obtaining proper permissions, and maintaining open communication with clients.
What does a Master Service Agreement make easier?
Completing future contracts, as most details are already spelled out.
What is the potential impact of unethical penetration testing?
Compromised systems, legal consequences, and damage to reputation.
What issues arose from the 2013 amendment to the Wassenaar Arrangement?
Confusion and issues in the cybersecurity field due to the overlap between penetration testing tools and malicious hacking tools.
Master service agreement (MSA)
Contract governing future actions and services.
Non-disclosure agreement (NDA)
Contract outlining confidentiality during security assessments.
What types of payment cards does PCI-DSS cover?
Debit cards, credit cards, prepaid cards, and others.
Scope of Work (SOW)
Defines exactly what a project will entail. It is also known as a statement of work.
Rules of engagement
Defines how the penetration test will be carried out.
Open Web Application Security Project (OWASP)
Describes techniques for testing the most common web applications and web service security issues.
What is the Scope of Work document?
Detailed document outlining the details of a project.
What does the Scope of Work document include?
Details of system aspects, IP ranges, servers, and applications.
What are some examples of ethical scenarios in penetration testing?
Determining the scope of testing, obtaining proper permissions, and handling sensitive data.
What is one ethical issue that can arise for an ethical hacker?
Different laws in different states
What should the ethical hacker do when they come across data that is not a mandated report?
Disclose it to the client
Permission to test
Document authorizing penetration testing.
What is a risk assessment?
Evaluation of potential risks and vulnerabilities.
What should be done when a change to the scope of work is requested?
Fill out a change order and agree on the additional tasks.
What other details are listed in the Rules of Engagement document?
Handling sensitive data and who to notify in case of issues.
What areas should a risk assessment look at?
High value data, network systems, web applications, online information, and physical security.
What does the Rules of Engagement document define?
How the penetration test will be carried out.
What should the ethical hacker do when they come across child pornography?
Immediately report it
When was SOX enacted?
In 2002.
When was the Wassenaar Arrangement amended to include intrusion software?
In 2013.
Performing reconnaissance
In this phase, the hacker begins gathering information about the target. This can include gathering publicly available information, using social engineering techniques, or even dumpster diving.
Establishing access
In this phase, the hacker uses all the information gathered through reconnaissance and scanning to exploit any vulnerabilities found and gain access.
What is the consequence of not addressing scope creep?
Increased risk of project failure and inefficiency.
National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115)
A guide to the basic technical aspects of conducting information security assessments.
What must be completed and agreed on before a penetration test can begin?
Key documents
Title 18, Chapter 47, Sections 1029 and 1030
Key federal laws on hacking.
Physical security
Measures taken to protect physical assets and facilities.
Maintaining access
Once the hacker has gained access, they can use backdoors, rootkits, or Trojans to establish permanent access to the system.
Who does HIPAA ensure health information is shared with?
Only the patient and medical professionals who need it.
What are some common corporate policies?
Password policies, update frequency, handling sensitive data, and bring your own device (BYOD).
What are some examples of laws and regulations that may require compliance-based penetration tests?
Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), ISO/IEC 27001, Sarbanes-Oxley Act (SOX), Digital Millennium Copyright Act (DMCA), Federal Information Security Standards (FISMA).
Ethical hacking
Perpetrating exploits against a system with the intent to find vulnerabilities so that security weaknesses can be addressed and the system can be made more secure.
BYOD
Policies governing employee-owned devices in an organization.
What does ISO/IEC 27001 define?
Processes and requirements for information security management systems.
Five Phases of Ethical Hacking
Reconnaissance: also known as the preparatory phase, the reconnaissance phase is the phase in which the hacker gathers information about a target before launching an attack. This task is completed in phases prior to exploiting system vulnerabilities. Scanning: in the scanning phase, the hacker identifies a quick way to gain access to the network and look for information. Gain access: hackers gain access to the system, applications, and network, and then escalate user privileges to take control of systems. Maintain access: the hacker continues accessing the organization's systems to launch additional attacks on the network. Cover your tracks: after the hacker gains access, it is necessary to cover evidence of the system having been hacked to avoid being detected by security personnel.
Section 1029
Refers to fraud and related activity with access devices.
Section 1030
Refers to fraud and related activity with computers or network-connected devices.
What is FISMA?
Regulation for handling federal government data and assets.
What is DMCA?
Regulation for protecting copyrighted works.
What is SOX?
Regulation for transparency in corporate governance and financial reporting.
What should a penetration tester do if they come across vulnerabilities in a third-party system?
Report findings to the client and let the client handle the reporting.
What is ISO/IEC 27001?
Requirements for information security management systems.
What should be done with corporate policies during a risk assessment and penetration test?
Review and test them
What are corporate policies?
Rules and regulations defined by the organization
What documents specify what is to be tested in an objective-based penetration test?
Scope of work and rules of engagement.
What is PCI-DSS?
Security standards for handling payment card information.
What are ethical scenarios in penetration testing?
Situations where ethical considerations and decisions need to be made during the testing process.
What considerations need to be made when dealing with cloud-based systems?
Special permission is required from the cloud provider before conducting penetration tests.
What are the characteristics of S.M.A.R.T. goals in a goal-based pentest?
Specific, Measurable, Attainable, Relevant, Timely.
What is HIPAA?
Standards for protecting health information.
What does the Scope of Work document define?
Test's time frame, purpose, and any special considerations.
Black Box
The ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores insider threats.
White Box
The ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.
Gray Box
The ethical hacker is given partial information about the target or network, such as IP configurations or email lists. This test simulates an insider threat.
Clearing tracks
The final step in the hacking process is clearing tracks. The hacker overwrites log files to hide the fact that they were ever there.
Penetration testing
The practice of finding vulnerabilities and risks with the purpose of securing the computer or network system.
Threat Modeling
The process of analyzing the security of the organization and determining security holes.
What is threat modeling?
The process of analyzing the security of the organization and determining security holes.
What can scope creep cause in a project?
The project to go off track and increase time and resource requirements.
What is the purpose of determining tolerance in a risk assessment?
To decide the level of risk the organization is willing to accept.
Why are ethical scenarios important in penetration testing?
To ensure that testing is conducted responsibly and within legal and ethical boundaries.
What is the purpose of a risk assessment?
To identify areas of vulnerability within the organization's network.
What is the role of a penetration tester in ethical scenarios?
To make informed decisions and prioritize the security and privacy of the systems being tested.
What is the purpose of the key documents?
To protect both the organization and the penetration tester
What is the purpose of updating the Wassenaar Arrangement in 2018?
To provide clarity and ease for penetration testers involved in international testing.
What is scope creep in project management?
When the client requests small deviations from the scope of work.
What are the different types of tests defined in the Rules of Engagement document?
White box, gray box, or black box test.
Scanning and enumeration
Scanning is a natural extension of reconnaissance. The hacker uses various tools to gather in-depth information about the network, computer systems, live systems, open ports, and other features. Extracting information such as usernames, computer names, network resources, shares, and services is known as enumeration. Enumeration is a part of the scanning step.