Penetration testing is a security assessment method that models an attack by an adversary in order to detect vulnerabilities in a security system. It is one of the most widely used methods today because it gives a fairly accurate assessment of the security of an information system (IS).
Security, together with reliability, stability and performance, is one of the most important indicators of the effectiveness of an IS. IS security describes the relationship between the protection mechanisms currently in place and the risks the system actually faces.
Factors Affecting Information System Security
The security of an information system is affected by three main factors:
- the availability of protection mechanisms and the possibility of their use to counter potential threats;
- the resilience of the existing protection mechanisms, which is assessed by their ability to withstand being broken or bypassed;
- damage resulting from the successful implementation of threats.
However, an accurate assessment of each of these factors is difficult, because neither the damage nor the resilience of protection mechanisms is easy to calculate. When assessing system security, it is necessary to define what state of the system counts as protected. It is important to note here that there are no completely secure systems; instead, in the context of system security, one speaks of degrees of trust in them. To assess the current level of IS protection, it is recommended to conduct an information security audit periodically.
One of the most effective methods of conducting such an audit is penetration testing.
In general, there are six stages of penetration testing, each of which is equally important and depends directly on the others:
- planning and preparation, where agreements are concluded between the parties and a test plan is prepared;
- information gathering, where the network is mapped and active and passive information gathering is carried out;
- vulnerability identification, where the presence of vulnerabilities is determined using automated and specialised tools;
- exploitation (penetration), where it is confirmed that the vulnerabilities found can actually be exploited;
- maintaining access, where an attempt is made to escalate privileges and to install a backdoor, a program that attackers place in the IS after obtaining initial access so that they can re-enter it later;
- reporting, where the pentesters present all the vulnerabilities found, and the options for eliminating them, in a form understandable to the organization's management.
For conducting penetration testing there are methodologies and recommendations that set out the goals and objectives of a pentest in detail. Among the current ones, the following stand out:
- Open Source Security Testing Methodology Manual (OSSTMM)
- NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment (NIST SP 800-115)
- Information Systems Security Assessment Framework (ISSAF)
- Penetration Testing Execution Standard (PTES)
- OWASP Testing Guide
The authors of the NIST guide highlight the most common vulnerabilities identified during the attack phase:
- misconfigurations (for example, insecure default system settings);
- kernel vulnerabilities (critical flaws in the operating system's source code that can compromise the entire system);
- buffer overflows (occur when the size of input data is not checked, which can lead to incorrect program behaviour and to the execution of malicious code with the program's privileges);
- insufficient input validation (the absence of checks on the contents of input strings and files can lead to the execution of malicious commands, for example SQL injection);
- symbolic links (an attacker can trick the system by creating a symbolic link so that file permissions are changed on the files the attacker needs);
- race conditions between processes (an attacker can exploit processes running with a high level of access by changing the order in which they execute and manipulating their results in order to gain that access);
- incorrect file or directory permissions (which lead to various kinds of information leakage).
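As an added example (not from the original article or from NIST), the following Python shows how defensive code can address three items on this list at once: the open refuses symbolic links, it checks ownership and permissions on the descriptor it actually opened rather than on the path (closing the check-then-use race), and it rejects group- or world-writable files. The sample file names and the check_file helper are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added example, not from the original article: one hardened file open that
# covers the NIST items on symbolic links, check-then-use races and incorrect
# permissions. Every check runs on the opened descriptor, never on the path.

def open_trusted_file(path):
    """Return a read-only fd for `path`, or raise PermissionError."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # symlink -> ELOOP
    except OSError as exc:
        raise PermissionError(f"refusing to open {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)           # inspect the object actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path} is owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path} is writable by group or others")
    except Exception:
        os.close(fd)
        raise
    return fd

def check_file(path):
    """Return 'ok' or the rejection reason (usable in a permissions audit)."""
    try:
        fd = open_trusted_file(path)
    except PermissionError as exc:
        return str(exc)
    os.close(fd)
    return "ok"

def classify_constructed_samples():
    """Create constructed sample files in a temp dir and classify each."""
    with tempfile.TemporaryDirectory() as d:
        good, loose, link = (os.path.join(d, n) for n in ("ok.ini", "loose.ini", "link.ini"))
        for p in (good, loose):
            with open(p, "w") as f:
                f.write("[app]\nkey=value\n")
        os.chmod(good, 0o600)
        os.chmod(loose, 0o666)      # world-writable: anyone can tamper
        os.symlink(good, link)      # symlink, even to a good target
        return {"regular 0600": check_file(good),
                "world-writable": check_file(loose),
                "symlink": check_file(link),
                "directory": check_file(d)}
```

Running classify_constructed_samples() on Linux accepts only the 0600 regular file and reports a distinct reason for the symlink, the world-writable file and the directory.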
The Information Systems Security Assessment Framework (ISSAF) penetration testing methodology was developed by OISSG (Open Information Systems Security Group) in 2006. This methodology covers all aspects related to security assessment: from the organizational level (for example, the impact on business and organizational models) to practical techniques (for example, checking the security of passwords, systems, networks).
The Penetration Testing Execution Standard (PTES) was created in 2011 by a group of information security experts from various fields. PTES quickly gained popularity among pentesters because it contains detailed information on most aspects of penetration testing.
PTES consists of seven main sections that cover all aspects of penetration testing:
- pre-engagement interactions, which cover defining the scope of testing, its dates, metrics, the procedure for preparing test documentation and other preliminary matters;
- intelligence gathering, which describes techniques for researching the target so as to collect as much information useful for testing as possible;
- threat modeling, which contains recommendations for building a threat model for the organization;
- vulnerability analysis, which describes the basic principles of vulnerability search in the system;
- exploitation, which describes techniques for gaining access and bypassing defence mechanisms using previously found vulnerabilities;
- post-exploitation, which describes techniques for determining the value of a compromised system and for establishing covert means of interacting with it in the future;
- reporting, which provides the main criteria that are taken into account when compiling the test report.
A brief review of three of the most popular penetration testing methodologies shows that many of their aspects overlap. Despite these overlaps, however, each of them is unique in its own way.