Pen Testing 1
Standard Operating Procedure and Attack Tree for Pen Testing
By
(Student’s Name)
Tutor’s Name
Institution Affiliation
City/State
Due Date
Background and Context
In today's world, where many organisations operate digitally or online, penetration testing is
essential. Many companies have moved their internal processes and corporate operations online,
possibly to boost productivity and effectiveness. As a result, hackers frequently target these
corporations, as is clear from IBM's report on data breach security (2021): incidents now cost
more money and are more difficult to contain. Cybersecurity experts develop tools and approaches
with the goal of reducing the number of attacks. One such approach is penetration testing, whose
procedures were developed primarily to assess a system's overall security and find any holes that
hackers could exploit (Das, 2019). The following are the three main types of penetration testing.
Black Box Testing: In this approach the testers have no prior knowledge of the target. The
behaviour of the system as observed from the outside is the main focus of the penetration test,
and the penetration tester will often build a network map from these observations. Because
testers and developers work independently, this testing technique is objective (Hamilton, 2019).
Users, not developers, undertake this type of testing. Test cases can be difficult to create
without technical specifications, and because testing every input stream takes a long time,
numerous input channels may go untested.
White Box Testing: This method is also used to test software for errors. The testing team
understands the application's internal structure, so it can verify software components and find
security vulnerabilities. Error detection, input path improvement, and code optimisation are the
main benefits. White box testing, although vital, takes time, and professional expertise is
needed to understand a program's inner workings.
Grey Box Testing: This combines white-box and black-box testing, so the testing team has only a
partial understanding of the system's structure (Hamilton, 2019). The testing group usually has
the same level of system access as other users. The benefit is that systems are evaluated from
the users' perspective. It favours neither testers nor developers, so it does not cause conflict
between them. Its drawback is that it is hard to find bugs in distributed systems and to generate
adequate test cases for them.
A penetration test's planning phase involves an in-depth investigation of the system's current
status and the best strategy to address the problem. An effective penetration test begins with
choosing the optimal strategy and methodology (Moradov, 2021). A SOP and a decision/attack
tree are needed to standardise testing and quality control. During security test preparation, the
requesting entity negotiates the ground rules and the scope of the test.
This report will outline effective penetration testing methodologies for external attacks,
analyse them, and rate them on a scale of effectiveness. Given the tester's lack of familiarity with
the system and the fact that the only guide provided is an IP address, black box testing seems
like the best option. It is crucial to determine the type of test to be conducted so that a
corresponding standard operating procedure (SOP) can be written, the proper penetration testing
methodology can be chosen, and an attack/decision tree can be constructed.
Penetration Testing
Penetration testing evaluates security from a hacker's perspective (Core Security, 2019).
Businesses use penetration testing to prevent attacks on their systems and resources, and it
finds and assesses network security problems before they can be exploited. Before accessing a
system's architecture, security professionals perform a series of tests that exploit system
vulnerabilities by simulating a real attack (Scarfone et al., 2016). Data and infrastructure
protection need a well-defined method; failure to adopt well-crafted approaches gives
corporations a false sense of security. The report covers OSSTMM, OWASP, and the Penetration
Testing Execution Standard (PTES).
Open-Source Security Testing Methodology Manual (OSSTMM)
The Open-Source Security Testing Methodology Manual was developed for black box testing
(Rounsavall, 2017). Today, OSSTMM is frequently used for network security. This methodology
uses scientific methods to classify security controls, and these strategies improve the
business's efficiency and cost control. Scope, Channels, Indexes, and Vectors are the
technique's four essential components. Scope describes gathering information about the target's
surroundings. Channel explains the interactions within the testing environment and selects a
specific set of security characteristics to analyse and specify throughout the evaluation phase
(Packethub).
The main advantages of the OSSTMM methodology are:
OSSTMM reduces false positives and false negatives, giving more accurate security
measurements.
The framework is easily adaptable to different testing methods: vulnerability assessments,
white-box, black-box, and grey-box testing.
The method ensures thorough, trustworthy, and quantitative security evaluations.
OSSTMM keeps up with trends, security threats, and ethics.
However, this method also has drawbacks. OSSTMM is limited because it is used for auditing, and
it provides no tools or approaches for competing modules. Security experts may also need
specific skills to complete each phase efficiently.
Open Web Application Security Project (OWASP)
OWASP is a non-profit organisation that primarily focuses on improving the security of online
software (Agus et al., 2019). It offers numerous tools, resources and guidelines, including
open-source licences and the OWASP testing guide. OWASP provides a comprehensive list of web
application vulnerability categories and recommendations on how to mitigate or patch them, to
help businesses defend their external and internal web-based applications.
Advantages
Makes systems more resilient to faults and malfunctions.
Enhances the level of encryption.
Raises the likelihood that an application will succeed.
Enhances the reputation of the software development company.
Disadvantages
It can take a lot of time.
There isn't always support material.
For it to be successful, it needs a lot of human thought and expertise.
Penetration Testing Execution Standard (PTES)
PTES is a penetration testing method designed by a group of information security professionals
to meet the need for an extensive and current penetration testing standard (GeeksforGeeks, 2019).
It helps security specialists and organisations define and negotiate successful projects by
educating them about penetration tests. The Penetration Testing Execution Standard provides a
complete penetration testing platform and is meant to streamline testing and reporting. The PTES
standard consists of seven phases: planning, gathering information, threat analysis,
vulnerability assessment, post-exploitation and reporting.
Advantages
It contributes to thorough protection.
It is open source and free.
It promotes process uniformity.
PTES helps testers choose the best penetration testing method for their organisation. It can be
used alone or with other tests.
Standard Operating Procedure PTES for a Pen Test
A Standard Operating Procedure (SOP) for a pen test is a formal document that details the steps
a pen tester must take. It entails writing a set of instructions; in this instance, the SOP is
written using Penetration Testing Execution Standard approaches (Vigzy, 2021). The PTES standard
operating procedure is broken down into the following phases.
Decision Tree Analysis for Penetration Testing
An attack tree is a visual depiction of the sequence of events that takes place during an attack;
here, however, we will be creating our own decision tree analysis for a penetration test.
NIST Decision Tree Analysis
The NIST methodology, which aims to offer a pictorial depiction of the processes the tester must
follow to conduct a pen test, serves as the illustration for this attack tree.
1. Planning - the process of deciding which pen-testing tasks need to be completed, i.e. what
equipment/software is required.
2. Discovery - gathering the data needed to carry out the following stage.
3. Attack - using the strategy and data gathered in the earlier phases, the pen tester conducts
the penetration test.
4. Reporting - constructing a test report from the data produced at each stage of the NIST
decision tree.
Developing a Decision Tree Analysis
The attack tree was established and then developed from the NIST example, as shown in the
figure below.
It can be assumed that an IP address was given during the planning phase. In the Discovery phase
the IP address is used to learn more about the target. If any further flaws are discovered during
the Attack phase, they are logged back into the Discovery phase, and the Discovery and Attack
phases alternate until none are discovered. The final section of the report contains all the
statistics and information acquired during the various stages of this extended NIST decision
tree analysis.
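The Discovery/Attack loop described above can be written down as a small workflow model, which makes the stopping condition and the scope rule explicit. The Python program below is an added example and is not part of this report or of the NIST guide; the phase behaviours, the network inventory and the IP addresses (taken from the TEST-NET documentation ranges) are constructed for the simulation and describe no real system or tool. It also applies the ground rules negotiated at planning (a scope in CIDR form), so a lead outside the agreed range is recorded but never followed, which the report's own description leaves implicit.

```python
"""Workflow model of the four-phase NIST-style decision tree.

Added example, not part of the original report. Planning fixes the scope and
tooling, Discovery gathers data about each queued asset, Attack evaluates the
discovered data, and every new lead found during Attack is logged back into
Discovery until a pass of Attack yields nothing new; Reporting then collects
everything. The inventory, phase behaviours and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Phase(Enum):
    PLANNING = "Planning"
    DISCOVERY = "Discovery"
    ATTACK = "Attack"
    REPORTING = "Reporting"


# Phase behaviours are injected so the engine itself stays tool-agnostic.
DiscoverFn = Callable[[str], List[str]]                                  # asset -> facts learned
AttackFn = Callable[[str, List[str]], List[Tuple[str, Optional[str]]]]  # -> [(issue, new lead)]


@dataclass
class Engagement:
    scope: ipaddress.IPv4Network                                   # ground rules agreed at Planning
    tools: List[str]                                               # equipment/software chosen at Planning
    discovered: Dict[str, List[str]] = field(default_factory=dict) # asset -> facts from Discovery
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (asset, issue) logged in Attack
    out_of_scope: List[str] = field(default_factory=list)          # leads deliberately not followed
    phase_log: List[Phase] = field(default_factory=list)           # order in which phases ran


def run_engagement(seed_ip: str, scope_cidr: str, tools: List[str],
                   discover: DiscoverFn, attack: AttackFn) -> Engagement:
    """Drive the four phases, looping Discovery/Attack until no new in-scope leads."""
    # 1. Planning: the only input is an IP address plus the agreed scope and tools.
    eng = Engagement(scope=ipaddress.ip_network(scope_cidr), tools=list(tools))
    eng.phase_log.append(Phase.PLANNING)
    queue: List[str] = [seed_ip]
    attacked: set = set()

    while queue:
        # 2. Discovery: learn about every queued asset not yet examined.
        eng.phase_log.append(Phase.DISCOVERY)
        for asset in queue:
            if asset not in eng.discovered:
                eng.discovered[asset] = discover(asset)
        queue = []

        # 3. Attack: evaluate each discovered asset once; new leads go back to Discovery.
        eng.phase_log.append(Phase.ATTACK)
        for asset, facts in list(eng.discovered.items()):
            if asset in attacked:
                continue
            attacked.add(asset)
            for issue, lead in attack(asset, facts):
                eng.findings.append((asset, issue))
                if lead is None or lead in eng.discovered:
                    continue
                if ipaddress.ip_address(lead) in eng.scope:
                    queue.append(lead)             # logged into Discovery for the next pass
                else:
                    eng.out_of_scope.append(lead)  # outside the negotiated ground rules

    # 4. Reporting: everything gathered across the phases is summarised.
    eng.phase_log.append(Phase.REPORTING)
    return eng


def build_report(eng: Engagement) -> Dict[str, object]:
    """Flatten the engagement into the statistics a report section would carry."""
    return {
        "assets_examined": sorted(eng.discovered),
        "finding_count": len(eng.findings),
        "findings": sorted(eng.findings),
        "leads_not_followed": sorted(eng.out_of_scope),
        "discovery_passes": eng.phase_log.count(Phase.DISCOVERY),
    }


# Constructed inventory for the simulation (TEST-NET addresses, not real hosts).
SIMULATED_NETWORK = {
    "203.0.113.10": {"facts": ["tcp/80 open", "tcp/22 open"],
                     "issues": [("web server reports an unsupported version", "203.0.113.11"),
                                ("page references a host outside the agreed range", "198.51.100.5")]},
    "203.0.113.11": {"facts": ["tcp/3306 open"],
                     "issues": [("database port reachable from the web tier", None)]},
}


def simulated_discover(asset: str) -> List[str]:
    """Stand-in for the Discovery phase: return the constructed facts for an asset."""
    return list(SIMULATED_NETWORK.get(asset, {}).get("facts", []))


def simulated_attack(asset: str, facts: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Stand-in for the Attack phase: assets with no discovered facts yield nothing."""
    return list(SIMULATED_NETWORK.get(asset, {}).get("issues", [])) if facts else []


if __name__ == "__main__":
    result = run_engagement("203.0.113.10", "203.0.113.0/24", ["port scanner", "web proxy"],
                            simulated_discover, simulated_attack)
    print([p.value for p in result.phase_log])
    print(build_report(result))
```

Running the simulation from the single seed address produces the phase sequence Planning, Discovery, Attack, Discovery, Attack, Reporting: the first Attack pass yields an in-scope lead, which triggers a second Discovery pass, while the out-of-scope lead is only recorded. Replacing `simulated_discover` and `simulated_attack` with functions that wrap the tools chosen at Planning leaves the loop and the reporting logic unchanged.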
Reference List
Agus, I., Pratama, E., Bagus, A. and Wiradarma, A. (2019). Computer Network and Information
Security. Computer Network and Information Security, [online] 7, pp.8–12.
doi:10.5815/ijcnis.2019.07.02.
Core Security (2019). Penetration testing for IT infrastructure. [online] Core Security. Available
at: https://www.coresecurity.com/penetration-testing.
Das, R. (2019). The Types of Penetration Testing [Updated 2019]. [online] Infosec Resources.
Available at: https://resources.infosecinstitute.com/topic/the-types-of-penetration-testing/.
GeeksforGeeks (2019). Penetration Testing Execution Standard (PTES). [online] GeeksforGeeks.
Available at: https://www.geeksforgeeks.org/penetration-testing-execution-standard-ptes/.
Hamilton, T. (2019). What is BLACK Box Testing? Techniques, Example & Types. [online]
Guru99.com. Available at: https://www.guru99.com/black-box-testing.html.
Moradov, O. (2021). Security Testing: Types, Tools, and Best Practices. [online] Bright Security.
Available at: https://brightsec.com/blog/security-testing/.
Rounsavall, R. (2017). Open-Source Security Testing Methodology Manual - an overview |
ScienceDirect Topics. [online] Sciencedirect.com. Available at:
https://www.sciencedirect.com/topics/computer-science/open-source-security-testing-methodology-manual.
Scarfone, K., Souppaya, M., Cody, A. and Orebaugh, A. (2016). Special Publication 800-115
Technical Guide to Information Security Testing and Assessment: Recommendations of
the National Institute of Standards and Technology. [online] Available at:
https://www.govinfo.gov/content/pkg/GOVPUB-C13-894df23cbad6ad74af7d49c17b081dd1/pdf/GOVPUB-C13-894df23cbad6ad74af7d49c17b081dd1.pdf.
Vigzy (2021). Penetration Test. [online] vgizy notes. Available at:
http://www.vgizy.com/penetration-test/ [Accessed 27 Nov. 2022].