Penetration Testing - Our Methodology
Aura Information Security’s methodology is based on the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP).
We use a combination of commercial scanning applications and the latest open source tools. The open source tools are an important part of the test process because they are freely available and are the same tools today's attackers use to exploit a system.
Whilst running a security test in a live environment is a true reflection of the impact of an attacker penetrating the system, it is Aura's preference to run invasive tests in a staging environment so that components can be tested in isolation. This is because some of the more invasive tools can generate a high network load, slowing the network or even causing a denial of service (DoS). If a staging environment is not possible, care is always taken to minimise disruption; however, this is a somewhat riskier approach.

Planning & Preparation
In order to make the penetration test a success, the following will need to be finalised:
• Scope and objectives
• Communications channels
• Timing and duration of the tests
• Discussion of the tests
• Will staff be notified of the test? (i.e. when testing Intrusion Detection Systems should your support staff be pre-warned?)
• Are the relevant contractual documents in order? e.g. non-disclosure agreements.
Information Gathering & Analysis
The next step is to gather as much information as possible about the targeted systems or networks. You have stated that this will be a “black box” engagement, meaning we will have little or no prior information about the systems. Information gathering is a crucial step in any penetration test.
The results of this stage will include:
• Initial information – search publicly accessible web sites for company information.
• Range – gather the address range for the network.
• Active machines – how many machines are actively running?
• Open ports – these define the possible entry points into a system.
• Fingerprint the OS – scan for the version and patch level of the target systems.
• Services – identify what is running on each open port.
• Create a network map – this helps clarify and visualise the entire network.
Vulnerability Detection
We then determine if vulnerabilities exist on the targeted systems. This is done by running a vulnerability detection tool that contains a database of known exploits.
Searches of online databases are also carried out to identify any exploits of exposed services that may be possible.
The Vulnerability Detection stage can produce a number of false positives, so the tester must then manually verify that these vulnerabilities do in fact exist on the targeted systems.
Penetration Attempt
This is the core part of the security test process, where actual tests are performed.
Every test performed has the following characteristics defined:
• What is classed as success or failure of a test?
e.g. can we access the server? Or can we gain Administrator access?
• What are the possible impacts of a test?
e.g. a test may impact the server’s response time, and therefore will have to be performed out of hours.
• Is the security test performed as an outside test (from the public internet) or as an “insider” attack attempt against the web servers? This point is important, as insider tests exercise the web servers directly, identifying potentially weak systems that are otherwise shielded by the firewalls.
Analysis & Reporting
After conducting all the steps above, the next task is to generate a report for the organisation.
The report delivered at the end of the engagement will include the following:
• Detailed listing of all information gathered during the security testing.
• Summary of all unsuccessful penetration scenarios, describing the measures that are in place that protected the systems.
• Summary of any successful penetration scenarios.
• Detailed listing of all vulnerabilities found including:
- Description of the vulnerability found.
- Impact of the vulnerability.
- Suggestions and techniques to resolve the vulnerability.
• Ongoing recommendations.
Cleaning up
A detailed list of all actions performed during the security test will be kept. This is vital so that any cleaning up of the system (for example, removing test accounts, files or configuration changes introduced during testing) can be done.
Any documentation that is deemed sensitive and confidential will either be returned, destroyed or securely archived.
