Acta Informatica Pragensia 2016, 5(2), 98-117 | DOI: 10.18267/j.aip.886186
PETA: Methodology of Information Systems Security Penetration Testing
- Department of Systems Analysis, Faculty of Informatics and Statistics, University of Economics, Prague, W. Churchill Sq. 4, 130 67 Prague 3, Czech Republic
Current methodologies of information systems penetration testing focus mainly on a high-level and technical description of the testing process. Unfortunately, there is no methodology focused primarily on the management of these tests. This often results in tests that are badly planned and managed, and in the vulnerabilities found being remediated unsystematically. The goal of this article is to present a new methodology called PETA, which is focused mainly on the management of penetration tests. The development of this methodology was based on a comparative analysis of current methodologies. The new methodology incorporates current best practices of IT governance and project management, represented by COBIT and PRINCE2 principles. The presented methodology has been quantitatively evaluated.
Keywords: IT security, Penetration testing, Methodology, IT security audit
Received: March 24, 2016; Revised: October 16, 2016; Accepted: October 22, 2016; Published: December 31, 2016
This is an open access article distributed under the terms of the Creative Commons Attribution 4.0 International License (CC BY 4.0), which permits use, distribution, and reproduction in any medium, provided the original publication is properly cited. No use, distribution or reproduction is permitted which does not comply with these terms.