Acta Informatica Pragensia 2016, 5(2), 98-117 | DOI: 10.18267/j.aip.886249

PETA: Methodology of Information Systems Security Penetration Testing

Tomáš Klíma
Department of Systems Analysis, Faculty of Informatics and Statistics, University of Economics, Prague, W. Churchill Sq. 4, 130 67 Prague 3, Czech Republic

Current methodologies of information systems penetration testing focuses mainly on a high level and technical description of the testing process. Unfortunately, there is no methodology focused primarily on the management of these tests. It often results in a situation when the tests are badly planned, managed and the vulnerabilities found are unsystematically remediated. The goal of this article is to present new methodology called PETA which is focused mainly on the management of penetration tests. Development of this methodology was based on the comparative analysis of current methodologies. New methodology incorporates current best practices of IT governance and project management represented by COBIT and PRINCE2 principles. Presented methodology has been quantitatively evaluated.

Keywords: IT security, Penetration testing, Methodology, IT security audit

Received: March 24, 2016; Revised: October 16, 2016; Accepted: October 22, 2016; Published: December 31, 2016  Show citation

ACS AIP APA ASA Harvard Chicago Chicago Notes IEEE ISO690 MLA NLM Turabian Vancouver
Klíma, T. (2016). PETA: Methodology of Information Systems Security Penetration Testing. Acta Informatica Pragensia5(2), 98-117. doi: 10.18267/j.aip.88
Download citation
  • BibTeX (.bib)
  • Bookends (.ris)
  • EasyBib (.ris)
  • EndNote (.enw)
  • EndNote 8 (.xml)
  • ISI WoS (.isi)
  • Medlars (.medlars)
  • Mendeley (.ris)
  • MODS (.xml)
  • Papers (.ris)
  • RefWorks (.txt)
  • RefManager (.ris)
  • RIS (.ris)
  • MS Word (.xml)
  • Zotero (.ris)
    • Open full article

    References

    1. Alharbi, M. (2010). Writing a Penetration Testing Report. SANS Institute. Retrieved from: http://www.sans.org/reading-room/whitepapers/bestprac/writing-penetration-testing-report-33343
    2. Artzi, S., Kiezun, A., & Dolby, J. (2010). Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking. IEEE Transactions on Software Engineering, 36(4), 474-494. doi: 10.1109/TSE.2010.31 Go to original source...
    3. Bau, J., Butsztein, E., Gupta, D., & Mitchell, J. (2010). State of the Art: Automated Black-Box Web Application Vulnerability Testing. In Proceedings of the IEEE Symposium on Security and Privacy, (pp. 332-345). New York: IEEE. doi: 10.1109/SP.2010.27 Go to original source...
    4. Beznosov, K., & Kruchten, P., Yu, H. (2004). Towards agile security assurance. In Proceedings of the workshop on new security paradigms. New York: ACM Press. doi: 10.1145/1065907.1066034 Go to original source...
    5. Botenau, D. (2011). Penetration Testing: Hacking Made Ethical to Test System Security. Canadian Manager, 36(3), 10-11.
    6. BSI (2008). A penetration testing model. Federal office for information security. Retrieved from: https://www.bsi.bund.de/EN/Publications/publications_node.html
    7. Cache, J., & Liu, V. (2007) Hacking exposed wireless: wireless security secrets & solutions. New York: McGraw-Hill.
    8. CheckPoint (2013). Check Point 2013 security report. Retrieved from: https://www.checkpoint.com/security-report/
    9. CREST (2014a). CBEST Implementation Guide. Retrieved from: http://www.crest-approved.org/wp-content/uploads/CBEST-Implementation-Guide.pdf
    10. CREST (2014b). An introduction to CBEST. Retrieved from: http://www.crest-approved.org/wp-content/uploads/CBEST-OVERVIEW.pdf
    11. Davis, M., & Bodmer, S. (2010). Hacking exposed malware & rootkits: malware & rootkits security secrets & solutions. New York: McGraw-Hill.
    12. Dimov, T. (2009). Two methodologies for physical penetration testing using social engineering. Technical Report TR-CTIT-09-48. Enschede: Centre for Telematics and Information Technology University of Twente.
    13. Doucek, P., Novák, L., Nedomová, L., & Svatá, V. (2011). Řízení bezpečnosti informací. Praha: Professional Publishing.
    14. EC-COUNCIL (2011). Ethical hacking and countermeasures v7.1.
    15. Farmer, D. & Venema, W. (1993). Improving the Security of Your Site by Breaking Into it. Retrieved from: http://www.fish2.com/security/admin-guide-to-cracking.html
    16. Fruhwirt, C., & Mannisto, T. (2009). Improving CVSS-based vulnerability prioritization and response with context information. In Proceedings of the 3rd International Symposium on Empirical Software Engineering and Measurement, (pp. 535-544). New York: IEEE. doi: 10.1109/ESEM.2009.5314230 Go to original source...
    17. Hatch, B. (2008). Hacking exposed Linux: Linux security secrets & solutions. 3rd ed. New York: McGraw-Hill.
    18. Herzog, P. (2006). Open-Source Security Testing Methodology Manual. Catalonia: ISECOM.
    19. Hussain, A. (2003). A Framework for Classifying Denial of Service. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, (pp. 99-110). New York: ACM. doi: 10.1145/863955.863968 Go to original source...
    20. Information security forum (2007). The standard of good practice for information security. London: Information security forum.
    21. ISACA (2004). IS Auditing procedure: Security assessment - penetration testing and vulnerability analysis. Rolling Meadows: ISACA.
    22. ITGI (2007). Cobit 4.1. Rolling Meadows: IT Governance Institute. Go to original source...
    23. ITGI (2008). Aligning CobiT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit. Rolling Meadows: IT Governance Institute.
    24. ITGI (2012). Cobit 5. Rolling Meadows: IT Governance Institute.
    25. Klíma, T. (2010). Wireless networks security assessment. Master's thesis. Prague: University of Economics, Prague.
    26. Klíma, T. (2014). Využití metodiky COBIT 4.1 při penetračním testování bezpečnosti IS. In Sborník prací vědeckého semináře doktorského studia FIS VŠE, (pp. 43-49). Praha: Oeconomica.
    27. Klíma, T. (2015a) Projektové řízení penetračních testů IS. In Sborník prací vědeckého semináře doktorského studia FIS VŠE, (pp. 41-48). Praha: Oeconomica.
    28. Klíma, T. (2015b). Management of information systems penetration tests [presentation]. IT in Central Banks Forum. Serbia.
    29. Klíma, T., & Tománek, M. (2015). Project Management of Complex Penetration Tests. In: Proceedings of the 14th European Conference on Cyber Warfare and Security ECCWS-2015, (pp. 383-388). Reading: ACPI.
    30. Koster, J. (2012). In-house Penetration Testing for PCI DSS. Retrieved from: http://www.sans.org/reading-room/whitepapers/compliance/in-house-penetration-testing-pci-dss-33930
    31. Long, J. (2005). Google hacking. Brno: Zoner Press.
    32. Mahmood, M., Siponen, M., Straub, D., Rao, R. H., & Raghu, T. S. (2010). Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue. MIS Quarterly, 34(3), 431-433. Go to original source...
    33. Manjak, M. (2006). Social Engineering Your Employees to Information Security. SANS Institute. Retrieved from: http://www.sans.org/reading-room/whitepapers/engineering/social-engineering-employees-information-security-1686
    34. Mirkovic, J., & Reiher, P. (2010). A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms. ACM SIGCOMM Computer Communication Review, 34(2), 39-53. doi: 10.1145/997150.997156 Go to original source...
    35. NIST (2008). Technical Guide to Information Security Testing and Assessment: NIST Special Publication 800-115. Gaithersburg: National Institute of Standards and Technology.
    36. NIST (2013). Security and Privacy Controls for Federal Information Systems and Organizations: NIST Special Publication 800 - 53. Gaithersburg: National Institute of Standards and Technology. Retrieved from: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
    37. Northcutt, S. (2006) Penetration Testing: Assessing Your Overall Security Before Attackers Do. SANS Institute. Retrieved from: https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635
    38. Office of Government Commerce (2009) Managing successful projects with Prince2. 5th ed. London: TSO.
    39. OISSG (2006). Information systems security assessment framework. Open information systems security group.
    40. OWASP (2014). OWASP testing guide 4.0. Retrieved from: https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
    41. PCI Security standards council (2008). PCI DSS: Information Supplement: Requirement 11.3 Penetration Testing.
    42. Pereira, T. & Santos, H. (2010). A Conceptual Model Approach to Manage and Audit Information Systems Security. In Proceedings of the 9th European Conference on Information Warfare and Security, (pp. 360-365). Reading: ACPI.
    43. PTES (2015). Penetration Testing Execution Standard. Retrieved from: http://http://www.pentest-standard.org/
    44. Rios, B. (2009). Sun Tzu was a Hacker: An Examination of the Tactics and Operations from a Real World Cyber Attack. Retrieved from: https://ccdcoe.org/publications/virtualbattlefield/10_RIOS_Sun_Tzu_was_a_hacker.pdf
    45. SANS (2010). Penetration testing in the financial services industry. SANS Institute. Retrieved from: https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-financial-services-industry-33314
    46. SANS (2014). The Critical Security Controls for Effective Cyber Defense. SANS Institute. Retrieved from: https://www.sans.org/media/critical-security-controls/CSC-5.pdf
    47. Saran, C. (2004) Companies fail to fix system flaws uncovered by penetration testing. Computer Weekly. Retrieved from: http://www.computerweekly.com/news/2240056864/Companies-fail-to-fix-system-flaws-uncovered-by-penetration-testing
    48. Scambray, J., & McClure, S. (2008) Hacking exposed Windows: Windows security secrets & solutions. 3rd ed. New York: McGraw-Hill.
    49. McClure, S. (2009). Hacking exposed. New York: McGraw-Hill.
    50. McClure, S., Scambray, J., & Kurtz, G. (2012) Hacking exposed 7: network security secrets & solutions. New York: McGraw-Hill Education.
    51. Styles, M., & Trynofas, T. (2009). Using penetration testing feedback to cultivate an atmosphere of proactive security amongst end-users. Information Management & Computer Security. 17(1), 44-52. doi: 10.1108/09685220910944759 Go to original source...
    52. Sommers, J., Yegneswaran, V., & Barford, P. (2004). A framework for malicious workload generation. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement. New York: ACM Press. doi: 10.1145/1028788.1028799 Go to original source...
    53. Suduc, A., Bizoi, M., & Filip, F. (2010) Audit for Information Systems Security. Informatica Economica, 14(1), 43-48. Go to original source...
    54. Swanson, M. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems: NIST Special Publication 800-14. NIST Institute. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf Go to original source...
    55. Veenendaal, V. (2012). Test maturity model integration (TMMi). TMMI Foundation. Retrieved from: http://www.tmmi.org/?q=downloads
    56. Verizon (2013). Data breach investigations report. New York: Verizon.
    57. Verizon (2015). Data breach investigations report. New York: Verizon.
    58. Wai, C. (2002). Conducting a Penetration Test on an Organization. SANS Institute. Retrieved from: http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67

    This is an open access article distributed under the terms of the Creative Commons Attribution 4.0 International License (CC BY 4.0), which permits use, distribution, and reproduction in any medium, provided the original publication is properly cited. No use, distribution or reproduction is permitted which does not comply with these terms.


    Return to the content