Modern methods of pentest

In modern conditions of crisis, competing companies use various methods that are aimed to destabilize the functioning of one or another organization. Only by building an accurate comprehensive system of information network security you can counteract such threats.

The procedure for studying and identifying various vulnerabilities in the field of cybersecurity of the organization by modeling the actions of intruders who aim to hack and penetrate the company’s IT infrastructure and services is called the penetration testing (pentest).

Popular techniques of performing a pentest

A pentest includes a specific set of rules, procedures, technologies, and recommendations. When conducting penetration testing, Professional pentesters use international methods that have been adopted in the field of information security, as follows:

• The Open Source Security Testing Methodology Manual (OSSTMM);
• Information System Security Assessment Framework (ISSAF);
• Penetration Testing Execution Standard (PTES);
• NIST Special Publication 800-115 (NIST SP800-115);
• Open Web Application Security Project Testing Guide (OWASP);
• A Penetration Testing Model (BSI);
• Payment Card Industry Data Security Standard (PCI DSS).

Let’s take a closer look at the main methods of assessing the security of information systems.

Pentest performed with the help of the OSSTMM method

OSSTMM is a universal basic standard for penetration testing, through which it is possible to make a clear plan, a scale for evaluating the level of security. Using the Open Source Security Testing Methodology Manual, a pentester is able to assess individually the level of security, taking into account both the industry specifications and technological characteristics of the company. The OSSTMM methodology offers several basic directions for a pentest, as follows:

• human security;
• wireless connection;
• telecommunications;
• data transmission networks.

The test which was performed by using the above mentioned method will be detailed and integrated, and its results will be based on facts.

ISSAF method

ISSAF is one of the most complex, but at the same time the most popular methodologies, which clearly indicates the recommendations for conducting a pentest, describes the utilities and options for their usage in detail, along with the obtained results. While using the Information System Security Assessment Framework methodology, all testing processes are documented.

The Information System Security Assessment Framework method can be adapted for performing a comprehensive information security check of different companies.

PTEST method for assessing the security of information systems

The Penetration Testing Execution Standard methodology contains recommendations for performing a basic pentest, as well as several advanced options for conducting a testing mechanism for the companies that have high requirements for information security. One of the main advantages of the PTES method, in comparison with other approaches, is its ability to define thoroughly the goals, tasks, and expectations of conducting the pentest. In addition, the Penetration Testing Execution Standard has a guidance for performing re-testing, which helps to determine the effectiveness of covering detected vulnerabilities.

The main stages of the PTES method include:

• scanning;
• threat modeling;
• the analysis of vulnerabilities;
• exploiting the vulnerability;
• preparation of the report.

NIST SP800-115

One of the main methods used to check the level of information security of companies is NIST Special Publication 800-115. It describes:

• methods for checking target vulnerabilities;
• safety assessment;
• actions to be conducted, based on the results of testing;
• methods of scanning.

Certified specialists of RoundSec company will conduct independent expert testing of the customer’s IT infrastructure and services for penetration. They will provide a detailed report together with various recommendations on security issues.

Share on social media