Data breaches result in significant financial losses for companies. According to IBM, the average damage from data breaches in 2020 amounted to $3.86 million. Half of these incidents were caused by cyber attacks.
Companies can prevent data breaches by performing penetration testing, because it includes attack simulation on top of other techniques. Penetration testing (pentest) lets businesses identify existing vulnerabilities in their IT infrastructure and assess potential damage that could be caused by an attack.
Professional penetration testers follow industry-approved methodologies and standards. The five most popular and well-regarded ones are the OSSTMM, the NIST SP800-115, the OWASP, the ISSAF, and the PTES. While any one of these is technically enough to conduct a pentest, veteran audit companies prefer to use several at once. The exact choice depends on the specifics of the company being audited, such as its business and information security processes.
Let’s take a closer look at each of the 5 methodologies and standards.
OSSTMM
The Open Source Security Testing Methodology Manual (OSSTMM) is one of the most popular testing standards. It was developed by the Institute for Security and Open Methodologies (ISECOM).
The OSSTMM offers a detailed testing plan, metrics for assessing the current security level, and recommendations for writing a final report. OSSTMM creators guarantee that any test performed according to the OSSTMM will be detailed and comprehensive, and its results will be measurable and fact-based.
The OSSTMM proposes five main channels, or directions, for testing operational security. Breaking it down into channels makes testing easier and lets testers assess the security level of a company in a more comprehensive manner.
- Human security. The security aspect that deals with direct physical or psychological interactions between people.
- Physical security. Any material (non-electronic) element of security that is operated physically or electromechanically.
- Wireless communications. The security of all wireless communications and devices, from Wi-Fi to infrared sensors.
- Telecommunications. Analog and/or digital telecommunications. This channel mostly concerns telephony and the transmission of internal information over telephone lines.
- Data networks. The security of internal and external corporate networks, Internet connections, and networking devices.
The OSSTMM is a universal standard, meaning it can provide a basis for performing any penetration test. Testers can rely on OSSTMM guidelines when tailoring the security assessment process to a specific client, so that its business processes as well as technology and industry specifics are taken into account.
NIST SP800-115
NIST Special Publications 800 Series is an information security standard developed by the National Institute of Standards and Technology. The SP 800-115 special publication describes the general penetration testing procedure and the technical aspects of assessing the information security level of a company. It also provides recommendations for analyzing the test results and developing measures to reduce security risks. The latest version of this document focuses specifically on reducing cyber attack risks.
The NIST SP800-115 is a technical guide that can be used for assessing information security in companies in different industries, including finance and IT. Using this pentest methodology is considered mandatory by professional auditing companies.
The NIST SP800-115 includes, among other things:
- inspection methods — reviewing documentation, logs, rulesets, and system configurations, sniffing the network, checking file integrity;
- methods for assessing routinely targeted vulnerabilities — password cracking, social engineering, pentests;
- organizing the security assessment itself — coordinating, data processing, analysis and evaluation;
- actions to take after the assessment is complete — recommendations for reducing risks, creating the assessment report, fixing vulnerabilities.
OWASP
The Open Web Application Security Project (OWASP) is an open online community that offers the most exhaustive methodology for testing applications, websites, and APIs. OWASP documentation is useful to any IT company that wants to develop secure software.
This documentation includes:
- OWASP Top 10. A document that describes the most widespread vulnerabilities in web and mobile applications, IoT appliances, and APIs. The threats are ordered based on their complexity and impact on businesses.
- OWASP Testing Guide. A resource that contains various techniques for testing web application security. It also includes real-life examples.
- OWASP Developer Guide. A guide that provides recommendations for developing secure and reliable code.
- OWASP Code Review. A guide that can be used by web developers and product managers. It offers effective methods for testing existing code security.
One of the major advantages of the OWASP is that it describes testing at each stage of the software development life cycle: requirement definition, design, development, deployment, and maintenance. On top of that, the OWASP methodology covers not only applications, but also technologies, processes, and human resources.
Another major advantage is that the OWASP can be used by both web developers and pentesters.
The OWASP community also created OWASP ZAP — a cross-platform tool for automated testing, somewhat similar to Burp Suite.
ISSAF
The Information System Security Assessment Framework (ISSAF) was created by the Open Information Systems Security Group (OISSG), and covers many aspects of information security. In particular, it provides detailed recommendations for penetration testing: it describes the appropriate tools and how to use them, as well as what results testers can expect under various circumstances.
The ISSAF is considered a complex and thorough methodology that can be adapted for assessing information security in any organization. Each ISSAF testing stage is carefully documented. This resource also contains recommendations for how to use specific tools at each stage.
The ISSAF methodology suggests following a strict sequence of steps when simulating an attack:
- gathering information;
- mapping the network;
- identifying vulnerabilities;
- penetrating;
- getting basic access privileges, and then elevating them;
- maintaining access;
- compromising remote users and remote sites;
- hiding the tester’s digital footprints.
PTES
The Penetration Testing Execution Standard (PTES) offers recommendations for performing a basic pentest, as well as several more advanced test variants for organizations with high information security requirements. One of the advantages of the PTES is that it gives detailed descriptions of the goals and expected results of the pentest.
The main stages of testing according to the PTES:
- Intelligence gathering. The client organization provides the tester with general information on the targets within their IT infrastructure. The tester gathers additional information from public sources.
- Threat modeling. Key areas and attack vectors are defined based on business processes and critical IT infrastructure elements.
- Vulnerability analysis. The tester identifies and evaluates vulnerability-related risks. They also analyze all the vulnerabilities that attackers can leverage.
- Exploitation. The tester tries to exploit found vulnerabilities and to take over information system elements, imitating the actions of an attacker.
- Reporting. The client organization receives a report that contains thoroughly documented pentest results, with information on found vulnerabilities, how critical they are for the business, and recommendations for fixing them.
The PTES also includes a guide on performing follow-up, or post-exploitation, testing. It helps the company determine whether the found vulnerabilities were properly fixed.
Conclusion
Even when applying only one methodology, experienced testers strive to cover the whole range of potential threats to the client organization. They also take the technical, organizational, and legal risks to the client into account: a tester won’t do anything that might actually have a negative impact on the company. Unlike an attacker, a tester is much more restrained when it comes to the effect of their actions on the client company’s infrastructure.
Finding and fixing vulnerabilities as quickly as possible is a top priority for every business. Among other things, it helps reduce the amount of material damage that can occur if an attacker does actually manage to exploit a vulnerability. This is why simulating a cyber attack by performing a pentest is like a war game: it helps companies always stay on guard.