Penetration Testing Methodology

Our proven approach to Penetration Testing is based on industry best practice and project management standards and is crucial in performing a thorough and accurate assessment.


Penetration Testing Methodology

A Penetration Testing methodology is the organisation and execution of an assessment – in basic terms, it is the process of testing. Methodologies exist to identify security vulnerabilities. Vulnerabilities can be present on many different platforms, so different assessment types exist to assess the different environments. Assessments range from security audits and dynamic analysis to web application, infrastructure and cloud assessments, and many more.

Methodology Breakdown

There are several methodologies used for penetration testing. Here are the top 3:

OSSTMM – Open Source Security Testing Methodology Manual

OSSTMM is a recognised testing methodology, peer-reviewed by ISECOM – the Institute for Security and Open Methodologies, which provides many different resources to the security industry.

OWASP – Open Web Application Security Project

OWASP is an open-source non-profit organisation focused on web application security, with thousands of members working to secure the web.

NIST – National Institute of Standards and Technology

NIST provides frameworks and information intending to enhance economic security and improve quality of life focused on perseverance, integrity, inclusivity and excellence.

Our Penetration Testing Methodology

Our proven approach to Penetration Testing is based on industry best practices and project management standards. Our Penetration Testing methodology is broken down into six distinct phases:

Initial Scoping, Reconnaissance, Assessment, Reporting, Presentation and Remediation.

Pentest People believe that these six steps are crucial in performing a thorough and accurate assessment, providing value for the client and ultimately improving the security of the target network. This methodology is cyclical: the results of the assessment are presented to the client and provided as a report.

Our Six-Step Penetration Testing Methodology

This methodology is cyclical in that the results of the Penetration Testing assessment are presented to the client and, provided as a report, feed back into the scope of additional tests. As security is a process rather than a solution, this methodology is designed to work alongside that ongoing process.

The 6 steps are broad categories and can generally be applied to multiple types of infrastructure assessment, regardless of whether it is internal, external or some other combination.


The Reconnaissance step will utilise both Passive and Active Information Gathering. Our consultants will use public domain information to collect information about your organisation and the network. Search engines and public records will be interrogated to collect information that will help in the assessment of the target network. In the case of an internal assessment, passive information gathering will also include sniffing wired and wireless networks in an attempt to collect network protocol information, addressing details and user credentials. Information discovered during the passive information-gathering phase is used to start probing the network, map it and identify the active hosts. Once the active hosts are identified, further probes are used to detect any open ports together with the services they are running, before fingerprinting techniques are used to identify the operating system running on each host.

The assessment phase aims to check known vulnerabilities against the operating systems and services that have been identified as present in the network. Any vulnerabilities of medium severity and higher that are identified are manually confirmed, preventing false positives from being reported. Attempts are also made to exploit common operating system vulnerabilities to check the level of privileged access that can be achieved. It is important to note that Pentest People will not carry out any checks that the tools used classify as ‘unsafe’. This includes any Denial of Service (DoS) attacks. These service-affecting checks are disabled by default in all the tools that we use, but they can be included on request. For services that require username and password authentication, our consultants will attempt to access these resources both with the default password and with commonly used username and password combinations. In practical terms, the assessment phase typically comprises internal, ‘White Box’ and ‘Black Box’ tests.

At the end of the discovery and assessment phase, clients are presented with an executive summary as well as a more detailed report. The summary lists the key findings along with the top ten recommendations for remedial action. A table of hosts is provided together with the total number of vulnerabilities identified at each severity level. The full assessment report goes into greater detail for each host, including the open ports identified, the services available on those ports, the identified vulnerabilities and remediation advice. Separate sections are included for any additional advanced assessments that were carried out, cross-referenced where applicable to the host assessment data.

Once the executive summary and full assessment report are created, they are uploaded to the secure document area of the Pentest People SecurePortal for review prior to scheduling a de-brief call or, if required, a face-to-face meeting. The de-brief call or meeting is an opportunity for you to discuss any major issues arising from the assessment with the lead consultant, who will formally present the findings of the report.

Finally, Pentest People can offer an additional Remediation Consultancy Service as part of their PTaaS offering. This service completes the Penetration Testing process by providing a prioritised approach to remediating any security issues identified as part of the engagement. The remediation service is a two-stage process. In the initial phase, one of our specialised consultants reviews the findings of the Penetration Test report and aligns them with your business requirements to create a prioritised approach document containing remediation advice for all of the identified issues, ranked in order of risk. Once this document is created, it is provided to you and can then be implemented by your own internal IT staff, your incumbent IT provider or Pentest People as part of the engagement, taking away the time pressure of ensuring your infrastructure is secure and free from security issues.
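The assessment, reporting and remediation phases above describe a pipeline: scanner checks flagged as unsafe stay disabled unless requested, medium-and-higher findings are manually confirmed before they are reported, the executive summary tallies vulnerabilities per host at each severity level, and recommendations are ranked by risk. The following Python is an added illustration of that flow and is not Pentest People's tooling; the check names, hosts, findings and the `demo_verifier` stand-in for the consultant's manual confirmation are all constructed for the example.

```python
"""Constructed model of the assess -> confirm -> report -> prioritise flow.

Added example; not the page's or Pentest People's own code.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, replace

# Severity ranking used to order findings and recommendations (assumed scale).
SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass
class Check:
    name: str
    unsafe: bool = False  # service-affecting (e.g. DoS) as flagged by the scanning tool


@dataclass
class Finding:
    host: str
    port: int
    service: str
    title: str
    severity: str
    confirmed: bool = False  # set once a consultant has manually verified it


def select_checks(checks, allow_unsafe=False):
    """Unsafe / service-affecting checks stay disabled unless the client opts in."""
    return [c for c in checks if allow_unsafe or not c.unsafe]


def needs_manual_confirmation(finding):
    """Medium severity and above must be confirmed before it reaches the report."""
    return SEVERITY_ORDER[finding.severity] >= SEVERITY_ORDER["Medium"]


def confirmed_findings(findings, verifier):
    """Drop medium+ findings the verifier cannot confirm; keep lower ones as reported."""
    kept = []
    for f in findings:
        if needs_manual_confirmation(f):
            if verifier(f):
                kept.append(replace(f, confirmed=True))
        else:
            kept.append(f)
    return kept


def host_table(findings):
    """Per-host count of vulnerabilities at each severity level (executive summary table)."""
    table = defaultdict(Counter)
    for f in findings:
        table[f.host][f.severity] += 1
    return {host: dict(counts) for host, counts in table.items()}


def top_recommendations(findings, n=10):
    """Distinct issues ranked by severity, then by how many hosts are affected."""
    hosts_by_title = defaultdict(set)
    severity_by_title = {}
    for f in findings:
        hosts_by_title[f.title].add(f.host)
        severity_by_title[f.title] = f.severity
    ranked = sorted(
        hosts_by_title,
        key=lambda t: (-SEVERITY_ORDER[severity_by_title[t]], -len(hosts_by_title[t]), t),
    )
    return ranked[:n]


def build_summary(findings, verifier):
    """Executive summary: host/severity table plus the prioritised recommendation list."""
    confirmed = confirmed_findings(findings, verifier)
    return {"hosts": host_table(confirmed), "top": top_recommendations(confirmed)}


# --- constructed sample data (hypothetical checks, hosts and findings) ---
CHECKS = [
    Check("TLS configuration review"),
    Check("Default credential check"),
    Check("Malformed packet flood (DoS)", unsafe=True),
]

SAMPLE_FINDINGS = [
    Finding("10.0.0.5", 443, "https", "Outdated TLS protocol enabled", "Medium"),
    Finding("10.0.0.5", 22, "ssh", "SSH version banner disclosure", "Low"),
    Finding("10.0.0.7", 445, "smb", "SMB signing not required", "Medium"),
    Finding("10.0.0.7", 3389, "rdp", "Default administrator password", "High"),
    # Scanner heuristic that manual review will reject as a false positive.
    Finding("10.0.0.9", 80, "http", "Scanner heuristic: possible SQL injection", "High"),
]


def demo_verifier(finding):
    """Stand-in for the consultant's manual check (constructed outcome)."""
    return "heuristic" not in finding.title.lower()


if __name__ == "__main__":
    print("checks run by default:", [c.name for c in select_checks(CHECKS)])
    summary = build_summary(SAMPLE_FINDINGS, demo_verifier)
    for host, counts in summary["hosts"].items():
        print(host, counts)
    print("top recommendations:", summary["top"])
```

The unconfirmed heuristic finding never reaches the host table, so the summary reports only what a consultant has verified, and the DoS check is absent from the default check list until `allow_unsafe=True` is passed.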