Abstract

This chapter deals with the theoretical aspects of how to conduct a penetration test. Understanding the theory behind the methodology improves the chances of successfully completing a penetration test project. The chapter describes three different methodologies and their application in penetration testing. The Project Management Body of Knowledge (PMBOK) is useful in conducting any project but is written at a high level and is probably the least geared toward penetration testing specifically of the three methodologies. The PMBOK breaks out the project life cycle into five different groups: Initiating Processes, Planning Processes, Executing Processes, Closing Processes, and Monitoring and Controlling Processes. Supported by the Open Information Systems Security Group (OISSG), the Information System Security Assessment Framework (ISSAF) is a peer-reviewed process that provides in-depth information about how to conduct a penetration test. One of the advantages of the ISSAF is that it creates a distinct connection between tasks within a penetration test and PenTest tools. Although the Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology to perform penetration tests, it is foremost an auditing methodology that can satisfy regulatory and industry requirements when used against corporate assets. There are four different “channels” that can benefit from penetration testing: physical security, wireless communications, telecommunications, and data networks. There are four phases within any penetration test: Regulatory, Definitions, Information, and Interactive Controls Test. The OSSTMM does not suggest any tools to be used in a penetration test; it is assumed the engineer will have the necessary knowledge to satisfy the module requirements.
