Abstract

Current methodologies of information systems penetration testing focuses mainly on a high level and technical description of the testing process. Unfortunately, there is no methodology focused primarily on the management of these tests. It often results in a situation when the tests are badly planned, managed and the vulnerabilities found are unsystematically remediated. The goal of this article is to present new methodology called PETA which is focused mainly on the management of penetration tests. Development of this methodology was based on the comparative analysis of current methodologies. New methodology incorporates current best practices of IT governance and project management represented by COBIT and PRINCE2 principles. Presented methodology has been quantitatively evaluated.

Highlights

  • In the recent years, we could see many high profile companies such as RSA, Global Payments, Heartland Payment Systems, Sony or LinkedIn to incur a data breach with the significant financial loss (Verizon, 2013; Verizon, 2015; CheckPoint, 2013)

  • These tests are usually conducted by an external company, but larger organizations have in-house teams that are responsible for testing the security of IT infrastructure and information systems

  • In order to understand the role of penetration tests, the reader should be familiar with the model below (Figure 1), which presents a comparison of three basic types of IS security assessment

Read more

Summary

Introduction

We could see many high profile companies such as RSA, Global Payments, Heartland Payment Systems, Sony or LinkedIn to incur a data breach with the significant financial loss (Verizon, 2013; Verizon, 2015; CheckPoint, 2013). As the current controls seem to be unable to really prevent the security incidents, the IT managers pay more and more attention to the offensive security techniques These techniques closely mimic the attackers (and emulate the threats) in order to identify as many vulnerabilities of target system as possible. Exact definition according to the NIST (2008) is “Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.”. These tests are usually conducted by an external company, but larger organizations have in-house teams (red teams) that are responsible for testing the security of IT infrastructure and information systems. In order to understand the role of penetration tests, the reader should be familiar with the model below (Figure 1), which presents a comparison of three basic types of IS security assessment

Objectives
Methods
Results
Conclusion
Full Text
Paper version not known

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.