Pentesting Fundamentals
General Stages
- Information Gathering
  - collecting as much publicly accessible information as possible
  - OSINT
  - Note: does not involve scanning the target system
- Enumeration / Scanning
  - discovering applications and services running on a system
- Exploitation
  - leveraging vulnerabilities in a system or application
  - can involve use of public exploits or exploiting application logic
- Privilege Escalation
  - expanding access to the system
  - vertically: to a user in a higher permission group
  - horizontally: to other users of the same permission group
- Post-exploitation
  - targeting of other hosts
  - gathering of additional info
  - covering tracks
  - reporting
OSSTMM - The Open Source Security Testing Methodology Manual
detailed framework of testing strategies for systems, software, applications, communications and the human aspect
pro | contra |
---|---|
covers various testing strategies in-depth | difficult to understand, very detailed, tends to use unique definitions |
includes testing strategies for specific targets | |
framework is flexible depending on the organisation's needs | |
meant to set a standard for systems and applications; a universal methodology can be used | |
OWASP - Open Web Application Security Project
community-driven framework with frequent updates, used solely for testing the security of applications and services
pro | contra |
---|---|
Easy to pick up and understand. | It may not be clear what type of vulnerability a web application has (they can often overlap). |
Actively maintained and is frequently updated. | OWASP does not make suggestions to any specific software development life cycles. |
It covers all stages of an engagement: from testing to reporting and remediation. | The framework doesn't hold any accreditation such as CHECK. |
Specialises in web applications and services. | |
NIST Cybersecurity Framework 1.1
popular framework used to improve organisations' cybersecurity standards and manage the risk of cyber threats; provides guidelines on security controls and benchmarks for success
pro | contra |
---|---|
The NIST Framework is estimated to be used by 50% of American organisations by 2020. | NIST has many iterations of frameworks, so it may be difficult to decide which one applies to your organisation. |
The framework is extremely detailed in setting standards to help organisations mitigate the threat posed by cyber threats. | The NIST framework has weak auditing policies, making it difficult to determine how a breach occurred. |
The framework is very frequently updated. | The framework does not consider cloud computing, which is quickly becoming increasingly popular for organisations. |
NIST provides accreditation for organisations that use this framework. | |
The NIST framework is designed to be implemented alongside other frameworks. | |
NCSC CAF - National Cyber Security Centre Cyber Assessment Framework
extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation's defence against them
pro | contra |
---|---|
This framework is backed by a government cybersecurity agency. | The framework is still new in the industry, meaning that organisations haven't had much time to make the necessary changes to be suitable for it. |
This framework provides accreditation. | The framework is based on principles and ideas and isn't as direct as having rules like some other frameworks. |
This framework covers fourteen principles which range from security to response. | |
Principles of Security
Principles of Privileges
- PAM
  - Privileged Access Management
  - management of the privileges a system's access role has, and more
- PIM
  - Privileged Identity Management
  - translates a user's role within the organisation into an access role on a system
Threat Modelling and Incident Response
- basic principles are
  - preparation
  - identification
  - mitigation
  - review
- to be more effective, needs to be extended by
  - threat intelligence
  - asset identification
  - mitigation capabilities
  - risk assessment
Common threat-modelling frameworks are STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service and Elevation of privileges) and PASTA (Process for Attack Simulation and Threat Analysis).
STRIDE
principle | description |
---|---|
Spoofing | an attacker maliciously and falsely identifying as another user or system; requires authenticating requests and users accessing a system |
Tampering | requires anti-tampering measures for a system or application that preserve the integrity of data; data that is accessed must be kept internal and accurate |
Repudiation | dictates logging of activity and use of services on a system |
Information Disclosure | services that handle information of multiple users must only show data to the owner of that data |
Denial of Service | services that use up system resources should have measures in place so that abuse doesn't bring the whole system down |
Elevation of Privilege | worst case: a user is able to escalate their own authorisation to that of a higher level |
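Added example (not from the original notes): a toy record service in Python that applies one control per STRIDE row from the table above, and whose server-side role table also illustrates the PIM idea from Principles of Privileges (an organisational role mapped to an access role). Every user name, key, token and record is constructed for the demo; `issue_token` stands in for a real login step.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo values; a real deployment takes these from a secret store
# and an identity provider (PAM/PIM tooling), never from source code.
SECRET_KEY = b"constructed-demo-signing-key"
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}  # PIM: org role -> access role


class AccessDenied(Exception):
    """Spoofing, Information Disclosure or Elevation of Privilege attempt refused."""


class RateLimited(Exception):
    """Per-user request budget exhausted (Denial of Service control)."""


class TamperedRecord(Exception):
    """Stored data no longer matches its integrity tag (Tampering control)."""


def _sign(message: str) -> str:
    return hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Hypothetical login step: hand out a 'user:tag' token the service can verify later."""
    return f"{user}:{_sign(user)}"


def raises(exc_type, fn, *args) -> bool:
    """Return True if fn(*args) raises exc_type; lets callers check that a control fired."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


@dataclass
class Record:
    owner: str
    body: str
    tag: str  # HMAC over owner and body, re-checked on every read


@dataclass
class RecordService:
    budget: int = 5  # requests allowed per user in this demo
    records: dict = field(default_factory=dict)
    usage: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (actor, action, record_id, outcome)

    def _authenticate(self, token: str) -> str:
        # Spoofing: accept only tokens carrying a tag we issued; constant-time compare
        user, _, tag = token.partition(":")
        if user not in ROLES or not hmac.compare_digest(tag, _sign(user)):
            self.audit_log.append(("<unauthenticated>", "auth", None, "denied"))
            raise AccessDenied("invalid token")
        # Denial of Service: every authenticated request consumes budget, even if denied later
        self.usage[user] = self.usage.get(user, 0) + 1
        if self.usage[user] > self.budget:
            self.audit_log.append((user, "auth", None, "rate-limited"))
            raise RateLimited(user)
        return user

    def create(self, token: str, record_id: str, body: str) -> None:
        user = self._authenticate(token)
        self.records[record_id] = Record(user, body, _sign(f"{user}\x00{body}"))
        self.audit_log.append((user, "create", record_id, "ok"))  # Repudiation: who did what

    def read(self, token: str, record_id: str) -> str:
        user = self._authenticate(token)
        rec = self.records[record_id]
        # Information Disclosure: data is shown only to its owner
        if rec.owner != user:
            self.audit_log.append((user, "read", record_id, "denied"))
            raise AccessDenied(f"{user} does not own {record_id}")
        # Tampering: recompute the tag; a body or owner changed outside the service fails
        if not hmac.compare_digest(rec.tag, _sign(f"{rec.owner}\x00{rec.body}")):
            self.audit_log.append((user, "read", record_id, "tampered"))
            raise TamperedRecord(record_id)
        self.audit_log.append((user, "read", record_id, "ok"))
        return rec.body

    def delete_any(self, token: str, record_id: str) -> None:
        user = self._authenticate(token)
        # Elevation of Privilege: the role comes from the server-side table, never the request
        if ROLES[user] != "admin":
            self.audit_log.append((user, "delete_any", record_id, "denied"))
            raise AccessDenied(f"{user} is not admin")
        del self.records[record_id]
        self.audit_log.append((user, "delete_any", record_id, "ok"))
```

The audit log is the Repudiation control and is written on both allowed and refused paths, so a denied read by another user or a rate-limited caller leaves the same kind of trace as a successful action; the budget is counted before authorisation so that probing for other users' records also costs the caller.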