Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Advanced Infrastructure Penetration Testing

You're reading from   Advanced Infrastructure Penetration Testing Defend your systems from methodized and proficient attackers

Arrow left icon
Product type Paperback
Published in Feb 2018
Publisher Packt
ISBN-13 9781788624480
Length 396 pages
Edition 1st Edition
Tools
Arrow right icon
Author (1):
Arrow left icon
Chiheb Chebbi Chiheb Chebbi
Author Profile Icon Chiheb Chebbi
Chiheb Chebbi
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Introduction to Advanced Infrastructure Penetration Testing FREE CHAPTER 2. Advanced Linux Exploitation 3. Corporate Network and Database Exploitation 4. Active Directory Exploitation 5. Docker Exploitation 6. Exploiting Git and Continuous Integration Servers 7. Metasploit and PowerShell for Post-Exploitation 8. VLAN Exploitation 9. VoIP Exploitation 10. Insecure VPN Exploitation 11. Routing and Router Vulnerabilities 12. Internet of Things Exploitation 13. Other Books You May Enjoy

Pentesting standards and guidance

Before diving deep into pentesting standards and guidelines, we need to define some important terminology to avoid any confusion or misconceptions about four different terms: policies, standards, procedures, and guidance. All these terms play important roles in information security management, but a clear understanding of the difference between them is essential to avoid using them in the wrong way.

Policies

Policies are written documents by high-management level members that specify the responsibilities and required behavior of every individual in an organization. In general, policies are short and don't specify technical aspects, such as operating systems and vendors. If the organization is large, policies could be divided into subpolicies. One of the well-known information security policies is the COBIT 5 Information Security Policy set, as shown here:

Standards

Standards are a low-level description of how the organization will enforce the policy. In other words, they are used to maintain a minimum level of effective cybersecurity. They are also mandatory.

Procedures

Procedures are detailed documents that describe every step required in specific tasks, such as creating a new user or password reset. Every step is mandatory. These procedures must align with the organization's policies.

Guidance

Guidance or guidelines are a set of recommended tips and useful pieces of advice from hands-on experienced people and institutions. There are many standards and guidelines followed by penetration testers. The following are some of the well-known ones, with the required steps for every standard or guideline.

Open Source Security Testing Methodology Manual

The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive document released by Pete Herzog and distributed by the Institute for Security and Open Methodologies (ISECOM). According to OSSTMM, every penetration testing should include security testing of information, processes, internet technology (port scanning, firewalls, and so on), communications, wireless, and physical environment.

Information Systems Security Assessment Framework

The Information Systems Security Assessment Framework (ISSAF) is a methodology where the penetration tester imitates the hacking steps with some additional phases. It goes through the following phases:

  • Information gathering
  • Network mapping
  • Vulnerability identification
  • Penetration
  • Gaining access and privilege escalation
  • Enumerating further
  • Compromising remote users/sites
  • Maintaining access
  • Covering the tracks

Penetration Testing Execution Standard

The Penetration Testing Execution Standard (PTES) is a set of technical sections. It helps the penetration tester to deliver an effective pentesting report by walking through the following seven sections:

  • Pre-engagement interactions
  • Intelligence gathering
  • Threat modeling
  • Vulnerability analysis
  • Exploitation
  • Post-exploitation
  • Reporting

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is an important reference for organizations that are planning to work with major brand credit cards'. It was released in 2014. It is used to assure the security of credit card holders' data and avoid frauds. The compliance is performed once per year by a qualified security assessor, who is provided by the PCI Security Standards Council or internally for small data amount cases. PCI DSS goes through the following four phases:

  • Pre-engagement
  • Engagement: penetration testing
  • Post-engagement
  • Reporting and documentation
You have been reading a chapter from
Advanced Infrastructure Penetration Testing
Published in: Feb 2018
Publisher: Packt
ISBN-13: 9781788624480
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime