Week 2: The Pentest Process

This week we are going to take a look at:

  • How we can measure security
  • A generic pen-test process
  • How we can classify the vulnerabilities we find

Measuring Security?

For the first topic this week we look at measuring security. How can we tell if a site or service is secure [1], and what procedures can we put in place to measure and assess security?

We will look at three different ways that are used to try to place a value on the security of the system, and examine the strengths and weaknesses of each.

  • Systems Audit
  • Vulnerability Scanning
  • Penetration Testing

The Pentest Process

We will also look at a generalised pentest process. This helps us to understand the pentest in general, and introduces some of the topics that we will cover later in the module.

Standardised processes and methodologies help us to structure our tasks, and help us get a coherent result. They range from something as simple as following a recipe to cook food, right through to the process used to prep the space shuttle for launch.

When it comes to security assessment, following a standardised pen-test process helps us to get an accurate result from the audit. By following a set of stages in the test, we can build our knowledge of the system, identify possible attack vectors, and (hopefully) complete a successful test. More importantly, following a set of stages in the test can help others replicate any exploits, allowing them to independently confirm issues.

Note

While we might be able to get away with taking a Leeroy Jenkins approach with a simple or limited system, applying some structure to the steps we follow, even for a simple CTF, is gonna make our lives easier.

Organisations may have their own take on the pen-test process. For example, the process followed at Nettitude may differ slightly from that at the NCC Group. However, while what happens at each stage of the process may differ, the overall approach will be the same.

Classifying Vulnerabilities

Once we have identified vulnerabilities, we need some way of classifying them. This allows the developers to prioritise fixes, and management to allocate sufficient [2] resources to deal with the problem. For the second topic this week we will look at common methods of categorising issues.


  1. Given that the only secure computer system is deep in a government bunker, guarded by the SAS and switched off, it might be better to measure a "level of insecurity".

  2. For a given value of sufficient, which usually differs between the gods of accounting, and the people on the ground.