Penetration Test: IambOO’s method
IambOO’s services cover a wide range of needs, from IT security to mobile solutions. IambOO identifies the weaknesses in your IT infrastructure by assessing the real security level of your IT systems against external attacks and internal threats.
We have already described our Vulnerability Assessment service: an analysis that covers every asset in order to detect each known vulnerability and rate its risk level; on that basis, IambOO helps its customers plan the right risk-mitigation strategies.
Here we want to look more closely at our own method, which is based on four standards:
OSSTMM – the handbook of ISECOM, the Institute for Security and Open Methodologies.
OWASP – the independent organization whose main aim is to create and spread a culture of web application security.
NIST – the US National Institute of Standards and Technology, an agency of the US Department of Commerce that oversees standards and technology.
PTES – the Penetration Testing Execution Standard.
The Open Source Security Testing Methodology Manual, better known as OSSTMM, is the manual that describes an internationally recognized methodology for planning and executing security tests. It is an open-source project, continuously updated, that receives contributions from various authorities and professionals.
Those contributions are generally written to comply with the security laws in force in developed countries, respecting as far as possible the rules on privacy and personal data.
The handbook covers six operational macro-areas, which together represent the whole ICT landscape of any company or public administration.
Those areas are:
- Information Security;
- Process Security;
- Internet Technology Security;
- Communication Security;
- Wireless Security;
- Physical Security.
These intervention areas map to the different professional profiles required, such as Security Analyst, Security Expert, Security Tester and Wireless Security Analyst.
The Open Web Application Security Project (OWASP) is an open community whose aim is to enable organizations to develop, purchase and maintain applications that can be trusted. All OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security. OWASP approaches application security as a problem of people, processes and technology.
The organization has produced many documents that give our developers guidelines to follow across a wide range of projects.
The Testing Guide, for example (whose Project Lead is the Italian Matteo Meucci), is essential, but there are also simple checklists (such as the following one) that help us keep in mind the security level that must be reached:
- Data validation;
- Session management;
- Error handling;
- Security configuration;
- Network topology.
The National Institute of Standards and Technology (NIST) is an agency of the US Department of Commerce that oversees standards and technology. The NIST document that concerns us most is Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment.
It is a guide to the main technical aspects of conducting information security assessments. It presents technical testing and examination techniques and methods that we use as part of a complete security assessment, and it discusses in detail the possible impact that our activities can have on systems and networks.
The processes and technical guidance in this publication allow us to:
- Develop an information security assessment policy, a methodology, and the roles and responsibilities of the individuals involved in the technical aspects of the assessment;
- Plan a technical information security assessment accurately, with guidance on determining which systems to assess and the approach to take, and on handling logistics;
- Develop an assessment plan and ensure that policy and legal considerations are addressed;
- Carry out a technical information security assessment safely and accurately using the presented methods and techniques, and respond to any incident that may occur during the assessment;
- Handle technical data appropriately (collection, storage, transmission and destruction) throughout the assessment;
- Conduct analysis and reporting in order to translate technical findings into risk-mitigation actions that improve the organization’s security posture.
PTES is a standard created by a group of consultants that describes an extremely useful general methodology. It consists of seven main sections covering everything related to a penetration test: from the initial communication and the reasoning behind a pentest, through the intelligence gathering and threat modeling phases, in which testers work behind the scenes to gain a better understanding of the organization under test, through vulnerability analysis, exploitation and post-exploitation, where technical expertise combines with an understanding of the business of the engagement, and finally the reporting phase, which documents the entire process in a way the customer can understand.
In conclusion, it is worth explaining that all the methods and standards IambOO follows are similar, yet they differ in some respects.
When facing a new project, IambOO combines them as appropriate, since penetration testing is by nature an iterative process and does not follow a linear path.