PENTESTING PRINCIPLES and FRAMEWORKS

hacking for the greater good

There are a lot of bad actors out there who can wreak havoc armed with nothing but a laptop.

Cybercrime increased almost 300% following the COVID-19 outbreak and supply chain attacks increased by 78% in 2019 alone.

The truth is that our world is more digital and interconnected than ever before, but that presents a larger attack surface for cyber attackers who are looking to make a quick buck by holding valuable private data hostage or crippling essential infrastructure systems.

In order to be able to defend against hackers, security experts have to understand how hackers operate and how attacks are executed. Enter penetration testing, or pentesting for short.

Pentesters are considered white hat hackers: individuals who are sanctioned to perform penetration tests (hacks) with the purpose of understanding vulnerabilities so that systems can be better defended against malicious hackers (black hats). Grey hat hackers, as you could have guessed, operate in murky waters. They may go after scammers and other unscrupulous individuals by less than legal or ethical means. Grey hats could face legal jeopardy if caught, even if their intent was to expose or bring down a malicious actor.

This section will cover the ethics and legality of hacking, as well as important documents, guides, and agreements necessary to establish between a client and pentester before any penetration testing can begin. Types of penetration testing will also be covered, as well as methodologies for penetration testing.


ethics vs. legality

What's wrong is not always illegal, and what's illegal is not always wrong.

Ethics are concerned with the idea of what's right and wrong. These are concepts that can vary wildly from individual to individual and from time to time, so it's not very productive to try and understand or create a definitive ethical framework for hacking. That said, there are certain ethics that white, grey, and yes, even some black hat hackers will adhere to.

White hat hackers will generally operate under the strictest set of legal and ethical parameters, given the transparent and legitimate nature of their work. White hat hackers are often employed as professional pentesters and have to keep both their own and their company's reputation squeaky clean. Here is a code of ethics from the EC-Council, a leader in infosec (information security) training programs.

Grey hats will often be motivated by a strong sense of ethics even when they bend or break the law. This is because they are oftentimes operating with what they see as a noble mission in mind. Plenty of grey hat hackers poke holes in systems in order to disclose vulnerabilities or bugs in a system or piece of software to those responsible for maintaining them. These individuals are often thanked and sometimes even rewarded for their efforts, but other times their snooping around isn't appreciated, and they can face retaliation, lawsuits, and even arrest. This is why ethics are central to grey hat hacking: the hacker is betting that the destination and result of their actions will outweigh any questionable lines they had to cross to get there. Check out this article for a run-down of the ethics of grey hat hacking, which includes real cases. You may also be interested in the "Grey Hat" Guide by the Electronic Frontier Foundation. There's also an excellent episode of Darknet Diaries about the "Guild of Grumpy Old Hackers," a collective of Dutch grey hat hackers who actually hacked then-president Trump's Twitter account and got into hot water over it.


Rules of engagement

Before a proper and legal penetration test can be carried out, there must be clearly agreed-upon parameters between the pentester and the client, including the rules of engagement.

The rules of engagement govern the permissions, test scope, and rules which will define the penetration test to be carried out.

The SANS institute has a good example of this document.

PERMISSIONS

The permissions given in the rules of engagement protect the individuals conducting the penetration test by establishing a clear agreement that the client is giving the pen tester permission to take actions that may otherwise be illegal, for the purpose of testing the system's security in a controlled test.

TEST SCOPE

This section defines the scope of the engagement. The test scope should clearly define the boundaries of the "attack," including which areas are within limits and which are off-limits. The scope varies from job to job, and it's important to be on the same page as the client and communicate details clearly. You should understand what the client's needs are and help them define the objectives of their audit. If the scope is not wide enough, the pen tester cannot perform a thorough audit of the systems. But the scope can also be too wide, going beyond the needs of a penetration test and exposing sensitive data or systems that the client did not want to be accessed.

RULES

This section governs the specifics of the test, such as what techniques are allowed, who will be aware of the test, and how the pen tester will demonstrate a successful hack. For example, the rules of a job may state that the hacker will not use anything except publicly available information and that they are prohibited from interacting with any employees.
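As an added illustration (not part of the original page), here is a small Python helper that encodes a constructed rules-of-engagement excerpt and checks a proposed test action against the agreed scope, exclusions, permitted techniques and testing window before anything is run. The scope entries, hostnames, technique labels and window are assumptions made for this example.

```python
import ipaddress
from datetime import datetime

# Constructed rules-of-engagement excerpt (assumed values, not a real engagement).
# 203.0.113.0/24 is a documentation range; hostnames use the reserved .test TLD.
ROE = {
    "in_scope": ["203.0.113.0/24", "app.example.test"],
    "out_of_scope": ["203.0.113.7"],  # e.g. a production database host the client excluded
    "window": ("2024-06-03T22:00:00+00:00", "2024-06-04T06:00:00+00:00"),
    "allowed_techniques": {"osint", "port-scan", "web-app"},  # social engineering not permitted
}


def _host_in(host, entries):
    """True if host equals a hostname entry or is an IP inside a CIDR entry."""
    for entry in entries:
        if host == entry:
            return True
        try:
            if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # entry or host is not an IP/CIDR; hostname mismatch already handled
            continue
    return False


def check_action(roe, host, technique, when_iso):
    """Return (allowed, reason) for a proposed action at ISO-8601 time when_iso."""
    if technique not in roe["allowed_techniques"]:
        return False, f"technique {technique!r} is not permitted by the rules"
    # Exclusions are checked first so an out-of-scope host inside an in-scope CIDR is refused.
    if _host_in(host, roe["out_of_scope"]):
        return False, f"{host} is explicitly out of scope"
    if not _host_in(host, roe["in_scope"]):
        return False, f"{host} is not in the agreed scope"
    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    when = datetime.fromisoformat(when_iso)
    if not start <= when <= end:
        return False, "outside the agreed testing window"
    return True, "within scope, rules and window"


if __name__ == "__main__":
    for args in [("203.0.113.20", "port-scan", "2024-06-03T23:00:00+00:00"),
                 ("203.0.113.7", "port-scan", "2024-06-03T23:00:00+00:00"),
                 ("app.example.test", "social-engineering", "2024-06-03T23:00:00+00:00")]:
        print(args, "->", check_action(ROE, *args))
```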

types of penetration tests

Black box testing means that pen testers are not given any special access or information that will aid them in their engagement. They will have to try to crack into the target system with the same publicly available resources that would be accessible to anybody else. Black box tests can be very general and tend to focus on the external-facing flaws of the system in question.

Grey box testing means that some special information or resources are shared with the tester, such as directory listings or internal IP addresses. This helps narrow the attack surface under test and lets the pen tester focus more rigorous testing on certain internal systems. Since grey box testing combines elements of both black and white box testing, anything that is not a purely white or black box test is considered a grey box test.

White box testing is usually done by software developers or internal employees who have full knowledge and access to the systems in question and are focused on low-level issues, bugs, or inefficiencies in the system's organization or security. This type of testing can often be focused on granular aspects of a system that someone outside the company may never get to encounter.

methodologies

FRAMEWORKS FOR PENETRATION TESTING


Not all penetration tests are created equal. There are as many types of pen tests as there are needs for them. Because of this, there have been a number of different methodologies and standards developed by different infosec organizations. This is not a comprehensive list, but an overview of some of the main methodologies in use in the field.

OWASP

The OWASP (Open Web Application Security Project) "is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web."

This foundation publishes Top Ten reports on the most critical vulnerabilities found across web applications, as well as testing approaches and remediation methods, and is a standard framework for web security.

OSSTMM

The Open Source Security Testing Methodology Manual defines a framework of strategies for testing systems, applications, and software as well as the human (social engineering) aspects of infosec.

This methodology focuses on three main components.

  1. Telecommunications (VoIP, phones, etc.)

  2. Wired Networks

  3. Wireless Communications

NIST

The National Institute of Standards and Technology's cybersecurity framework is a staple of infosec. This framework primarily defines standards for cybersecurity that organizations can take to protect themselves from threats, but it also has a detailed technical guide that serves as a standard methodology for pen testing.


NCSC CAF

The UK's National Cyber Security Centre's Cyber Assessment Framework (CAF) "provides guidance for organizations responsible for vitally important services and activities." This framework focuses on organizations deemed to provide "vitally important services and activities" such as economic and critical infrastructure services.

The framework is divided into the following main objectives:

Objective A: Managing security risk

Objective B: Protecting against cyber attack

Objective C: Detecting cyber security events

Objective D: Minimising the impact of cyber security incidents


An effective pen tester should make good use of the established ethical and practical frameworks and methodologies available to them.

They should also expand on this knowledge to better equip current and future infosec professionals who will continue the fight against a never-ending onslaught of attackers, exploits, and bugs.