pauliejes / HackingNotes


Penetration Testing

Recall that a penetration test is an authorized audit of a computer system’s security and defenses as agreed by the owners of the systems.


Rules of Engagement (ROE)

A document containing the following three sections, which together define how the penetration testing engagement is carried out.

Permission
* This section of the document gives explicit permission for the engagement to be carried out. This permission is essential to legally protect individuals and organisations for the activities they carry out.

Test Scope
* This section of the document will annotate specific targets to which the engagement should apply. For example, the penetration test may only apply to certain servers or applications but not the entire network.

Rules
* The rules section will define exactly the techniques that are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are okay.

Methods

Information Gathering
* This stage involves collecting as much publicly accessible information about a target/organisation as possible, for example, OSINT and research.
* Note: This does not involve scanning any systems.

Enumeration/Scanning
* This stage involves discovering applications and services running on the systems. For example, finding a web server that may be potentially vulnerable.

Exploitation
* This stage involves leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic.

Privilege Escalation
* Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access to the system. You can escalate horizontally or vertically: horizontal escalation is accessing another account in the same permission group (e.g. another user), whereas vertical escalation is accessing an account in another permission group (e.g. an administrator).

Post-exploitation
* This stage involves a few sub-stages:
  1. What other hosts can be targeted (pivoting)
  2. What additional information can we gather from the host now that we are a privileged user
  3. Covering your tracks
  4. Reporting

Open Source Security Testing Methodology Manual (OSSTMM)
* The OSSTMM provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.
* The methodology focuses primarily on how these systems and applications communicate, so it includes a methodology for:
  1. Telecommunications (phones, VoIP, etc.)
  2. Wired networks
  3. Wireless communications

Open Web Application Security Project (OWASP)
* The OWASP framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.
* The foundation regularly writes reports stating the top ten security vulnerabilities a web application may have.

NIST Cybersecurity Framework
* The NIST Framework is a popular framework used to improve an organization's cybersecurity standards and manage the risk of cyber threats. It is a bit of an honorable mention here because of its popularity and detail.
* The NIST Framework was estimated to be used by 50% of American organizations by 2020.

Cyber Assessment Framework (CAF)
* The CAF is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organization's defence against them.
* The framework applies to organizations considered to perform "vitally important services and activities", such as critical infrastructure, banking and the like.
* The framework mainly focuses on and assesses the following topics:
  * Data security
  * System security
  * Identity and access control
  * Resiliency
  * Monitoring
  * Response and recovery planning

The 3 Boxes - Testing Scopes

Black-Box Testing
* This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service.
* This testing can involve interacting with the interface, i.e. buttons, and testing to see whether the intended result is returned.

Grey-Box Testing
* The most popular scope for penetration testing. It is a combination of both the black-box and white-box testing processes: the tester will have some knowledge of the internal components of the application or piece of software.
* With Grey-Box testing, the limited knowledge given saves time, and it is often chosen for extremely well-hardened attack surfaces.

White-Box Testing
* This testing process is a low-level process usually done by a software developer who knows programming and application logic.
* The full knowledge in a White-Box testing scenario provides a testing approach that guarantees the entire attack surface can be validated.

Principles of Security

The CIA triad, Confidentiality, Integrity and Availability, is a model that has quickly become an industry standard.

[image: cia_triad.png]

The CIA triad is unlike a traditional model where you have individual sections; instead, it is a continuous cycle. Whilst the three elements of the CIA triad can arguably overlap, if even just one element is not met, then the other two are rendered useless.

The Bell-La Padula Model
* This model is used to achieve confidentiality. It makes a few assumptions, such as that the organization it is used in has a hierarchical structure where everyone's responsibilities/roles are well-defined.

[image: 0e6e5d9d80785fc287b4a67e1453b295.png]

The Biba Model
* The Biba model is arguably the equivalent of the Bell-La Padula model, but for the integrity element of the CIA triad.
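As an added illustration (not part of the original notes), the standard access rules of both models side by side in Python: Bell-La Padula's "no read up, no write down" for confidentiality and Biba's "no read down, no write up" for integrity. The three labels and the sample subject and objects are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels; clearance and classification share one ladder here (constructed)."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Entity:
    """A subject (user/process) or an object (file/database) with its label."""
    name: str
    level: Level


def blp_allows(subject: Entity, obj: Entity, action: str) -> bool:
    """Bell-La Padula (confidentiality): no read up, no write down.
    Simple Security Property: read only objects at or below your clearance.
    *-Property: write only to objects at or above your clearance, so a
    high-clearance subject cannot copy secrets into a low-classified object."""
    if action == "read":
        return subject.level >= obj.level
    if action == "write":
        return subject.level <= obj.level
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Entity, obj: Entity, action: str) -> bool:
    """Biba (integrity): no read down, no write up, the mirror image of BLP.
    Simple Integrity Property: read only objects at or above your integrity
    level (do not consume possibly tainted data).
    *-Integrity Property: write only to objects at or below your level."""
    if action == "read":
        return subject.level <= obj.level
    if action == "write":
        return subject.level >= obj.level
    raise ValueError(f"unknown action {action!r}")


def evaluate(model, subject, objects):
    """Return {(action, object name): allowed} for every read/write the
    subject could attempt against the given objects under `model`."""
    return {(a, o.name): model(subject, o, a)
            for o in objects for a in ("read", "write")}


if __name__ == "__main__":
    analyst = Entity("analyst", Level.INTERNAL)  # constructed sample subject
    docs = [Entity("public_notice", Level.PUBLIC), Entity("payroll_db", Level.SECRET)]
    for name, model in (("Bell-La Padula", blp_allows), ("Biba", biba_allows)):
        for (action, target), ok in evaluate(model, analyst, docs).items():
            print(f"{name:14} {analyst.name} {action:5} {target:13} -> {'allow' if ok else 'deny'}")
```

Running it shows the two models deny opposite requests: BLP blocks the analyst from reading payroll_db and writing to public_notice, while Biba blocks reading public_notice and writing to payroll_db.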
