Goal Oriented Pentesting – The New Process for Penetration Testing

Many people, including network administrators and even security professionals, are confused by the penetration testing process. Penetration testing is the process of identifying and demonstrating risks to an organization. The key here is identifying and demonstrating risks. Demonstrating risks can be done in several different ways. One common method that administrators use to protect their network is to run vulnerability scanning solutions that automatically find vulnerabilities. Vulnerabilities are similar to risks; however, automated solutions have no ability to put their findings in context. Manually testing and leveraging vulnerabilities is what the penetration testing process is all about.

Okay great, you have 10 or 100 or 1000 vulnerabilities, now what? 1000 vulnerabilities do not necessarily mean a greater risk than 10 vulnerabilities, because not all vulnerabilities pose the same risk. Many vulnerability scanning solutions include risk ratings in their reports. These risk ratings are not the same as business risks, because they do not directly demonstrate risk to the business. Vulnerabilities are potential risks that an attacker would need to leverage before they become a demonstrated business risk. That is where penetration testing comes in. Penetration testing is designed to demonstrate business risk by leveraging vulnerabilities to achieve a level of access or to gain access to data.

So what drives the penetration tester? How do they know what they want or what level of access is going to demonstrate the highest risks to the organization?

It comes down to a list of goals. Wikipedia defines a goal as follows:

A goal or objective is a projected state of affairs that a person or a system plans or intends to achieve – a personal or organizational desired end-point in some sort of assumed development. Many people endeavor to reach goals within a finite time by setting deadlines.

This process is known as a goal-oriented penetration assessment. The goals are defined before the assessment begins, and the penetration tester works to achieve them. Once a goal is achieved, the penetration tester should determine how many unique ways the goal can be achieved.

A few example goals for a penetration assessment:

  • Gain access to the internal network (remotely)
  • Gain access to credit-card information
  • Gain Domain Administrator access

Penetration testing is all about achieving goals and not about finding vulnerabilities. Enough said. Vulnerabilities are not the goal. Goals are the goal.
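As an added illustration of the argument above (this code is not from the original post), the following script models an assessment as a graph in which each finding is an edge between attacker positions and each goal is a node. It reports how many unique paths reach each goal and which findings sit on no path at all, which is how a vulnerability count separates from demonstrated business risk. The positions, goals and finding labels are constructed sample data.

```python
"""Goal-oriented assessment model: a finding matters only when it chains to a goal."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data: (from_position, to_position, finding_label).
# Positions are where the tester stands after leveraging the finding.
FINDINGS: List[Tuple[str, str, str]] = [
    ("internet", "dmz-webserver", "F1 injection flaw in login form"),
    ("internet", "dmz-webserver", "F2 outdated CMS plugin"),
    ("dmz-webserver", "internal-network", "F3 weak egress filtering"),
    ("internal-network", "domain-admin", "F4 cached admin credentials"),
    ("internal-network", "cardholder-db", "F5 default database password"),
    ("internet", "dead-end", "F6 verbose server banner"),  # informational only
]

# Goals defined before the assessment begins, as the post recommends.
GOALS: Set[str] = {"internal-network", "domain-admin", "cardholder-db"}


def build_graph(findings: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: position -> [(next_position, finding_label), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, label in findings:
        graph[src].append((dst, label))
    return graph


def paths_to(goal: str, graph, start: str = "internet") -> List[List[str]]:
    """Enumerate every simple path from start to goal as a list of finding labels."""
    found: List[List[str]] = []

    def walk(node: str, visited: Set[str], chain: List[str]) -> None:
        if node == goal:
            found.append(list(chain))
            return
        for nxt, label in graph.get(node, []):
            if nxt not in visited:  # avoid cycles between positions
                walk(nxt, visited | {nxt}, chain + [label])

    walk(start, {start}, [])
    return found


def assess(findings, goals: Set[str], start: str = "internet"):
    """Return (goal -> unique paths) and the findings that lead to no goal."""
    graph = build_graph(findings)
    report = {goal: paths_to(goal, graph, start) for goal in goals}
    on_a_path = {label for paths in report.values() for p in paths for label in p}
    unused = [label for _, _, label in findings if label not in on_a_path]
    return report, unused
```

Running `assess(FINDINGS, GOALS)` shows two distinct routes to each goal and flags F6 as a finding that demonstrates no goal, so it would rank below the others in the report regardless of its scanner rating.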


5 Responses to Goal Oriented Pentesting – The New Process for Penetration Testing

  1. roodee says:

    I like this. We use a goal-oriented framework for deriving security requirements (functional and non-functional) for our applications. Our goals are a bit generic, but I think it may be worthwhile to draw up some “anti-goals” that reflect the goals of the penetration tester. Goals are relative to the subject that will try to achieve them and ours are from the perspective of the system’s ability to “resist” attacks. Will definitely explore this. Good stuff.

  2. […] "Jabra" Abraham « Goal Oriented Pentesting – The New Process for Penetration Testing Goal Oriented Pentesting. The New Process for Penetration Testing (Part 2) November 17, […]

  3. […] Admin Tokens December 15, 2009 Penetration Assessments are a focused effort to accomplish one or more goals within a limited timeframe. It is often helpful to automate tasks to put time on your side. This is where a penetration tester […]

  4. […] I presented the Goal Oriented Pentesting theory that I have been talking about for a while(first post, second post) The talk expanded upon the original theories by incorporating specific methods which […]
