
Penetration Testing Methodology: (Company Name)

This document outlines a 5-stage methodology for penetration testing: 1) Planning and preparation, including defining scope and expectations. 2) Information gathering about systems. 3) Detection of vulnerabilities using scanners. 4) Penetration attempts and exploitation of vulnerabilities. 5) Analysis and reporting of results to identify security gaps and guide remediation. Legal agreements are required as penetration testing involves authorized hacking. The methodology is intended to thoroughly test defenses while minimizing disruption to business operations.

Uploaded by

Sky Walker

PENETRATION TESTING METHODOLOGY
[Company Name]

Document Owner:
Effective Date:
Updated:

Disclaimer: This sample policy has been provided by Apptega, Inc. as a generic document to support the
development of your compliance program. It is unlikely to be complete for your organization without
customization. This document is not legal advice and Apptega is not a registered CPA firm.
Penetration Testing Methodology
Version 1.0
[Updated Date]

Revision History
Revision Rev. Date Description Prepared By Reviewed By Date Approved By Date
1.0

1. Purpose
2. Penetration Testing Methodology
2.1 Planning and Preparation
2.2 Information Gathering and Analysis
2.3 Detection of Vulnerabilities
2.4 Penetration Attempt and Exploitation
2.5 Analysis and Reporting
3. Penetration Testing Clean Up
4. Roles and Responsibilities
5. Definitions and Terms

CONFIDENTIAL

1. Purpose
1.1 <Company> depends on the security of its Information Technology (IT) infrastructure.
Without security, the privacy of information and the integrity of the IT infrastructure
may be subject to compromise and place the business at risk, such as financial
damages or loss of reputation. This infrastructure is therefore a critical business element,
which must be protected with effective and efficient security tools and methods based
on industry standards. As a result, penetration tests should be performed to
determine and analyze the security threats and vulnerabilities to its information
assets and to explore options that will mitigate associated information risks.
1.2 A penetration test is an authorized attempt to compromise <Company> IT infrastructure to
check for vulnerabilities or gaps in the security and functionality of systems. Penetration
testing usually involves trusted individuals using attack methods and tools similar to those
that hackers and intruders use. Depending on the type of test that is
conducted, this may involve a simple IP address scan to identify systems offering services
with known vulnerabilities (passive testing) or exploiting known vulnerabilities that exist in
an unpatched operating system (active testing). Results of the conducted tests are
documented and presented to the system owner, and the vulnerabilities identified can then
be fixed. Pen testing must be conducted regularly as system threats and vulnerabilities
change over time. Information provided by the penetration test should be used to enhance
the company’s security policies and patch any vulnerabilities found. Additionally, results
from tests help management prioritize remediation based on which vulnerabilities are
actually exploitable and to what degree, providing a more accurate representation of the
likelihood and impact of the risk.

2. Penetration Testing Methodology


Penetration testing consists of the following five stages. These stages must be seen through to
completion to ensure all vulnerabilities to the company IT infrastructure are identified and
corrected.

2.1 Planning and Preparation


Penetration testing requires a lot of preparation to ensure testing is successful.
To begin preparation for a penetration test, a kickoff meeting should be scheduled between the
company and the pen tester. If the test is done by the company itself, the IT department should
schedule a meeting with management and IT administrators. During the meeting, discuss the scope
and objectives of the penetration test to be completed. The scope of a project specifically
defines what is to be tested and how. Will web applications be analyzed, social engineering
activities performed, or physical controls tested? Will active testing, where vulnerabilities
are exploited, be used, or passive testing, where potential vulnerabilities are just identified?
When establishing the scope of testing, identify the systems and network operational
requirements and the staff involved. It is important to also discuss the expectations of results
and how the company would like them presented.


Throughout the planning phase, discuss the timing and duration of the penetration tests.
This is important in making sure normal business operations are not disrupted
throughout testing. The company must understand what systems or networks are being tested,
the capacity and capability of the system, and the users affected. The penetration testers should
have a thorough understanding of the company’s expectations, needs, and infrastructure before
creating a testing plan. Testing plans should be discussed and approved by company
management before conducting testing procedures. An organization should decide whether it wants
to inform its employees of the testing. Once this decision is made, instructions should
be clearly defined and communicated to employees if deemed necessary.

Penetration testing involves conducting activities on external and internal company systems
or networks that would be illegal without authorization. Any information or data obtained
during testing will be treated as confidential and will be returned or destroyed upon
completion and according to plan. Legal and regulatory documents acknowledging the risks and
procedures must be signed by company executives before penetration testing begins. An
emergency contact should be assigned and available at all times during the pen test, and
status meetings should be scheduled if necessary.

2.2 Information Gathering and Analysis


Following completion of planning and preparation with the organization, the next stage is to
gather as much information as possible regarding the systems or networks being tested. The
place to start gathering information will depend on the type of test being performed. A white
box test may start with a ping sweep or network map of the in-scope network, whereas a black box
test may start with the company website or known application URLs. Information gathered
during this step is valuable to the success of the penetration test because it identifies the
hosts, open ports, and running services that the tester will attempt to exploit.

2.3 Detection of Vulnerabilities


The next step when performing a penetration test is to determine what vulnerabilities exist in
each system. Vulnerability scanners will be run to attempt to identify any weaknesses on the
hosts and services identified during information gathering. The results of these scans should
be compared with Internet vulnerability databases to ascertain what current exploits may be
applicable to the target systems. The pen tester will then correlate the results from the scanner
and the vulnerability databases to create a Vulnerability Probability matrix. This will provide the
focus for attacks as well as a verified source to communicate attacks to the system owner before
moving on to the Exploitation phase. In some cases, system owners may want to stop at this
phase and patch their systems, so they are not harmed during the Exploitation phase. For
vulnerabilities that may be mitigated by a compensating control not visible to the scanner,
exploitation should be performed.


2.4 Penetration Attempt and Exploitation


After the vulnerabilities are detected, the next step is to perform a penetration attempt. It is
not always possible to successfully penetrate a target even though it is vulnerable. If a
vulnerability is exploited, the pen tester will attempt to gain root or administrator-level access
to the target systems. If successful, the pen tester will determine whether attacks against other
systems on the internal network are possible from the host that was compromised. All relevant
information should be documented, including access to the command line of a targeted system via
the access points identified in the vulnerability analysis; the host and directory or share
name to which access was gained; the host from which access was gained; the date, time, and
level of access; and finally, the security hole(s) that were exploited to gain access.

2.5 Analysis and Reporting


After completion of all the above tasks, documentation and a report must be created for the
organization. The report should provide an overview of the penetration testing process
completed. Following the overview, an analysis of critical vulnerabilities that exist in the system
or network should be reported. Crucial vulnerabilities are addressed first, followed by less
impactful vulnerabilities. Breaking vulnerabilities up in reporting helps the organization with
remediation decision making. Some organizations, depending on budget, will choose to fix only
the crucial vulnerabilities identified. The following information should also be included when
reporting a penetration test:

- Summary of successful penetration testing
- Listing of all information gathered during penetration testing
- Listing of all vulnerabilities found
- Description of all vulnerabilities found
- Suggestions and techniques to resolve vulnerabilities found

3. Penetration Testing Clean Up


Following the completion and reporting of the penetration testing performed, the company must
create a plan for cleanup. Cleanup is done to remove any security software, accounts, or other
artifacts that were created during testing. The list of documented actions performed in 2.4 will
allow personnel to retrace the test in order to clean up securely without impacting
company operations. Company management should verify and monitor the cleanup process to
ensure it is done successfully.

4. Roles and Responsibilities


Role: Company Management
Responsibility:
- Involved throughout the process
- Provides requested information

Role: Penetration Tester
Responsibility:
- Planning of penetration testing
- Works with company throughout the process
- Analyzes company information before performing testing
- Reports vulnerabilities to company management
- Provides company with techniques and recommendations to solve identified problems

Role: System Owners
Responsibility:
- Has a great understanding of the systems and networks being tested
- Provides requested information

5. Definitions and Terms


The following definitions are not all-inclusive and should be updated as new information
is made available:

Term Definition
