Empirical Analysis of Security Attacks to Create a Framework for Penetration Testing
Implementing a new methodology requires an accurate and extensive evaluation of the existing approaches. The new methodology should therefore address the shortcomings of the existing approaches, with the aim of improving the effectiveness and efficiency of penetration testing. This research focuses on a critical evaluation of three existing methodologies, examining their strengths and weaknesses so that the new approach to penetration testing can be made more efficient. The paper also examines how the new approach addresses the demerits of the existing methodologies, and illustrates how the test can be carried out by indicating any problems encountered during execution of the new approach.
The Open Source Security Testing Methodology Manual (OSSTMM)
This methodology was written by Pete Herzog and is distributed by the Institute for Security and Open Methodologies (ISECOM) (ISECOM 2012, p. 1). It provides guidelines for the management and governance of security testing. Its aim is to confirm that security tests are conducted thoroughly and through the necessary channels. To achieve consistency, the methodology focuses on producing repeatable results, which allows it to offer factual, practical, and consistent operational security requirements. In practice, the methodology faces several challenges and obstacles. One essential limitation is its inability to provide an accurate and elaborate framework of processes, procedures, and tools for achieving its goals and requirements; the methodology focuses on only two concepts, tracking of the testable and the type of the target (Ketchen & Bergh 2007, p. 237). It also downplays the importance of the security tester's skills. Despite these limitations, the methodology is effective because it integrates the Risk Assessment Value, which enables the auditor to identify and extract vulnerabilities in the context of the security situation. The methodology is also subject to errors such as falsification, human error, sampling error, and propagation. It would be ideal to modify this methodology in order to strengthen the rules or guidelines of engagement and minimize these errors.
The National Institute of Standards and Technology (NIST)
Although NIST is less inclusive than OSSTMM, it is one of the essential methodologies preferred by regulatory agencies. It integrates techniques, templates, and tools that are valuable in assessing numerous networks and systems. This is achieved through four phases: planning, discovery, attack, and reporting. These phases cover, respectively, the identification of goals and regulations, the comparison of vulnerability analysis services/operating systems, the exploitation of identified vulnerabilities, and the provision of mitigations for those vulnerabilities (Scarfone 2009, p. 52).
NIST incorporates security tools such as Metasploit and vulnerability scanners such as OpenVAS. The methodology also incorporates testing skills and guidelines for executing the testing process. Its weaknesses include the extensive investment of time, effort, software, hardware, and human resources that it demands. This reduces its practicality in scenarios that require frequent security assessment (Wilhelm 2009, p. 166), because only organizations with adequate resources can benefit from its effectiveness, which in turn reduces its versatility across various software applications. It is therefore essential to address the excessive time, the heavy investment in software, hardware, and human capital, and the effort that are the shortcomings of the NIST methodology in providing accurate vulnerability analysis.
The Information Systems Security Assessment Framework (ISSAF)
This framework is vital in evaluating an information system with the aim of identifying vulnerabilities. It examines two testing aspects: the technical and the management aspects of security. The management component incorporates the practices and support that guide the assessment of the information system, while the technical component focuses on establishing an effective security assessment of the systems (Singh 2012, p. 18). It reflects the components of a process or procedure rather than an audit, as in the case of OSSTMM. This methodology is considered immature and outdated in comparison to OSSTMM and therefore incapable of meeting the needs of modern applications, because it lacks the features and procedures needed to perform at the level of OSSTMM in evaluating the vulnerability of relevant systems (Singh 2012, p. 19). Despite this, the methodology executes the assessment process in a rational order.
The role of each domain is to evaluate the components of the target system with the aim of identifying vulnerabilities or loopholes. These areas of focus include risk evaluation, control assessment, and generation of security policies. One weakness of this framework is the extensive effort required to execute the process and realize its goals: the methodology requires extensive effort, time, and resources to supplement human expertise in evaluating the vulnerability of communication systems. This makes it less effective when time and budget are limited (Zubairi & Mahboob 2011, p. 85). Another limitation is maintenance, because the framework requires frequent updates to remain effective and efficient in assessing target systems.
Proposed Methodology (Metasploit 3.0)
The proposed methodology should minimize or eliminate the challenges facing the three existing methodologies in evaluating the vulnerabilities of available systems. This is achieved through a focus on appropriateness, guidelines, robustness, and versatility in assessing the vulnerability of various systems in both organizational and residential settings. These factors relate to the expertise and skills needed to achieve favorable results. The proposed methodology should also be flexible enough to operate effectively and efficiently under any constraint. The improved version of Metasploit (Metasploit 3.0) has adequate features and components to meet these needs and requirements where the three existing methodologies fall short (Maynor et al. 2007, p. 3).
This is because it incorporates effective features from the existing ISSAF, OSSTMM, and NIST frameworks. The proposed methodology can offer guidelines for executing the assessment process, thus enhancing the tester's capacity to achieve the desired goals and objectives. Its efficiency comes from integrating components such as payload encoders, exploits, reconnaissance tools, and other components that initiate and facilitate the assessment process. The proposed methodology minimizes the need for extensive effort and resources in the assessment by integrating guidelines and phases into the performance of the test or evaluation used to identify vulnerabilities (Maynor et al. 2007, p. 5). This allows both experienced and unskilled testers to participate in achieving the desired goals. In testing for vulnerabilities, the proposed methodology incorporates the phases of planning, discovery/identification, disclosure, analysis, and exploit generation to maximize the assessment process (Faircloth & Hurley 2007, p. 540). These processes will enable the methodology to achieve its goals and objectives with respect to both the management and technical aspects of the testing or assessment process.
References
ISECOM, 2012. Open Source Security Testing Methodology Manual (OSSTMM). [online] Available at: http://www.isecom.org/research/osstmm.html [Accessed: 16/12/2012].
Zubairi, J.D. and Mahboob, A. 2011. Cyber Security Standards, Practices and Industrial Applications: Systems and Methodologies. Idea Group Inc.
Wilhelm, T. 2009. Professional Penetration Testing: Creating and Operating a Formal Hacking Lab. Syngress.
Maynor, D., Mookhey, K., Cervini, J., Roslan, F. and Beaver, K. 2007. Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research. Elsevier, Inc.
Scarfone, K. 2009. Technical Guide to Information Security Testing and Assessment: Recommendations of the National Institute of Standards and Technology. DIANE Publishing.
Singh, A. 2012. Metasploit Penetration Testing Cookbook. Birmingham: Packt.
Ketchen, D. and Bergh, D. 2007. Research Methodology in Strategy and Management, Volume 4. Syngress.
Faircloth, J. and Hurley, C. 2007. Penetration Tester's Open Source Toolkit. Syngress.
