Advanced Science and Technology Letters

Vol.87 (Art, Culture, Game, Graphics, Broadcasting and Digital Contents 2015), pp.34-37
http://dx.doi.org/10.14257/astl.2015.87.08

Comparative Study of Penetration Test Methods

Yong-Suk Kang1, Hee-Hoon Cho2, Yongtae Shin3 and Jong-Bae Kim4*

1
Department of IT Policy and Management, Graduate School of Soongsil University,
Seoul 156-743, Korea
3
Department of Computer Science, Soongsil University, Seoul 156-743, Korea
2, 4*
Graduate School of Software, Soongsil University, Seoul 156-743, Korea
1
postwin@gmail.com,2heehoonc@naver.com,3shin@ssu.ac.kr,4*kjb123@ssu.ac.kr

Abstract. In todays world, security threats and risks are evolving rapidly. To
respond to these threats, enterprises and institutes perform Penetration Tests
(PenTest) of security companies as a way of enhancing their security. After the
testing, a security weakness analysis is conducted to strengthen system security.
In other countries, a reliable and well-designed penetration test methodology is
applied in order to reliably perform these test and assessments. However, Korea
still lacks research on guidelines and assessment methods of penetration test
methodologies. Therefore, this paper tries to suggest the criteria that are needed
to choose an appropriate methodology through comparative research.

1 Introduction

With the development of IT devices and networks, the operation of information

systems brings more significant risks. With the rise in risks, more direct and indirect
security accidents have occurred. Looking at recent IT security incidents, it is clear
that the trend of security weaknesses and threats to conventional and new business
models has been changing rapidly, and that attack techniques are becoming more
diverse and sophisticated. To respond to these, enterprises and institutes regularly and
constantly perform penetration tests. A Penetration Test (PenTest) is an attempt to
find the security weaknesses of a computer system and intentionally attack the system
with legal approval, in order to manage the computer system more safely.

2 Related Works

In the 1960s, penetration testing was first attempted by a security expert. In the 1990s,
Tiger Team was established, and expert groups executed penetration tests. From the
1980s to 1990s, the focus had been placed on security systems. Special books on
security, such as Improving the Security of Your Site by Breaking Into it and
Hacking Exposed were published [2]. The main purpose of penetration testing is to
prove various potential security risks from an attacker's position and an insider's
position. Penetration testing can be categorized into such areas as Network, System,

ISSN: 2287-1233 ASTL

Copyright 2015 SERSC
 Advanced Science and Technology Letters
Vol.87 (Art, Culture, Game, Graphics, Broadcasting and Digital Contents 2015)

Security, Application, and others. The penetration testing process consists of nine
steps [3], and can be categorized into six types [4].

3 Types of penetration testing

3.1 OSSTMM (Open Source Security Testing Methodology Manual)

OSSTMM includes penetration testing methodologies and improvements in corporate

security strategies and quality, and can be applied to almost all inspection types,
including penetration testing, ethical hacking, security assessment, and vulnerability
inspection [5]. The OSSTMM consists of test modules for each area. Each module is
designed in the work unit. Penetration testing methods are as follows:
(1) Information Security Testing
Information security testing includes various tests of issues related to information.
(2) Process Security Testing
Process security testing includes state review, a test of requirements, a test return
requirements, a test of guide proposal, and a test of reliable persons.
(3) Internet Technology Security Testing
Internet technology security testing consists of tests of reliable systems, including
intrusion detection review, system service identification.
(4) Communications Security Testing
Communications security testing includes voice test, model inspection, remote
access control test, IP test, and tests of other communications security issues.
(5) Wireless Security Testing
Wireless security testing consists of tests of securities issues in wireless
environments.
(6) Physical Security Testing
Physical security testing consists of tests of security issues.

3.2 OWASP (Open Web Application Security Project)

In 2008, OWASP Testing Guide V3 was released. Testing Guide is used to look into
appropriate technologies and works, which can be performed in various phases of the
Software Development Life Cycle (SDLC), in the framework unit, and provides a
concrete guideline which needs to be followed according to process [6]. OWASP
Framework Flow is made up of five phases and includes the SDLC test framework.
(1) Information Gathering
Essential to penetration testing, this phase has the methods of gathering as much
information on a target application as possible, and includes various kinds of analysis.
(2) Configuration Management Testing
Configuration information is collected from the large amount of information
gathered in the information gathering step.
(3) Authentication Testing
Authentication testing is attempted in the log-in process.

Copyright 2015 SERSC 35

Advanced Science and Technology Letters
Vol.87 (Art, Culture, Game, Graphics, Broadcasting and Digital Contents)

(4) Session Management Testing

Critical information to control interaction between a web application and a user,
such as a session ID or a cookie type, is tested.
(5) Authorization Testing
Acquiring and escalating access rights to resources are tested.

3.3 ISSAF (Information Systems Security Assessment Framework)

ISSFS is designed in a structured framework type to assess various information

systems. It suggests the assessment and testing standards for each domain and has a
security assessment that reflects actual scenarios. The penetration testing procedures
are as follows:
(1) Information Gathering
Perform to gather information on the internet in order to understand a system and
identify the system's weaknesses.
(2) Network Mapping
The information gathered in the information gathering procedure is related to
access to network and resources.
(3) Vulnerability Identification
Specific weaknesses are found and tested.
(4) Penetration
An unauthorized access is attempted with the bypass function using security
weaknesses.
(5) Gaining Access and Privilege Escalation
Any possible points of penetration in a given circumstance are checked, and access
is gained or privilege is escalated.
(6) Enumerating Further
The traffic wiretapped by sniffing or other kinds of techniques are analyzed, and an
attack on a password is made using cookie or session information.
(7) Compromise Remote Users/Sites
Homeworkers of a company or remote site users gain access rights, and then a trial
of obtaining the access rights is made.
(8) Maintaining Access
A Pen Tester is secretly hidden in a system or a network through a secret channel in
order to obtain access rights. Backdoor or Rootkit can be used.
(9) Cover the Tracks
In this procedure, the penetration tracks are deleted. Files are hidden, or log
information is deleted.

3.4 RSA

Based on the penetration testing assessment, RSA classifies security into five levels:
Critical, High, Medium, Low, and Informational. Since the security levels are
determined with the calculated points of methodology, realism, and reporting &
output, it suggests a maturity model. It is possible to find a simple penetration testing

36 Copyright 2015 SERSC

 Advanced Science and Technology Letters
Vol.87 (Art, Culture, Game, Graphics, Broadcasting and Digital Contents 2015)

maturity model [2]. In the methodology category of the maturity model, it is possible
to assess the use, approach possibility, and potential vulnerability of a methodology;
and in the reporting & output category, it is possible to judge how valuable
penetration testing is and how much those concerned use the testing.

4 Conclusion

Table 1. Comparison Analysis

Penetration Testing Testing Steps of

Features
Methodologies Methodology
OSSTMM 6 phases Applicable to most inspection types
Suggesting a model and guidelines which can be
OWASP 9 phases
performed in various phases of SDLC
ISSFS 9 phases Making a security assessment of actual scenarios
Possible to derive various results of penetration
RSA 5 phases
through a maturity model

Each penetration testing methodology is presented in the above table. OSSTMM is

applicable to a wide range of inspections. OWASP has established the test framework
for web applications. ISSFS is designed in a structured framework type to assess
various information systems, suggests the assessment and testing standards of each
domain, and performs security assessment that reflects actual scenarios. RSA
determines security levels on the basis of the points calculated, suggests a maturity
model with them, and thus helps to realize the influence of outputs. All factors
considered, it is important to apply a penetration testing methodology that is suitable
for each enterprise and institute in order to achieve the maximum efficiency.

References

1. Penetration test, wikipedia.org/wiki/

2. Shackleford, D.: A Penetration Testing Maturity and Scoring Model,
SACONFERENCE(2014)
3. http://www.metasploit.com
4. Herzog, P.: OSSTMM 3 LITE., ISECOM(2008)
5. Pate Herzog.: OSSTMM 2.1 Open-Source Security Testing Methodology Manual, ISECOM,
(2003)
6. Meucci, M.:OWASP Testing Guide V3.0, OWASP(2008)
7. Park, H. G.:OWASP Top 10 2010, SecurityPlus(2010)

Copyright 2015 SERSC 37