Week 12 – Assessing vulnerabilities in varied information systems.

1. Elaborate the necessity of the Penetration Testing Execution Standard (PTES).

The Penetration Testing Execution Standard (PTES) is a set of standards that give a
framework for conducting systematic and complete penetration testing. PTES was created
to address the need for a standardized approach to penetration testing, as many
businesses' testing procedures lacked consistency and coherence.

The necessity of PTES is listed below:

 Standardization:
PTES offers a systematic approach to penetration testing. This assists in ensuring
that all components of the testing process are covered consistently and that the
results are trustworthy and reproducible. Standardization is particularly crucial when
conducting testing on a big scale or when several testers are engaged.
 Comprehensive Coverage
PTES includes all phases of penetration testing, including scoping, reconnaissance,
enumeration, vulnerability analysis, exploitation, post-exploitation, reporting, and
cleanup. This guarantees that all potential vulnerabilities are discovered and
handled.
 Risk management
The necessity of risk management in the penetration testing process is emphasized
by PTES. This includes assessing the effect of detected vulnerabilities and ranking
them in order of potential impact. Organizations can prioritize their resources and
take fast action to mitigate any potential dangers by focusing on high-risk
vulnerabilities first.
 Collaboration
Throughout the testing process, PTES supports communication between testers and
clients. This helps to ensure that the testing objectives are clearly stated and that the
results are successfully communicated. Cooperation also contributes to the
development of trust between testers and clients, which is vital for long-term
collaborations.
 Continuous improvement
 PTES fosters continual testing process improvement by highlighting the relevance of
feedback and evaluation. This allows firms to learn from their mistakes and improve
their testing methods over time.

2. Simply list down, the seven phases of the PTES.

The seven phases of the PTES are:
Step 1: Pre-Engagement Interactions
Step 2: Intelligence Gathering
Step 3: Threat Modelling
Step 4: Vulnerability Analysis
Step 5: Exploitation
Step 6: Post-Exploitation
Step 7: Reporting
These phases are intended to give a comprehensive approach to penetration testing by
covering all components of the testing process in a systematic and organised manner.

3. Elaborate the seven phases of the PTES in as much detail as you can.
The seven phases of the PTES is elaborated below in detailed:
 Pre-engagement Interactions: This phase entails defining the scope of the
penetration test, establishing the rules of engagement, and acquiring the
appropriate approvals and authorizations. It also includes developing
communication routes between the testers and the client.
 Intelligence Gathering: The testers gather knowledge about the target
organization and its systems during this phase. Identifying the target's IP
addresses, domain names, network topology, and other important information
that can aid in the penetration testing process is part of this.
 Threat Modelling: During this phase, possible threats and attack vectors that
could be utilized to breach the target systems are identified. It entails gaining an
awareness of the target's security posture and finding potential vulnerabilities.
 Vulnerability Analysis: This phase entails undertaking a detailed examination of
the vulnerabilities revealed during the intelligence collection and threat modeling
phases. It entails confirming the existence of the vulnerabilities as well as
determining their severity and effect.
 Exploitation: The testers attempt to exploit the vulnerabilities discovered during
the vulnerability analysis phase during this phase. This include attempting to get
access to the target systems, escalate privileges, and gain access to sensitive
data.
 Post-Exploitation: Once the testers have successfully infiltrated the target
systems, this phase entails actions such as maintaining access, gathering further
information, and exploring the network. This includes attempts to pivot to other
systems, the installation of backdoors, and the concealment of tracks.
 Reporting: This final phase entails recording and presenting the findings of the
penetration testing procedure to the client. The report contains an executive
summary, comprehensive findings, remediation recommendations, and any other
relevant information that can help improve the organization's security posture.
Bibliography
PTES, 2014. Penetration Testing Execution Standard. [Online]
Available at: http://www.pentest-standard.org/index.php
[Accessed 2 3 2023].