Legal And Ethical Considerations Of A Penetration Tester In The UK

Considerations for Penetration Testing in the UK

Penetration testing comes under the regulatory actions which has bene stated by the Government of the UK. In a penetration testing process, the ethical hacker is supposed to perform intrusion techniques within the organizational network (Bhardwaj et al. 2021). In that process, the ethical hacker needs to go through various kinds of legal processes where they would need to take the permission from the organization in order to conduct the penetration testing. The legal and ethical considerations made by the government of the UK states various kinds of ethical policies and regulations which the ethical need to obey which conducting the penetration test on the organizational network of the company (Ghanem and Chen 2020). Below are some of the major considerations which the penetration tester needs to make before proceeding with the penetration test –

• The penetration tester needs to draft a scope of the penetration test. The scope of the penetration test would include all the data and information which are required for conducting the penetration (Zhang et al. 2019). There are primarily three types of penetration test. These penetration tests are conducted, based on the type of target which has been selected. In the event of black box penetration testing, the penetration tester does not have any knowledge about the organizational network which they would be exploiting. They need to formulate a roadmap, through which they would be able to first find the vulnerabilities present in the system and then proceed with exploitation (Vats, Mandot and Gosain 2020). Next, there is the grey box penetration testing. In this kind of grey box penetration testing, the ethical hacker knows about the web application whose vulnerabilities needs to be identified and then exploited (Hatfield 2019). Lastly, in white box penetration testing, the ethical hacker knows about all the information about the web application and then proceeds with the testing.
• The scope of the penetration testing also contains the details of the client. Furthermore, the penetration tester explains the client about the steps they would be conducting on the organization network or web application (Chaudhary, O’Brien and Xu 2020). The technical team of the client needs to stay online throughout the process. If there is any kind of issue occurrence then the penetration testing team will inform the technical team about the issue and it will be resolved as soon as possible, so that, the end users of the web application is not affected.
• The penetration testing team will let the technical team of the client know, when the penetration testing is going to start (Chowdhary et al. 2020). Also, all the progress which the penetration testing team is achieving, will be sent as a notification to the client organization.

The UK Government also has two major laws and rights, which helps them to keep the penetration tester accountable if any kind of data breach happens. The laws are –

1. Data Protection Act 1998.
2. Computer Misuse Act 1990.

The different methodologies helps the penetration tester to proceed with the test. It involves various kinds of phases which acts as a guide for the penetration tester. The list of the penetration testing methodologies is –

1. OSSTMM (Open Source Security Testing Methodology Manual)
2. PTES (Penetration Testing Execution Standard)
3. OWASP (Open Web Application Security Project)
4. ISSAF (Information Systems Security Assessment Framework)

The OSSTMM is a manual, which contains various kinds of security testing methodology. Through the manual, the penetration tester is able to use various kinds of vulnerability analysis techniques in order to find out the vulnerabilities which are present within the organizational network (Hu, Beuran and Tan 2020). With the help of OSSTMM, the asset of the organization can be isolated and the possible threat can also be isolated. After that, the threat is analyzed in order to find out the root cause. However, OSSTMM has a premium version as well, for which the penetration tester needs to purchase the manual. Thus, with the free version of OSSTMM, is limited to the functionality that are required in order to conduct the penetration test on the organization (Goutam and Tiwari 2019). Adding to that, the tool description and software application present in OSSTMM does not have proper conclusion, due to this reason, the penetration tester is unable to choose which tool they should select in order to proceed with the penetration testing process.

Furthermore, the penetration testing which will be conducted, will be on a web application. The services, which are most likely to be exploited are http, vnc and ssh services (Ibrahim and Kant 2018). Also, the OSSTMM provides flexibility to the penetration tester with its guidelines and norms. It helps the penetration tester to get a deep understanding on the various kinds of components which are interconnected with one another (Khera, Kumar and Garg 2019). Also, the penetration testing process through OSSTMM is so much extensive that, the vulnerabilities are unable to hide.

Two Major Laws and Rights Governing Penetration Testing in the UK

This standard contains one of the core penetration methodologies, which has been drafted by leading penetration testers around the world (Lu and Yu 2021). It contains various kinds of vulnerability testing methods, through which the penetration tester would be able to identify the vulnerabilities which are present within the web application. After that, using the Metasploit framework present within the Kali Linux Operating System, the penetration tester would be able to exploit the vulnerabilities that has been identified earlier. The main objective of PTES is to provide standardized methodology approach towards the penetration testing of an organizational network or web application (Zitta et al. 2018). Through the standardized approach, the penetration tester is guided with steps which helps them in identifying the vulnerabilities which are present within the system.

There are total of seven phases which are present within the penetration testing through PTES. First, the penetration tester drafts a plan which contains details of the component on which they will interact (Shah et al. 2019). Depending on the type of system, threat modelling is conducted. This helps the penetration tester to understand the probable threats which might be present. After that, the penetration tester conducts a loophole analysis which helps in identifying the loopholes which are present within the organizational network. After that, exploitation is performed on the vulnerabilities which has been identified. Next, an attack is launched against the system. This helps in extracting the data and information which are present in the database and server of the organization (Lee et al. 2020). Lastly, documentation is conducted, where the vulnerabilities are listed out. It also contains the mitigation techniques, which the organization should perform in order to remove the listed vulnerabilities from the organizational network and the web application.

This technique helps in considering the various software development methodologies in order to conduct a proper analysis. OWASP uses a smaller number of automated tools, as it believes that, tools are not efficient enough to identify the vulnerabilities which are present in an organizational network or web application (Gangupantulu et al. 2021). However, this penetration methodology is majorly used to find the loopholes which are included in a web server. Adding to that, the part of computerized tests in detecting the loopholes in our administrations will be diminished. This process covers nearly all perspectives of a web application, subsequently covering all conceivable assault surfaces. For the penetration testing on a web server giving HTTP, SSH and VNC, this will majorly cover everything related to http (Patel 2019). To begin with, the penetration tester drafts a arrange which contains points of interest of the component on which they will connected.

Comparison of Penetration Testing Methodologies

Depending on the sort of framework, risk demonstrating is conducted. This makes a difference the infiltration analyzer to get it the plausible dangers which can be show. After that, the infiltration analyzer conducts an escape clause examination which makes a difference in recognizing the escape clauses which are display inside the organizational arrange (Ankele et al. 2019). After that, misuse is performed on the vulnerabilities which has been recognized. Following, an assault is propelled against the framework. This makes a difference in extricating the information and data which are show within the database and server of the organization. In conclusion, documentation is conducted, where the vulnerabilities are recorded out. It too contains the relief methods, which the organization ought to perform in arrange to evacuate the recorded vulnerabilities from the organizational organize and the net application (Casola et al. 2020). Few of the important services and assets which OWASP focusses on are, credentials present which helps in authorization of users. It also helps in understanding the key validation concept which is majorly used during the encryption process. Lastly, it helps in identifying the vulnerabilities which are present within the session management of the web application or web server.

This penetration testing technique contains a total of three phases. The name of the phases is, synthesis, analysis and evaluation phase. This procedure covers about all points of view of a web application, hence covering all conceivable attack surfaces (Kissi and Asante 2020). For the entrance testing on a web server giving HTTP, SSH and VNC, this will majorly cover everything related to http. To start with, the entrance analyzer drafts a orchestrate which contains focuses of intrigued of the component on which they will associated. Depending on the sort of system, chance illustrating is conducted. This makes a contrast the invasion analyzer to induce it the conceivable perils which can be appear. After that, the invasion analyzer conducts an elude clause examination which makes a contrast in recognizing the elude clauses which are show interior the organizational orchestrate. After that, abuse is performed on the vulnerabilities which has been recognized. Taking after, an attack is moved against the system (Hance et al. 2022). This makes a contrast in removing the data and information which are appear inside the database and server of the organization. In conclusion, documentation is conducted, where the vulnerabilities are recorded out.

This section discusses about the various kinds of tasks which needs to be performed in order to proceed with the penetration test. It will also discuss the effective measures which needs to be undertaken, so that, the penetration test can be successful. The steps will also include the process through which the vulnerability analysis will be conducted. It will help in identifying the tools which will be used further during the course of penetration testing. The assignment that’s to be carried out is to create an assault tree in regard to a vulnerability test that’s assumed to be carried out to distinguish different vulnerabilities, which could be existing inside the embraced web server such as an Apache Server to secure the same from different dangers likely to be postured at the organize (Rani and Nagpal 2019). The scope of the infiltration testing too contains the subtle elements of the client. Besides, the entrance analyzer clarifies the client approximately the steps they would be conducting on the organization arrange or web application. The specialized group of the client ought to remain online throughout the method. In case there’s any kind of issue event at that point the penetration testing group will educate the specialized group approximately the issue and it will be resolved as before long as conceivable, so that, the conclusion clients of the net application is not influenced (Almaarif and Lubis 2020). The entrance analyzer should draft a scope of the infiltration test. The scope of the infiltration test would incorporate all the information and data which are required for conducting the infiltration.

OSSTMM

There are fundamentally three sorts of penetration test. The title of the sorts of infiltration test are, dark box entrance testing, white box entrance testing and grey box infiltration testing. Within the occasion of dark box infiltration testing, the entrance analyzer does not have any information almost the organizational organize which they would be misusing (Yadav et al. 2020). They ought to formulate a roadmap, through which they would be able to begin with discover the vulnerabilities show within the framework and after that continue with exploitation. Next, there’s the dim box infiltration testing. In this kind of dim box infiltration testing, the moral programmer knows almost the internet application whose vulnerabilities must be distinguished and after that abused. Consequently, the taking after area clearly portrays the person exercises to be carried out by the gather individuals in specific.

1. Goals of the Task – One of the members within the group will determine the goals of the task. This means that, they will be drafting a plan, which will act as a scope for the penetration test (Johari et al. 2020). Furthermore, the goals of the task will also include the services within the web server which will be exploited during the penetration testing.
2. Information Gathering – Another member of the group, will be assigned with the task of information gathering. The information gathering task will help in understanding the version and types of services the web server is providing to their end users (Kothia, Swar and Jaafar 2019). Also, with the help of information gathering, the tools which will be required in order to perform the penetration test will be selected.
3. Detection of Vulnerabilities – Once the information has been gathered about the web server, multiple group members will use the selected tool in order to detect or identify the vulnerabilities which are present within the web server. The vulnerability analysis will help in understanding which ports or services of the web server are mostly likely to be vulnerable for exploitation.
4. Analysis of Vulnerabilities – Once the vulnerabilities have been detected, analysis needs to be conducted. It will help in understanding the exploitation steps that needs to be considered to perform the penetration test. The vulnerabilities help in understanding the kind of exploitation which can be performed on the web server.

Phase 1 – Planning and Pre – Engagement

Process 1.1 – Strategy for Testing and interaction during Pre – Engagement

Activity 1.1.1 – Scope of Task

• Input – Interview with the client. Also, it would include interaction with the technical team of the organization.
• Function – The definition of penetration testing will be explained. Adding to that, the methodologies which will be used in penetration test will be discussed. Furthermore, the scope of the penetration testing will also be defined with the organization.
• Output – Explanation will be carried regarding the target boundaries, and the methodologies which will be undertaken. Also, the expected outcome for the penetration test will be discussed with the client.
• Resources / Tools – Documentation tools that used in the office.
• Details – The in – scope target needs to be obtained and the legal documents should be obtained from the client.

Phase 2 – Information Gathering

Process 2.1 – Ping Sweeping

Activity 2.1.1 – Identification of Target and Profiling

• Resources / Tools – Nmap
• Input – nmap -sn -O <IP Address of Target>
• Function – The target web server will be scanned to obtain its status and details of the operating system.
• Output – Status of the web server and information about the operating system.
• Details – Verification needs to be conducted to determine whether the target is live.

Activity 2.1.2 – Port Scanning

• Resource / Tools – Nmap
• Input – nmap -A -Pn -sU -sS -T2 -v -p 1-65535 <IP Address of Target>
• Function – The command will scan all the TCP and UDP ports of the target server.
• Output – List of open ports.
• Details – Verification for open ports, which are vulnerable to attack.

Activity 2.1.3 – Banner Grabbing

• Resources / Tools – Nmap
• Input – nmap -sV -script=banner <IP Address of Target>
• Function – Produce additional information of the server and the various services present.
• Output – Details of server running time, DNS record, active and open ports, services, authentication.
• Details – The target web server will be queried to gather more information about the services it provides, along with the data and information which are present.

Phase 3 – Vulnerability Identification and Analysis

Process 3.1 – Vulnerability scanning

Activity 3.1.1 – Identification of Application

• Resources / Tools – Nmap
• Input – nmap -sV –version-intensity 5 <IP Address of Target>
• Function – The version of the applications present in the web server will be exposed.
• Output – List of open and active ports, name of the service and the version of the application.
• Details – The in – scope target will be gathered from the client and the legal documents.

Activity 3.1.2 – Scanning of Vulnerabilities

• Resource / Tools – OpenVAS
• Input – IP Address of Target
• Function – The web server will be scanned in order to identify the vulnerabilities.
• Output – The vulnerabilities present in the web server will be listed out.
• Details – The OpenVAS software application conducts a deep vulnerability scanning on the web server, which helps in identifying the vulnerabilities that present within the web server.

Phase 3.2 – Identification of Vulnerabilities

Activity 3.2.1 – Identification and Validation of Vulnerabilities

• Resources / Tools – CVE and other kinds of vulnerability database
• Input – Versions of Application and Operating System.
• Function – Validation of the present vulnerabilities.
• Output – Vulnerabilities which can be exploited.
• Details – A cross checking will be conducting in order to find out the vulnerabilities that can be exploited based on the version of the Operating system and applications.

Activity 3.2.2 – Create Attack Venues

• Resource / Tools – Research and Documentation
• Input – The protection mechanisms need to be identified, along with that, the testing methodology will be used.
• Function – The testing methodology will be evaluated with the vulnerabilities that has been validated.
• Output – Templates of attack and Attack trees.
• Details – The weakness present within the target will established and probable point of entry.

Phase 4 – Exploitation

Process 4.1 – Customising the exploitation.

Activity 4.1.1 – Brute Force Application

• Resources / Tools – Medusa and Password Dictionary File
• Input – medusa -h <IP address of target> -u <username> -P /path/to/passwordfile.txt -M <service name> -n <port number>
• Function – Probable username and password will be used from the file in order authenticate.
• Output – Username and password have matched.
• Details – All the username and password will be used in order to find the correct credential for the web server.

Activity 4.1.2 – Brute Force with Network Logon.

• Resources / Tools – Ncrack, Password Dictionary File
• Input – ncrack -U <username.txt> -P </path/to/passwordfile.txt> <IP Address of Target>: <port>
• Function – Probable username and password will be used from the file in order authenticate.
• Output- Username and password have matched.
• Details – All the username and password will be used in order to find the correct credential for the web server.

Phase 5 – Post – Exploitation

Process 5.1 – Mitigate Attack Trees

Activity 5.1.1 – Deletion of log data.

• Resources / Tools – All the tools and software application that has been used earlier.
• Input – Web server which has been targeted.
• Function – Delete all digital footprints, after the succession of data breach.
• Output – Resume and restore the target system like it was before.
• Details – Identify and remove the syslog data and information and the login data and information from the target web server.

Phase 6 – Reporting

Process 6.1 – Documentation of the Penetration Test

Activity 6.1.1 – Technical Report.

• Resource / Tools – Text Editor and Screenshot of the penetration test.
• Input – The root cause will be analysed for technical purpose.
• Function – Report all the issues and problems that has been identified from the target web server.
• Output – Detailed penetration report, which will contain all the information about the vulnerabilities that has been found after conducting the penetration testing.
• Details – All the methods and approach that has been used in the data breach will be discussed. The discussion about the penetration test needs to be validated using the screenshots, that must be included into the technical report. The vulnerabilities that have been identified in the target web server also need to be discussed. Lastly, recommendation needs to be provided which will contain the mitigation steps which the organization that perform in order to remove the vulnerabilities from the web server.

Figure 1 – Attack Tree

(Source – Created by Author)

References

Almaarif, A. and Lubis, M., 2020. Vulnerability Assessment and Penetration Testing (VAPT) Framework: Case Study of Government’s Website. International Journal on Advanced Science Engineering and Information Technology, 10(5), pp.1874-1880.

Ankele, R., Marksteiner, S., Nahrgang, K. and Vallant, H., 2019, August. Requirements and recommendations for IoT/IIoT models to automate security assurance through threat modelling, security analysis and penetration testing. In Proceedings of the 14th International Conference on Availability, Reliability and Security (pp. 1-8).

Bhardwaj, A., Shah, S.B.H., Shankar, A., Alazab, M., Kumar, M. and Gadekallu, T.R., 2021. Penetration testing framework for smart contract blockchain. Peer-to-Peer Networking and Applications, 14(5), pp.2635-2650.

PTES

Casola, V., Benedictis, A.D., Rak, M. and Villano, U., 2020. A methodology for automated penetration testing of cloud applications. International Journal of Grid and Utility Computing, 11(2), pp.267-277.

Chaudhary, S., O’Brien, A. and Xu, S., 2020, June. Automated post-breach penetration testing through reinforcement learning. In 2020 IEEE Conference on Communications and Network Security (CNS) (pp. 1-2). IEEE.

Chowdhary, A., Huang, D., Mahendran, J.S., Romo, D., Deng, Y. and Sabur, A., 2020, December. Autonomous security analysis and penetration testing. In 2020 16th International Conference on Mobility, Sensing and Networking (MSN) (pp. 508-515). IEEE.

Gangupantulu, R., Cody, T., Park, P., Rahman, A., Eisenbeiser, L., Radke, D. and Clark, R., 2021. Using cyber terrain in reinforcement learning for penetration testing. arXiv preprint arXiv:2108.07124.

Ghanem, M.C. and Chen, T.M., 2020. Reinforcement learning for efficient network penetration testing. Information, 11(1), p.6.

Goutam, A. and Tiwari, V., 2019, November. Vulnerability Assessment and Penetration Testing to Enhance the Security of Web Application. In 2019 4th International Conference on Information Systems and Computer Networks (ISCON) (pp. 601-605). IEEE.

Hance, J., Milbrath, J., Ross, N. and Straub, J., 2022. Distributed Attack Deployment Capability for Modern Automated Penetration Testing. Computers, 11(3), p.33.

Hatfield, J.M., 2019. Virtuous human hacking: The ethics of social engineering in penetration-testing. Computers & Security, 83, pp.354-366.

Hu, Z., Beuran, R. and Tan, Y., 2020, September. Automated penetration testing using deep reinforcement learning. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 2-10). IEEE.

Ibrahim, A.B. and Kant, S., 2018. Penetration testing using SQL injection to recognize the vulnerable point on web pages. International Journal of Applied Engineering Research, 13(8), pp.5935-5942.

Johari, R., Kaur, I., Tripathi, R. and Gupta, K., 2020, October. Penetration Testing in IoT Network. In 2020 5th International Conference on Computing, Communication and Security (ICCCS) (pp. 1-7). IEEE.

Khera, Y., Kumar, D. and Garg, N., 2019, February. Analysis and Impact of Vulnerability Assessment and Penetration Testing. In 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon) (pp. 525-530). IEEE.

Kissi, M.K. and Asante, M., 2020. Penetration testing of IEEE 802.11 encryption protocols using Kali Linux hacking tools. International Journal of Computer Applications, 176(32), pp.26-33.

Kothia, A., Swar, B. and Jaafar, F., 2019, July. Knowledge Extraction and Integration for Information Gathering in Penetration Testing. In 2019 IEEE 19th International Conference on Software Quality, Reliability and Security Companion (QRS-C) (pp. 330-335). IEEE.

Lee, T., Wi, S., Lee, S. and Son, S., 2020, February. FUSE: Finding File Upload Bugs via Penetration Testing. In NDSS.

Lu, H.J. and Yu, Y., 2021. Research on wifi penetration testing with kali linux. Complexity, 2021.

Patel, K., 2019, April. A survey on vulnerability assessment & penetration testing for secure communication. In 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI) (pp. 320-325). IEEE.

Rani, S. and Nagpal, R., 2019. Penetration testing using metasploit framework: An ethical approach. Int. Res. J. Eng. Technol, 6(8), pp.538-542.

Shah, M., Ahmed, S., Saeed, K., Junaid, M. and Khan, H., 2019, January. Penetration testing active reconnaissance phase–optimized port scanning with nmap tool. In 2019 2nd International Conference on Computing, Mathematics and Engineering Technologies (iCoMET) (pp. 1-6). IEEE.

Vats, P., Mandot, M. and Gosain, A., 2020, June. A comprehensive literature review of penetration testing & its applications. In 2020 8th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)(ICRITO) (pp. 674-680). IEEE.

Yadav, G., Paul, K., Allakany, A. and Okamura, K., 2020, January. Iot-pen: A penetration testing framework for iot. In 2020 International Conference on Information Networking (ICOIN) (pp. 196-201). IEEE.

Zhang, N., Arroyo, M., Ciantia, M.O., Gens, A. and Butlanska, J., 2019. Standard penetration testing in a virtual calibration chamber. Computers and Geotechnics, 111, pp.277-289.

Zitta, T., Neruda, M., Vojtech, L., Matejkova, M., Jehlicka, M., Hach, L. and Moravec, J., 2018, December. Penetration testing of intrusion detection and prevention system in low-performance embedded IoT device. In 2018 18th International Conference on Mechatronics-Mechatronika (ME) (pp. 1-5). IEEE.