Manual penetration testing follows a consistent, standard approach. It includes the following stages:
Planning.
This stage includes collecting requirements and determining the scope, strategies, and objectives of testing in accordance with security standards. In addition, it may include an assessment of the areas to be tested, the types of planned tests, and other related checks.
Exploring.
At this stage, testers collect and analyze the most detailed information about the system and its related security attributes that is useful for targeting and attacking each block. There are two forms of collecting and analyzing information: passive and active exploring (in passive exploring, direct interaction with the system is not intended).
Vulnerability analysis.
At this stage, testers identify vulnerable areas of the system, which will later be used to enter and attack the system during the penetration tests.
Exploitation.
This stage is the actual penetration test, involving internal and external attacks. External attacks are emulated attacks from the outside (for example, obtaining unauthorized access to functions and data related to public applications and servers). Internal attacks begin after the intrusion of authorized objects into the system or network and represent various actions that can intentionally or unintentionally compromise the system.
Post-exploitation.
At this stage, each attack on the system is analyzed. The goals and objectives of the attack are evaluated, as well as its potential impact on system and business processes.
Reporting.
In general, reports are compiled at each stage of testing, and documentation is written for the entire event. The documentation can also describe various risks, identified problems, vulnerable areas, and proposed solutions to fix the issues found.