Penetration Testing

Penetration testing is a testing approach that mimic real-world attacks in an attempt to identify ways to circumvent security features of an application, system, or network[DMD5]. The simulated attack helps to check for exploitable vulnerabilities.

Method Purpose Short description of the method's purpose and main benefits

Method description A detailed description of the method

There are plenty of different techniques in data manipulation where MiTM, DoS and ARP poisoning are emerging and commonly exploited. MiTM or called with other name person-in-the-middle (PITM) is a cyber-attack technique. Basically, in this technique, the attacker positioning himself between two sides of communication for listening and resolving any information in communication [DMD1]. DoS (a Denial-of-Service) attack is a cyber-attack in which the perpetrator aims to make a machine or network resource unavailable to its intended users by temporarily or permanently disrupting services of a host connected to the Internet [DMD2, DMD3]. ARP is a communication protocol for link layer in ISO reference model at RFC 826 [DMD1]. ARP Poisoning is called with different names like, ARP spoofing, ARP cache poisoning, or ARP poison routing. It is a technique by which an attacker sends (spoofed) ARP messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead [DMD1, DMD4]. Industrial systems can be tested to detect these issues.

Method Strengths A listof the strengths of the method

Ability to apply real world attacks
Relatively shorter test duration compared to model‑based and simulation‑based approaches

Method Limitations The limitations of the method

Test can be carried out after full commissioning.
Possible side effects on other IT systems.
Not include zero‑day vulnerabilities.

Method References Bibliography references to papers about the method.

[DMD1] Yang, Y., McLaughlin, K., Littler, T., Sezer, S., Im, E. G., Yao, Z. Q., & Wang, H. F. (2012).: Man-in-the-middle attack test-bed investigating cyber-security vulnerabilities in smart grid SCADA systems.
[DMD2] Bechtsoudis, A., & Sklavos, N. (2012). Aiming at higher network security through extensive penetration tests. IEEE latin america transactions, 10(3), 1752-1756.
[DMD3] Denial-of-service attack. https://en.wikipedia.org/wiki/Denial-of-service_attack.
[DMD4] Denis, M., Zena, C., & Hayajneh, T. (2016, April). Penetration testing: Concepts, attack methods, and defense strategies. In 2016: IEEE Long Island Systems, Applications and Technology Conference (LISAT) (pp. 1-6). IEEE.
[DMD5] Nist. (2008, September). NIST Special Publication 800-115 Technical Guide to Information Security Testing and Assessment. Available at: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-115.pdf

Method Dimensions

Evaluation Environment Type Type of environment where the method is applied. It can be more than one type of environment. (Dimension 1)

Evaluation Type Type of evaluation performed with that method. If a method is hybrid, more than one type can be selected. (Dimension 2)

Type of Component Under Evaluation Type of components that can be evaluated with that method. It can be more than one type. (Dimension 3)

Evaluation Stage The evaluation stage where the method is used. (Dimension 5)

Purpose of the Component Under Evaluation The type of purpose that can be evaluated by a method. It can be more than one type. (Dimension 6)

Type of Requirement Under Evaluation The type of requirements that a method is able to evaluate. It can be more than one type. (Dimension 7)

Evaluation Performance Indicator The type of evaluation criteria or KPI that a method is able to improve. It can be more than one type. (Dimension 8)

Relations

Related Methods A method could be related to other methods.

Tools A method can use zero or more tools.

Part Method A method (when it is a combination: Combination of method artefact that is a specialization of a V&V Method) could be composed of a set of V&V Methods.

Test Case or Verification and Validation activity Test Case or V&V activity performed in a Use Case. We will link to the method to the test cases where the method is used.

Standards A method can be linked with standards.

Context

Workflow

Contents

There are currently no items in this folder.