The National Institute of Standards and Technology (NIST) has its own set of standards for penetration testing. In NIST Special Publication 800-115, “Guide to Penetration Testing”, NIST outlines the requirements for a successful penetration test.
One of the key requirements for a successful penetration test is that the tester must have a clear understanding of the organization’s network and systems. The tester must also have a thorough understanding of the organization’s security policies and procedures.
To gain this understanding, the penetration tester performs initial reconnaissance, which may include active or passive information-gathering techniques. Once the information has been gathered, the tester analyzes it to identify potential vulnerabilities.
After the initial reconnaissance and analysis phases have been completed, the penetration tester can begin launching attacks, which can be either automated or manual. During the attack phase, it is important for the tester to remain undetected by the organization’s security systems.
Once the attack has been completed, the penetration tester analyzes the results and prepares a report. This report should include a detailed description of the attacks that were performed, any vulnerabilities that were identified, and recommendations for remediation.