What is the Penetration Testing Execution Standard (PTES)?
The Penetration Testing Execution Standard, or PTES, is a standard that was developed and continues to be enhanced by a group of information security experts from various industries. PTES provides a minimum baseline for what is required of a penetration test, expanding from initial communication between client and tester to what a report includes.
The goal of PTES is to provide quality guidance that helps raise the bar of quality for penetration testing. The standardization of penetration testing procedures helps organizations better understand the services they are paying for and gives penetration testers accurate direction on what to do during a penetration test.
The 7 Stages of PTES
The PTES methodology is a structured approach to penetration testing balancing guided phases with organizational vulnerabilities. The standard is organized in sections that define what should be included in a quality penetration test.
PTES defines penetration testing in seven phases:
- Pre-Engagement Interactions: Penetration testers will prepare and gather the required tools, OS, and software to begin the penetration test. The required tools vary depending on the type and scope of engagement but will be defined by a quality penetration tester at the start of any penetration test.
- Intelligence Gathering: The organization being tested will provide the penetration tester with general information about in-scope targets, and the tester will gather additional details from publicly accessible sources. This step is especially valuable in network penetration testing.
- Threat Modeling: Threat modeling is a process for prioritizing where remediation strategies should be applied to keep a system secure. PTES focuses on business assets, business processes, threat communities, and their capabilities as key elements of threat modeling.
- Vulnerability Analysis: Penetration testers are expected to identify, validate, and evaluate the security risks posed by vulnerabilities. This analysis of vulnerabilities aims to find flaws in an organization’s systems that could be abused by a malicious individual.
- Exploitation: This phase of a penetration test involves the exploitation of identified vulnerabilities in an attempt to breach an organization’s system and its security. Since the vulnerability analysis phase was completed in a quality manner, the next step is to test those entry points into the organization that are weak.
- Post-Exploitation: After the testing is complete, the penetration tester must consider the value of the compromised machine and its usefulness in further compromising the network.
- Reporting: An executive-level and technical-level report will be delivered covering what was tested, how it was tested, what vulnerabilities were found, and how the penetration tester found those weaknesses. The report should provide your organization with helpful guidance on how to better your information security practices.
The main segments of PTES provide a detailed dive into the purpose and expectations of penetration testing. For many organizations, the ins and outs of penetration testing are confusing. Because of standards such as PTES, you can get a better idea of what to expect when a penetration tester hunts for your organization’s vulnerabilities.
PTES influences the penetration testing methodology of many auditing firms across the industry. It’s through these standards that information security experts can develop a well-working, quality system that detects your greatest vulnerabilities and reports on ways to improve your information security processes.
At KirkpatrickPrice, we understand that keeping your data secure is important to your organization. That’s why our expert team of penetration testers work hard to stay up to date on industry standards, so you can focus on increasing the security of your organization. Contact us for more information on our quality penetration testing.