As mentioned previously, we concentrate on a process and apply that to our security components when we go about security testing. For this, we describe an abstract methodology here:
A simple abstract methodology consists of the following steps:
- Planning
- Non-intrusive target search
- Intrusive target search
- Remote target assessment
- Local target assessment
- Data analysis
- Reporting
The goal is to develop your process and select a minimum of two tools for each process, which provides the means for you to achieve the desired outcome at each step. Once you have done this, then you can add additional tools as required. The essential component is to have at least two tools to start professional security and penetration testing. For more on this abstract reference, refer to Building Virtual Pentesting Labs for Advanced Penetration Testing.
It is essential that you have a professional security testing plan and methodology before you start your penetration testing; furthermore, the more time you spend planning, the easier the test will be to perform. Without these essential elements, your testing will be unstructured and mostly ad hoc. This is something we want to avoid when it comes to performing penetration testing for a client who has hired us. We have briefly covered a number of methodologies here, and these are only provided as a reference. You are encouraged to build and develop your own methodology; the more time you spend on this, the more you will be rewarded in the end.