An Examination of Industry Standards of Success within Penetration Testing Groups

M. Ducoste, Rachel Bleiman, T. Nguyen, Aunshul Rege
DOI: 10.1109/ISEC52395.2021.9764146
Journal: 2021 IEEE Integrated STEM Education Conference (ISEC)
Publication date: 2021-03-13
Publication type: Journal Article
Citation count: 0

Abstract

An Examination of Industry Standards of Success within Penetration Testing Groups
Penetration testing groups can be used as an ethical proxy to study cybercrime groups, as both parties share the common goal of identifying and exploiting weaknesses in their targets’ systems. Pentesters often use existing industry standards to guide their performance and practices, but little research has investigated how these standards operate in simulated cybersecurity exercises. Using the experiences of college students in the 2018 and 2019 National Collegiate Penetration Testing Competition (CPTC), a simulation of a professional real-world penetration test, this study seeks to further examine pentesting metrics. Metrics from industry standards of pentesting practices are compared to the metrics identified by the CPTC participants, revealed through semi-structured group interviews. Industry metrics include standards, such as methods, information gathering, attack generation, quantity of findings, quality of findings, and reporting of findings. Other additional metrics identified by the CPTC participants include skills of the team, the environment, expectations, and the relationships among group members. This study uses a qualitative methodological approach to examine the metrics of success identified by pentesters as they reflect on their decisions, actions, and performance.