Penetration Taxonomy: A Systematic Review on the Penetration Process, Framework, Standards, Tools, and Scoring Methods
Published: 2023-07-03
Issue: 13
Volume: 15
Page: 10471
ISSN: 2071-1050
Container-title: Sustainability
Language: en
Short-container-title: Sustainability
Author:
Sarker Kamal Uddin1,
Yunus Farizah1,
Deraman Aziz1
Affiliation:
1. Informatics, FTKKI, Universiti Malaysia Terengganu, Kuala Terengganu 21030, Malaysia
Abstract
Cyber attackers are becoming smarter, and at the end of the day, many novel attacks are hosted in the cyber world. Security issues become more complex and critical when the number of services and subscribers increases due to advanced technologies. To ensure a secure environment, cyber professionals suggest reviewing the information security posture of the organization regularly via security experts, which is known as penetration testing. A pen tester executes a penetration test of an organization according to the frameworks and standardization guidelines. Security breaches of the system, loopholes in OS or applications, network vulnerabilities, and breaking data integration scopes are identified, and appropriate remediation is suggested by a pen tester team. The main aim of a penetration process is to fix the vulnerabilities prior to the attack in tangible and intangible resources. Firstly, this review work clarifies the penetration conception and is followed by the taxonomy of penetration domains, frameworks, standards, tools, and scoring methods. It performs a comparison study on the aforementioned items that develops guidelines for selecting an appropriate item set for the penetration process according to the demand of the organization. This paper ends with a constructive observation along with a discussion on recent penetration trends and the scope of future research.
Subject
Management, Monitoring, Policy and Law; Renewable Energy, Sustainability and the Environment; Geography, Planning and Development; Building and Construction
References: 109 articles.
Cited by
1 article.