Chapter 5: Security Assessment and Testing
Pen Testing Teams (3)
1. Red team (the attackers who attempt to gain access to the systems)
2. Blue team (defenders who must secure systems and networks from attacks)
3. White team (observers and judges)
3 techniques of application scanning
1. Static testing (analyzes code without executing it)
2. Dynamic testing (executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities)
3. Interactive testing (combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces)
2 key decisions when implementing encryption
1. The algorithm to use to perform encryption and decryption
2. The encryption key to use with that algorithm
Pen Testing Types (3)
1. White-box tests (performed with full knowledge of the underlying technology, configurations, and settings that make up the target)
2. Black-box tests (intended to replicate what an attacker would encounter -- testers are not provided with access to or information about the environment)
3. Gray-box tests (some information about the environment is known, but full access, credentials, or configuration details are not given to the tester)
Common Vulnerability Scoring System (CVSS)
A SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.
Extensible Configuration Checklist Description Format (XCCDF)
A language for specifying checklists and reporting checklist results
Open Vulnerability and Assessment Language (OVAL)
A language for specifying low-level testing procedures used by checklists
Nikto
A popular web application scanning tool
Arachni
A popular web application scanning tool (available for Windows, macOS, and Linux)
War Driving
An attacker drives by facilities in a car equipped with high-end antennas and attempts to eavesdrop on or connect to wireless networks
Telnet
An insecure protocol used to gain command-line access to a remote server
Risk appetite
An organization's willingness to tolerate risk within the environment
Penetration Testing
Authorized, legal attempts to defeat an organization's security controls and perform unauthorized activities. These tests are time-consuming and require staff who are equally skilled and determined as the real-world attackers.
Attack vector metric
Describes how an attacker would exploit the vulnerability (physical, local, adjacent network, network)
Attack complexity metric
Describes the difficulty of exploiting the vulnerability (high, low)
Privileges required metric
Describes the type of account access that an attacker would need to exploit a vulnerability
Availability metric
Describes the type of availability disruption that might occur if an attacker successfully exploits the vulnerability
Confidentiality Metric
Describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability
CVSS Impact Sub-Score (ISS)
ISS = 1 - [(1 - Confidentiality) x (1 - Integrity) x (1 - Availability)]
Weak configuration settings
Open permissions, unsecured root accounts, errors, weak encryption settings, insecure protocol use, default settings, open ports and services
Common Platform Enumeration (CPE)
Provides a standard nomenclature for describing product names and versions
Common Vulnerabilities and Exposures (CVE)
Provides a standard nomenclature for describing security-related software flaws
Common Configuration Enumeration (CCE)
Provides a standard nomenclature for discussing system configuration issues
Common Vulnerability Scoring System (CVSS)
Provides a standardized approach for measuring and describing the severity of security-related software flaws
File Transfer Protocol (FTP)
Provides the ability to transfer files between systems but does not incorporate security features (should not be used)
Factors to consider when determining how often to conduct vulnerability scans
Risk appetite, regulatory requirements, technical constraints, business constraints, licensing limitations
Credentialed scan
Scan in which the scanning computer has an account on the computer being scanned, allowing the scanner to perform a more thorough check for problems that cannot be seen from the network.
Application Scanning
Scanner that analyzes custom-developed software to identify common security vulnerabilities
Infrastructure (Network) Vulnerability Scanning
Scanners capable of probing a wide range of network-connected devices for known vulnerabilities. They reach out to any systems connected to the network, attempt to determine the type of device and its configuration, and then launch targeted tests designed to detect the presence of any known vulnerabilities on those devices. Examples: Tenable's Nessus, Qualys, Rapid7's Nexpose, OpenVAS (open source)
Web Application Scanning
Scanners used to examine the security of web applications. Test for web-specific vulnerabilities, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
Secure Shell (SSH)
Secure replacement for Telnet when seeking to gain command-line access to a remote system
Secure File Transfer Protocol (SFTP) and FTP-Secure (FTPS)
Secure replacements for FTP when transferring files between systems
Agent-based scan
Vulnerability scan where the administrators install small software agents on each target server. These agents conduct scans of the server configuration, providing an "inside-out" vulnerability scan, and then report information back to the vulnerability management platform for analysis and reporting
Purple teaming (pen testing)
When the red and blue teams of a pen test exercise come together at the end to talk about lessons learned
Integrity metric
Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability
User interaction metric
Describes whether the attacker needs to involve another human in the attack
Scope metric
Describes whether exploiting the vulnerability can affect system components beyond the vulnerable component's own security scope.