CISSP Ch 15: Security Assessment and Testing
ISO 27002
*Security controls* based on *industry best practices*.
banner grabbing
-Port scanners, network vulnerability scanners, and web vulnerability scanners use this technique to identify the variant and version of a service running on a system
-Opens a connection to the service and reads the details provided on the welcome screen, or banner, to assist with version fingerprinting
Control Objectives for Information and Related Technologies (COBIT)
-Common framework for conducting audits and assessments
-Maintained by ISACA
-Describes the common requirements that organizations should have in place surrounding their information systems
Network Vulnerability Scanning
-Go deeper than discovery scans: they don't stop at detecting open ports but continue on to probe a targeted system or network for the presence of known vulnerabilities
nmap
-Most common tool used for network discovery scanning
-Open source
-Provides the status of each port: open, closed, or filtered
four main categories of vulnerability scans
-Network discovery scans
-Network vulnerability scans
-Web application vulnerability scans
-Database vulnerability scans
TCP Connect Scanning
-Network discovery technique
-Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan
UDP Scanning
-Network discovery technique
-Performs a scan of the remote system using the UDP protocol, checking for active UDP services. This scan type does not use the three-way handshake, because UDP is a connectionless protocol
TCP ACK Scanning
-Network discovery technique
-Sends a packet with the ACK flag set, indicating that it is part of an open connection. This type of scan may be done in an attempt to determine the rules enforced by a firewall and the firewall methodology
Xmas Scanning
-Network discovery technique
-Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be "lit up like a Christmas tree"
TCP SYN Scanning
-Network discovery technique
-Known as "half-open" scanning
-Sends a single packet to each scanned port with the SYN flag set
Open Vulnerability and Assessment Language (OVAL)
-Part of SCAP
-Provides a language for describing security testing procedures
Extensible Configuration Checklist Description Format (XCCDF)
-Part of SCAP
-Provides a language for specifying security checklists
Common Vulnerabilities and Exposures (CVE)
-Part of SCAP
-Provides a naming system for describing security vulnerabilities
Common Platform Enumeration (CPE)
-Part of SCAP
-Provides a naming system for operating systems, applications, and devices
Common Configuration Enumeration (CCE)
-Part of SCAP
-Provides a naming system for system configuration issues
Common Vulnerability Scoring System (CVSS)
-Part of SCAP
-Provides a standardized scoring system for describing the severity of security vulnerabilities
Type II Reports
-Type of SOC report
-These reports go further and also provide the auditor's opinion on the operating effectiveness of the controls
-Cover an extended period of time: at least six months of operation
-Considered much more reliable than Type I reports because they include independent testing of controls
Type I Reports
-Type of SOC report
-Provide the auditor's opinion on the description provided by management and the suitability of the design of the controls
-Cover only a specific point in time, rather than an extended period
Network discovery scanning
-Uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports
-Scanners do not actually probe systems for vulnerabilities but provide a report showing the systems detected on a network
-Techniques: TCP SYN scanning, TCP Connect scanning, TCP ACK scanning, UDP scanning, Xmas scanning
Security Content Automation Protocol (SCAP)
A NIST framework that outlines various accepted practices for automating vulnerability scanning.
-Common language for describing and evaluating vulnerabilities
-Components: CVE, CVSS, CCE, CPE, XCCDF, OVAL
SOC 2 Engagements
Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system.
-Audit results are confidential and are normally only shared outside the organization under an NDA
SOC 3 Engagements
Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system.
-Audit results are intended for public disclosure
SOC 1 Engagements
Assess the organization's controls that might impact the accuracy of financial reporting.
service organization controls (SOC) audits
SSAE 18 and ISAE 3402 engagements
ISO 27001
The ISO (International Organization for Standardization) 27001 standard is a code of practice for implementing an information security management system, against which organizations can be certified.
Vulnerability scans
automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker
Third-Party Audits
Conducted by, or on behalf of, another organization
Internal Audits
Performed by an organization's internal audit staff and typically intended for internal audiences.
-The staff performing these audits normally have a reporting line that is completely independent of the functions they evaluate
External Audits
Performed by an outside auditing firm. These audits have a high degree of external validity because the auditors performing the assessment theoretically have no conflict of interest with the organization itself
netstat
Useful tool for examining the active ports on a system. This command lists all active network connections on a system as well as the ports that are open and awaiting new connections