CISSP - Sybex Study Guide - Ch. 15 Security Assessment and Testing - DOMAIN 6: Security Assessment and Testing


Vulnerabilities / Vulnerability Scans / Four main categories / Web Vulnerability Scanning - Name some web vuln scanners P677

- Acunetix Scanner - Nikto (open source) - Wapiti - Burp Suite

Testing Your Software / Test Coverage Analysis - Name some of the possible formula criteria (1-3) - P 687

- Branch coverage: Has every if statement been executed under all if and else conditions?
- Condition coverage: Has every logical test in the code been executed under all sets of inputs?
- Function coverage: Has every function in the code been called and returned results?

Describing Vulnerabilities / SCAP - List the 6 components (4-6) P668

- Common Platform Enumeration (CPE) provides a naming system for operating systems, applications, and devices.
- Extensible Configuration Checklist Description Format (XCCDF) provides a language for specifying security checklists.
- Open Vulnerability and Assessment Language (OVAL) provides a language for describing security testing procedures.

Describing Vulnerabilities / SCAP - List the 6 components (1-3) P668

- Common Vulnerabilities and Exposures (CVE) provides a naming system for describing security vulnerabilities.
- Common Vulnerability Scoring System (CVSS) provides a standardized scoring system for describing the severity of security vulnerabilities.
- Common Configuration Enumeration (CCE) provides a naming system for system configuration issues.

Testing Your Software / Code Review / Describe the steps for less formal code reviews P 682

- Developers walking through their code in a meeting with one or more other team members
- A senior developer performing manual code review and signing off on all code before moving to production
- Use of automated review tools to detect common application flaws before moving to production

Testing Your Software / Fuzz Testing / Generational (Intelligent) - Describe P 684

- Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

Testing Your Software / Code Review / Fagan inspection - Describe P682

- Each step has defined entry and exit criteria that must be met before moving onto the next stage. - Fagan normally used in highly restrictive environments where code flaws may have a catastrophic impact.

3 Major Components of a Security Assessment Program / 3 Main Types of Audits / EXTERNAL - What are the BIG FOUR Audit Firms? P666

- Ernst & Young - Deloitte & Touche - PricewaterhouseCoopers - KPMG

Testing Your Software / Code Review / What is the most formal process called? What are the steps? P 682

- Fagan inspections. Six step process: Planning / Overview / Preparation / Inspection / Rework / Follow-up

Implementing Security Management Processes / Log Reviews - Describe P 688

- Logging policies can be deployed via Windows Group Policy Objects (GPOs)

Testing Your Software / Test Coverage Analysis - Name some of the possible formula criteria (4-5) - P 687

- Loop coverage: Has every loop in the code been executed under conditions that cause code execution multiple times, only once, and not at all?
- Statement coverage: Has every line of code been executed during the test?

Name some common vulnerability scanners P675

- Nessus / QualysGuard / Rapid7's NeXpose - OpenVAS (open source) - Aircrack (scan wireless networks)

Implementing Security Management Processes / Log Reviews - What log is particularly useful when investigating security incidents? P 688

- Network Flow logs (NetFlow) - they provide records of the connections between systems and the amount of data transferred

Describe SCAP

- Provides a common framework for discussion

Implementing Security Management Processes / Account Management / Account privilege review / Sampling - Only works if it's what? P 689

- Random - Don't allow sys admins to generate the sample or use nonrandom criteria to select accounts for review, or you may miss entire categories of users where errors may exist

Testing Your Software / Website Monitoring / Passive Monitoring - What is a variant of passive monitoring?

- Real user monitoring (RUM) - the monitoring tool reassembles the activity of individual users to track their interaction with a website

3 Major Components of a Security Assessment Program / Audits - What is the main work, or end product of an Audit?

- Reports that are intended for different audiences than tests or assessments are for - may include an org's board of directors, gov regulators...

Testing Your Software / Dynamic Testing - Describe P 683

- Tests in a runtime environment (while program is running) - Often used by orgs using apps written by someone else, where they don't have access to the source code.

Testing Your Software / Static Testing - Describe P 683

- Tests software without running it - analyzes either source code or the compiled application - usually involves the use of automated tools that detect flaws (buffer overflows, etc...)

What provides a common standard to be used by auditors performing assessments of service organizations with the intent of allowing the organization to conduct an external assessment instead of multiple third-party assessments and then sharing the resulting report with customers and potential customers?

- The Statement on Standards for Attestation Engagements document 16 (SSAE 16), "Reporting on Controls"

Vulnerability Management Workflow - Describe P678

- Three-step approach to managing vulnerabilities
1) Detection - normally result of a scan
2) Validation - make sure not a FP
3) Remediation - patch, config, etc...

What is the goal of a vulnerability management workflow? P679

- To ensure that vulns are detected and resolved in an orderly fashion. - should also include steps that prioritize vuln remediation based on severity of the vuln, likelihood of exploitation, and difficulty of remediation

Testing Your Software / Dynamic Testing - What's a common example?

- Use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications.

Vulnerabilities / Vulnerability Scans / Four main categories / Network Discovery Scanning - Describe P669

- Uses TCP SYN, Connect, ACK, and Xmas scanning to detect if ports are opened - checks if a port is open or closed and stops.

Testing Your Software / Website Monitoring / Passive Monitoring - Describe P 687

- analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server. - provides real-world monitoring data that provides administrators with insight into what is actually happening on a network.

3 Major Components of a Security Assessment Program / 3 Main Types of Audits / THIRD-PARTY - Describe P666

- are conducted by, or on behalf of, another org

Penetration Testing - Describe P679

- attempts to exploit system

3 Major Components of a Security Assessment Program / Testing - Includes what? P662

- automated scans - tool-assisted penetration tests - manual attempts to undermine security

Testing Your Software / Fuzz Testing / What is it called when input is slightly manipulated? P 684

- bit flipping

Testing Your Software / Interface Testing - Describe P 686

- complex applications use multiple teams to each work on separate modules - interface testing ensures these modules will work together - assesses the interactions between components and users

3 Major Components of a Security Assessment Program / Assessments - Describe P664

- comprehensive reviews of the security of a system, application, or other tested environment - a trained information security professional performs a risk assessment that identifies vulnerabilities - include a thoughtful review of the threat environment, current and future risks, and value

Implementing Security Management Processes / Log Reviews - Why should log reviews be conducted periodically? P 688

- ensure that privileged users are not abusing their privileges - ex: ADMs have access to an eDiscovery tool that allows searching through contents of user files. Need to make sure this isn't being abused to violate user privacy

Implementing Security Management Processes / Account Management / These reviews ensure what? Who carries this out? P 689

- ensure that users only retain authorized permissions and that unauthorized modifications do not occur - Security management personnel or internal auditors

Testing Your Software / Misuse Case Testing - How do testers test for this? P 686

- first enumerate the known misuse cases - then attempt to exploit those use cases with manual and/or automated attack techniques

Vulnerabilities / Vulnerability Scans / Four main categories / Network Vulnerability Scanning - Describe P673

- goes deeper than discovery scans - also probes for vulnerabilities

Testing Your Software / Misuse Case Testing - Describe P 686

- in some apps, there are clear examples of ways that software users might attempt to misuse the app. - evaluate the vulnerability of their software to these known risks.

Implementing Security Management Processes - Describe P 688

- management processes designed to oversee the effective operation of the information security program

3 Major Components of a Security Assessment Program / 3 Main Types of Audits / INTERNAL - Describe P665

- performed by an org's internal audit staff and are typically intended for internal audiences

3 Major Components of a Security Assessment Program / 3 Main Types of Audits / EXTERNAL - Describe P666

- performed by an outside auditing firm - these audits have a high degree of external validity because the auditors performing the assessment have no conflict of interest with the org

Testing Your Software / Website Monitoring / Synthetic monitoring (aka active monitoring) - Describe P 687

- performs artificial transactions against a website to assess performance. This may be as simple as requesting a page from the site to determine the response time, or it may execute a complex script designed to identify the results of a transaction.

Implementing Security Management Processes / Backup Verification - What should managers check for? P 689

- periodically inspect the results of backups (reviewing logs, inspecting hash values, or requesting an actual restore of a system or file.) - monitor key performance and risk indicators

Vulnerabilities / Vulnerability Scans / Four main categories / Database Vulnerability Scanning - Describe P677

- scans both databases and web applications. Web applications are commonly the vector used to gain access to dbs.

Vulnerabilities / Vulnerability Scans / Four main categories / Web Vulnerability Scanning - Describe

- scans web applications - web applications typically have privileged access to underlying dbs.

Testing Your Software / Dynamic Testing - May include the use of what type of transaction? P684

- synthetic transactions - these are scripted transactions with known expected results.

Testing Your Software / Test Coverage Analysis - Describe P 686

- There are too many ways an app might malfunction or be attacked, so this determines HOW much testing an application should receive - bases testing on what the app is meant to be used for / how complex it is.

3 Major Components of a Security Assessment Program / Audits - Describe P665

- use many of the same techniques followed during security assessments but must be performed by independent auditors

3 Major Components of a Security Assessment Program / Testing - Describe

- verifies that a control is functioning properly - should be done on a regular schedule

Implementing Security Management Processes / Account Management / One method is to conduct a full review of accounts. When would this be ideal? P 689

- when the accounts are highly privileged - CONS: takes a lot of time

Testing Your Software / Fuzz Testing / Mutation - Which tool is commonly used? What does it do? P684

- zzuf - slightly changes expected input

Testing Your Software / Interface Testing - Name the 3 interface testing types P 686

1) Application Programming Interfaces (APIs) 2) User Interfaces (UIs) 3) Physical Interfaces

3 Major Components of a Security Assessment Program / Audits - What are the 3 main types? P665

1) Internal 2) External 3) Third-party

Testing Your Software / Fuzz Testing - What are the two main categories? P684

1) Mutation (Dumb) Fuzzing 2) Generational (Intelligent) Fuzzing

Vulnerabilities / Vulnerability Scans - What are the four main categories? P669

1) Network discovery scans 2) Network vulnerability scans 3) Web application vulnerability scans 4) Database vulnerability scans

Testing Your Software / Website Monitoring - What are the two forms? P 687

1) Passive monitoring - detects after event occurs 2) Synthetic monitoring - useful at detecting issues before they occur.

What are the 3 major components of a security assessment program? P662

1) Security tests 2) Security assessments 3) Security audits

3 Major Components of a Security Assessment Program / 3 Main Types of Audits / THIRD-PARTY / What are the two SSAE 16 Reports?

1) Type 1 - Org describes their controls to auditor. Covers a single point in time and does not involve actual testing of the controls by auditor. 2) Type 2 - Covers a minimum 6 month time period. Auditor actually tests controls and reports on results.

Penetration Testing - What are the three categories / groups of tests? P681

1) White box - attacker is given detailed info 2) Gray box - attacker has some info. Good when black box results are desired, but costs or time constraints mean some knowledge is given. 3) Black box pen test - attacker given no info

Implementing Security Management Processes - Name some of these security management reviews P 688

1) log reviews 2) account management 3) backup verification 4) key performance and risk indicators

Implementing Security Management Processes / Account Management / Account privilege review - Give an example of what this process might entail. P 689

1. Managers monitor system administrators as they provide a list of users with privileged access and rights.
2. Managers ask the privilege approval auth to provide a list of auth users and their privileges.
3. The managers then compare the two lists to ensure that only auth users retain access to the system and each user does not exceed their auth

Describe ISO 27001 and 27002

- 27001: Describes a standard approach for setting up an information security management team
- 27002: Goes into more detail on the specifics of info security controls.
- Both are internationally recognized standards.

3 Major Components of a Security Assessment Program / Auditing Standards - What is a common auditing and assessment framework? P667

COBIT

Testing Your Software / Interface Testing / UIs - Describe P 686

Ex. include graphic user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.

Testing Your Software / Interface Testing / Physical Interfaces - Describe P 686

Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.

Testing Your Software / Name some application tests

Interface Testing / Misuse Case Testing / Test Coverage Analysis / Fuzz Testing / Static Testing / Dynamic Testing

Testing Your Software / Interface Testing / Why test interfaces?

Interface testing provides an added degree of assurance that interfaces meet the organization's security requirements.

Assessments and Tests are meant for internal or external (or both) use?

Internal only

Implementing Security Management Processes / Account Management / Can portions of the account review process be automated? If so, how? P 689

Many Identity and Access Management (IAM) vendors provide account review workflows that prompt admins to conduct reviews, maintain docs for user accounts, and provide an audit trail showing the completion of reviews.

Penetration Testing - What is a commonly used tool that automatically executes exploits against a targeted system? P679

Metasploit

Testing Your Software / Fuzz Testing / Mutation (Dumb) - Describe

Modifies known inputs to generate synthetic inputs that may trigger unexpected behavior.

Which NIST special publication describes best practices in conducting security and privacy assessments?

NIST SP 800-53A

Implementing Security Management Processes / Log Reviews - Logging systems should make use of what? P 688

NTP (Network Time Protocol)

3 Major Components of a Security Assessment Program / Assessments - Only conducted by external team?

No, internal can perform as well.

Implementing Security Management Processes / Backup Verification - What are some Key Performance and Risk Indicators? P 690

Number of open vulnerabilities / Time to resolve vulnerabilities / Vulnerability/defect recurrence / Number of compromised accounts / Number of software flaws detected in preproduction scanning / Repeat audit findings / User attempts to visit known malicious sites

Penetration Testing - What are some industry standard methodologies for pen testing? P681

OWASP Testing Guide / OSSTMM / NIST 800-115 / FedRAMP Penetration Test Guidance / PCI DSS Information Supplement on Pen Testing

Testing Your Software / Interface Testing / APIs - Describe P 686

Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.

Testing Your Software / Website Monitoring / What does Passive monitoring excel in? Active Monitoring?

PASSIVE: useful in troubleshooting issues identified by users because it can capture traffic related to the issue. ACTIVE: capable of detecting issues before they occur.

PERFORMING VULNERABILITY ASSESSMENTS - Describe P668

Performing vulnerability scans and penetration tests

Penetration Testing - What are the 5 Phases? P679

Planning / Information gathering and discovery / Vulnerability scanning / Exploitation / Reporting

Implementing Security Management Processes / Account Management / Account privilege review - Orgs that do not have time to thoroughly conduct this process can do what? P 689

Sampling

Testing Your Software / Website Monitoring - Describe P 687

Security professionals also often become involved in the ongoing monitoring of websites for performance management, troubleshooting, and the identification of potential security issues.

Vulnerabilities / Vulnerability Scans / Four main categories / Database Vulnerability Scanning - Name a common tool used P678

Sqlmap

What provides the security community with a common set of standards and language for describing and evaluating vulnerabilities? P668

The Security Content Automation Protocol (SCAP)

Testing Your Software / Website Monitoring / Which monitoring is often used most? P 687

They are frequently used together because they achieve different results.

Testing Your Software / Fuzz Testing - What are its limitations? P 684

Typically doesn't result in full coverage of the code and is commonly limited to detecting simple vulnerabilities that do not require complex manipulation of business logic

Vulnerabilities / Vulnerability Scans / Four main categories / Network Vulnerability Scanning - By default runs what type of scans? P674

Unauthenticated scans, meaning they test the target systems w/o having pws or other privileged information or access.

Testing Your Software / Misuse Case Testing - Give an example P 686

Users of banking software might try to manipulate input strings to gain access to another user's account. They might also try to withdraw funds from an account that is already overdrawn.

3 Major Components of a Security Assessment Program / Assessments - What is the main work, or end product of an assessment? P664

normally an assessment report addressed to management that contains the results of the assessment in nontechnical language and concludes with specific recommendations for improving the security

Testing Your Software / Test Coverage Analysis - What is the formula used? P 686

test coverage = number of use cases tested / total number of use cases

