Domain 6: Security assessment and testing (11th)
penetration tester
A white hat hacker who receives authorization to attempt to break into an organization's physical or electronic perimeter (sometimes both).
Unit testing
Low-level tests of software components, such as functions, procedures, or objects
Regression testing
Testing software after updates, modifications, or patches.
Security Assessments
a holistic approach to assessing the effectiveness of access control. These view many controls across multiple domains and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real-world effectiveness of administrative controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits
Partial-knowledge tests
in between zero and full knowledge; the penetration tester receives some limited trusted information.
Misuse Case Testing
models how a security impact could be realized by an adversary abusing the application. This can be seen simply as a different type of use case.
Synthetic Transactions (or synthetic monitoring)
• involve building scripts or tools that simulate activities normally performed in an application.
• The typical goal of using this is to establish expected norms for the performance of these transactions.
• These can be automated to run on a periodic basis to ensure the application is still performing as expected.
• These types of transactions can also be useful for testing application updates prior to deployment to ensure that functionality and performance will not be negatively impacted.
• This type of testing or monitoring is most commonly associated with custom-developed web applications.
Log Reviews
• one of the easiest ways to verify that access control mechanisms are performing adequately.
• This is primarily a detective control.
• The intelligence gained from proactive audit log management and monitoring can be very beneficial.
Traceability Matrix
• sometimes called a requirements traceability matrix (RTM), can be used to map customers' requirements to the software testing plan.
• It traces the requirements and ensures that they are being met. It does this by mapping customer usage to test cases.
full-knowledge test
(also called white-box or crystal-box test) provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers
Penetration Testing
(called "pen tests" for short) are designed to determine whether black hat hackers could do the same. They are a narrow but often useful test, especially if the penetration tester is successful. This may include the following tests:
• Network (Internet)
• Network (internal or DMZ)
• War dialing
• Wireless
• Physical (attempt to gain entrance into a facility or room)
pairwise testing (also called all-pairs testing)
A black-box test design technique in which test cases are designed to execute all possible discrete combinations of each pair of input parameters
Software Testing Levels
It is usually helpful to approach the challenge of testing software from multiple angles, addressing various testing levels from low to high. The software testing levels designed to accomplish that goal are unit testing, installation testing, integration testing, regression testing, and acceptance testing.
Integration testing
Testing multiple software components as they are combined into a working system. Subsets may be tested, or Big Bang integration testing is used for all integrated software components.
Installation testing
Testing software as it is installed and first operated
Acceptance testing
Testing to ensure that the software meets the customer's operational requirements.
Correct answer and explanation: *C. Acceptance testing is designed to ensure the software meets the customer's operational requirements.* Incorrect answers and explanations: Answers A, B, and D are incorrect. Integration testing examines multiple software components as they are combined into a working system. Installation testing examines software as it is installed and first operated. Unit testing is a low-level test of software components, such as functions, procedures, or objects.
What can be used to ensure that software meets the customer's operational requirements?
a. Integration testing
b. Installation testing
c. Acceptance testing
d. Unit testing
2. Correct answer and explanation: *A. Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.* Incorrect answers and explanations: Answers B, C, and D are incorrect. Dynamic testing examines code while executing it. Misuse case testing formally models how security would be impacted by an adversary abusing the application. Static testing examines the code passively; the code is not running. This form of testing includes walkthroughs, syntax checking, and code reviews.
What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?
a. Combinatorial software testing
b. Dynamic testing
c. Misuse case testing
d. Static testing
4. Correct answer and explanation: *B. Fuzzing is a black-box testing method that does not require access to source code.* Incorrect answers and explanations: Answers A, C, and D are incorrect. All are static methods that require access to source code.
You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.
You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?
a. Secure compiler warnings
b. Fuzzing
c. Static testing
d. White-box testing
3. Correct answer and explanation: *D. A flag is a dummy file containing no regulated or sensitive data. It is placed in the same area of the system as the credit card data and protected with the same permissions. If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data.* Incorrect answers and explanations: Answers A, B, and C are incorrect. Answer A is a vulnerability assessment, not a penetration test. Answers B and C are dangerous and could involve unauthorized access of regulated data, such as health care records.
You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.
Assuming the penetration test is successful, what is the best way for the penetration testing firm to demonstrate the risk of theft of financial data?
a. Instruct the penetration testing team to conduct a thorough vulnerability assessment of the server containing financial data.
b. Instruct the penetration testing team to download financial data, redact it, and report accordingly.
c. Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel.
d. Place a harmless "flag" file in the same location as the financial data, and inform the penetration testing team to download the flag.
Correct answer and explanation: C. Attackers will often act more maliciously if they believe they have been discovered, sometimes violating data and system integrity. The integrity of the system is at risk in this case, and the penetration tester should end the penetration test and immediately escalate the issue. Incorrect answers and explanations: Answers A, B, and D are incorrect. The client must be notified immediately, as incident handling is not the penetration tester's responsibility.
You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.
During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed, three-tier web application. What is the best course of action?
a. Attempt to contain and eradicate the malicious activity.
b. Continue the test.
c. Quietly end the test, immediately call the operational IT contact, and escalate the issue.
d. Shut the server down.
Combinatorial Software Testing
a black-box testing method that seeks to identify and test all unique combinations of software inputs.
UML (Unified Modeling Language)
a general-purpose developmental modeling language in the field of software engineering that is intended to provide a standard way to visualize the design of a system.
Social engineering
a no-tech or low-tech method that uses the human mind to bypass security controls
Security Audits
a test against a published standard
zero-knowledge test
also called black-box test, is "blind"; the penetration tester begins with no external or trusted information and begins the attack with public information only.
White-box software testing
gives the tester access to program source code, data structures, variables, etc.
Black-box testing
gives the tester no internal details; the software is treated as a black box that receives inputs
Vulnerability scanning
scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching
War dialing
uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone. The penetration tester then attempts to access the answering system.
Penetration testers use the following methodology
• Planning
• Reconnaissance
• Scanning (also called enumeration)
• Vulnerability assessment
• Exploitation
• Reporting
Fuzzing (also called fuzz testing)
• a type of black-box testing that submits random, malformed data as inputs into software programs to determine if they will crash. A program that crashes when receiving malformed or unexpected input is likely to suffer from a boundary-checking issue and may be vulnerable to a buffer overflow attack.
• This is typically automated, repeatedly presenting random input strings as command line switches, environment variables, and program inputs.
• Any program that crashes or hangs has failed the fuzz test.
Test Coverage Analysis
• attempts to identify the degree to which code testing applies to the entire application.
• The goal is to ensure that there are no significant gaps where a lack of testing could allow for bugs or security issues to be present that otherwise should have been discovered.
Interface Testing
• primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application.
• The goal is to ensure that security is uniformly applied across the various interfaces.
• This type of testing exercises the various attack vectors an adversary could leverage.
Static testing
• tests the code passively; the code is not running.
• This includes walkthroughs, syntax checking, and code reviews. Static analysis tools review the raw source code itself, looking for evidence of known insecure practices, functions, libraries, or other characteristics used in the source code. The Unix lint program performs this for C programs.
Dynamic testing
• tests the code while executing it.
• Security checks are performed while actually running or executing the code or application under review.