Security Assessment and Testing - Chapter 15 Security Assessment and Testing
What is a Gray box penetration test?
- also known as partial-knowledge tests; the testers are given some, but not all, information about the target. Often chosen to balance the advantages and disadvantages of white box and black box penetration tests.
What is a black box penetration test?
- does not provide the attackers with any information prior to the attack.
Dynamic software testing
- evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.
What is TCP SYN scanning?
- sends a single packet to each scanned port with the SYN flag set, indicating a request to open a new connection.
- if the scanner receives a response with the SYN and ACK flags set, the system is moving to the second phase of the three-way TCP handshake and the port is open.
- TCP SYN scanning is also known as "half-open" scanning because the scanner never completes the handshake.
What is a white box penetration test?
- provides the attackers with detailed information about the systems they target
What is a TCP ACK scan?
- sends a packet with the ACK flag set, indicating that it is part of an already open connection. Used to map firewall rules rather than to find listening services: a stateless filter passes the unsolicited ACK and the host answers with RST whether or not the port is open, whereas a stateful firewall drops it and the port shows as filtered.
What port is used for POP3?
110
What port is used for SQL server?
1433
What port is used for Oracle?
1521
What port is used for FTP?
21
What port is used for SSH?
22
What port is used for Telnet?
23
What port is used for SMTP?
25
What port is used for RDP?
3389
Web Vulnerability Scanner
The appropriate tool for finding web application flaws such as SQL injection, since these attacks happen at the application layer and are not visible to a network vulnerability scanner or port scanner.
What are the "big four" audit firms?
Ernst & Young, Deloitte & Touche, PricewaterhouseCoopers, KPMG
Open ports and Security
Ports 80 (HTTP) and 443 (HTTPS) are expected to be open on a web server. Port 1433 is the Microsoft SQL Server database port and should never be exposed to an external network; the database should be reachable only from the application tier.
Static software testing techniques
e.g. code reviews, evaluate the security of software without running it by analyzing either the source code or the compiled application
categories of fuzz testing
- Mutation (dumb) fuzzing takes previous input values from actual operation of the software and manipulates (mutates) them, for example by bit flipping, to create fuzzed input.
- Generational (intelligent) fuzzing develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
Describe the difference between TCP SYN scanning and TCP connect scanning
- TCP SYN scanning sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open.
- TCP SYN scanning is also known as "half-open" scanning.
- TCP connect scanning opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
What is a Xmas Scan?
- sends a packet with the FIN, PSH, and URG flags set.
- a packet with so many flags set is said to be "lit up like a Christmas tree".
What is TCP connect scanning?
- opens a full connection to the remote system on the specified port.
- this scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan, since crafting raw SYN packets without completing the handshake requires raw-socket (root or administrator) privileges.
What is the purpose of a security test?
- to verify that a control is functioning properly.
- these tests include automated scans, tool-assisted penetration tests, vulnerability assessments, software testing, audits, and security management tasks designed to validate controls, as well as manual attempts to undermine security.
What port is used for NTP?
123
What port is used for H.323?
1720
What port is used for PPTP?
1723
What port is used for HTTPS?
443
What port is used for DNS?
53
What port is used for HTTP?
80
What is known as misuse case testing or abuse case testing?
A process used by software testers to evaluate the vulnerability of their software to known risks. Testers first enumerate the known misuse (abuse) cases, then attempt to exploit them with manual and/or automated attack techniques.
synthetic transactions
A dynamic testing technique: scripted transactions with known expected results. The testers run the transactions against the tested code and then compare the output of the transactions to the expected state. Deviations between the actual and expected results represent possible flaws in the code and must be investigated further.
Security Management Oversight Tasks
Log reviews, particularly for administrator activities, ensure that systems are not misused. Account management reviews ensure that only authorized users retain access to information systems. Backup verification ensures that the organization's data protection process is functioning properly. Key performance and risk indicators provide a high-level view of security program effectiveness.
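The log review named above, as an added example (not code from the original page): a small review of administrator activity over constructed sudo log lines in Linux syslog format. The sample lines, the approved-administrator roster and the list of account-management binaries are all assumptions made for illustration; a real review would pull these from the organization's own logs and access roster.

```python
"""Administrator activity log review over constructed sudo log lines.

Added example, not from the original page. The log lines, the administrator
roster and the account-management command list are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in Linux syslog/sudo format (not real data).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m backdoor
Mar  3 09:16:02 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd backdoor
Mar  3 09:20:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 100 /var/log/nginx/error.log
Mar  3 09:25:33 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:26:00 web01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Matches the standard sudo syslog line; non-sudo lines are skipped.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed authorised administrators and commands that change accounts.
APPROVED_ADMINS = {"alice"}
ACCOUNT_MGMT_BINARIES = {"useradd", "usermod", "userdel", "passwd", "visudo", "groupadd"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers")


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str
    target: str
    cmd: str


def parse_sudo_events(log_text: str) -> list:
    """Extract sudo command events; other syslog lines (sshd etc.) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(SudoEvent(**m.groupdict()))
    return events


def review_admin_activity(events) -> list:
    """Return (reason, event) findings a reviewer should follow up on."""
    findings = []
    for ev in events:
        binary = ev.cmd.split()[0].rsplit("/", 1)[-1]   # basename of the command
        if ev.user not in APPROVED_ADMINS:
            findings.append(("privilege use by non-approved account", ev))
        if binary in ACCOUNT_MGMT_BINARIES:
            findings.append(("account management command; cross-check change ticket", ev))
        if any(p in ev.cmd for p in SENSITIVE_PATHS):
            findings.append(("access to credential store", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in review_admin_activity(parse_sudo_events(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.host} {ev.user} -> {ev.target}: {ev.cmd}\n    {reason}")
```

Each finding is a lead for the reviewer, not a verdict: the account management commands are flagged so they can be matched against a change ticket, which is how log review and account management review reinforce each other.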
3 Port Status Values by Nmap
Open: the port is open on the remote system and there is an application actively accepting connections on that port.
Closed: the port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
Filtered: Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
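The connect scan described in the scan-type cards above, and the three Nmap port states, as an added example (not code from the original page and not Nmap's own code): a TCP connect scan with ordinary sockets, which needs no special privileges because it completes the full handshake, mapping outcomes onto Nmap's states. A completed connection is open, a reset (ConnectionRefusedError) is closed, and a timeout is filtered. The start_listener() and free_port() helpers and the loopback target are test fixtures constructed for the example.

```python
"""Minimal TCP connect scan with Nmap-style open/closed/filtered classification.

Added example (not from the original page or from Nmap). A connect scan
completes the three-way handshake, so it works without raw-socket privileges.
"""
import socket
import threading


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Attempt a full TCP connection to each port and classify the result."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))           # full three-way handshake
            states[port] = "open"             # something accepted the connection
        except ConnectionRefusedError:
            states[port] = "closed"           # RST came back: reachable, nothing listening
        except (socket.timeout, TimeoutError):
            states[port] = "filtered"         # no reply: probe most likely dropped by a firewall
        except OSError:
            states[port] = "filtered"         # e.g. host unreachable; state cannot be determined
        finally:
            s.close()
    return states


def start_listener(host: str = "127.0.0.1") -> tuple:
    """Test fixture: a throwaway TCP listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def _accept_loop():
        # Accept and immediately close so the scanner's handshakes complete cleanly.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break                          # listener closed by the caller

    threading.Thread(target=_accept_loop, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Test fixture: a port with nothing listening (bind, record, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port}/tcp {state}")
    srv.close()
```

A half-open scan (nmap -sS) would instead send a bare SYN and never answer the SYN/ACK, which requires raw sockets; that is why Nmap uses the connect scan (nmap -sT) by default when it is run without privileges.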
What is a security assessment?
Security assessments are comprehensive reviews of the security of a system, application, or other tested environment. They identify vulnerabilities and recommend fixes; they do not, however, include actual mitigation of those vulnerabilities.
What is a test coverage analysis?
Software testing professionals often conduct a test coverage analysis to estimate the degree of testing conducted against new software. It is commonly computed as the number of use cases tested divided by the total number of use cases, and may also be measured at finer granularity, for example as branch, condition, function, loop, or statement coverage.
What is bit flipping?
The activity of changing a bit to its opposite value. A technique commonly used in fuzzing to slightly modify input data
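The two fuzzing categories and the bit-flipping primitive from the cards above, as an added example (not code from the original page): a toy record format (one length byte, that many payload bytes, then a 0x0A terminator) parsed by a deliberately buggy parser that trusts the length field, beside a hardened version with a bounds check. A mutation fuzzer flips random bits in valid seed records; a generational fuzzer builds inputs from a model of the format, probing boundary values of the length field independently of the payload size. The format, the parsers and the seed records are all constructed for illustration.

```python
"""Mutation (dumb) vs. generational (intelligent) fuzzing against a toy parser.

Added example, not code from the original page. The record format, both
parsers and the seed inputs are constructed for illustration.
"""
import random


class ParseError(Exception):
    """Expected, clean rejection of malformed input (not a crash)."""


def parse_record(data: bytes) -> bytes:
    """Buggy parser: trusts the length field."""
    if len(data) < 2:
        raise ParseError("too short")
    length = data[0]
    payload = data[1:1 + length]
    # Deliberate bug: when the length field points past the end of the buffer,
    # this index raises IndexError, which is an unhandled crash.
    if data[1 + length] != 0x0A:
        raise ParseError("missing terminator")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Hardened parser: validates the length field before using it."""
    if len(data) < 2:
        raise ParseError("too short")
    length = data[0]
    if 1 + length >= len(data):                 # bounds check added
        raise ParseError("length field exceeds buffer")
    if data[1 + length] != 0x0A:
        raise ParseError("missing terminator")
    return data[1:1 + length]


def run_case(parser, data: bytes) -> str:
    """Classify one input: accepted, cleanly rejected, or crashed."""
    try:
        parser(data)
        return "ok"
    except ParseError:
        return "rejected"
    except Exception as exc:                     # anything else is a bug in the parser
        return f"crash:{type(exc).__name__}"


def flip_bits(data: bytes, rng: random.Random, flips: int = 1) -> bytes:
    """Mutation primitive: invert `flips` randomly chosen bits."""
    buf = bytearray(data)
    for _ in range(flips):
        bit = rng.randrange(len(buf) * 8)
        buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def mutation_fuzz(parser, seeds, iterations: int = 500, rng_seed: int = 1) -> list:
    """Dumb fuzzing: mutate real inputs with no knowledge of the format."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = flip_bits(rng.choice(seeds), rng, flips=rng.randint(1, 3))
        outcome = run_case(parser, case)
        if outcome.startswith("crash"):
            crashes.append((case.hex(), outcome))
    return crashes


def generational_fuzz(parser, cases: int = 200, rng_seed: int = 1) -> list:
    """Intelligent fuzzing: generate inputs from a model of the format."""
    rng = random.Random(rng_seed)
    boundary_lengths = [0, 1, 2, 127, 128, 254, 255]
    crashes = []
    for _ in range(cases):
        length = rng.choice(boundary_lengths)
        # Vary the payload size independently of the declared length.
        payload_len = rng.choice([0, 1, 16, length, max(length - 1, 0)])
        payload = bytes(rng.getrandbits(8) for _ in range(payload_len))
        case = bytes([length]) + payload + b"\n"
        outcome = run_case(parser, case)
        if outcome.startswith("crash"):
            crashes.append((case.hex(), outcome))
    return crashes


SEEDS = [b"\x05hello\n", b"\x00\n", b"\x0bhello world\n"]   # constructed valid records

if __name__ == "__main__":
    for name, parser in [("buggy", parse_record), ("fixed", parse_record_fixed)]:
        m = mutation_fuzz(parser, SEEDS)
        g = generational_fuzz(parser)
        print(f"{name}: {len(m)} mutation crashes, {len(g)} generational crashes")
        if m:
            print("  first mutation crash:", m[0])
```

The buggy parser crashes under both strategies; the fixed parser only ever raises ParseError, which the harness counts as a clean rejection. The distinction matters in practice: a fuzzer is hunting for the unhandled exception (or, in native code, the memory fault), not for inputs the program already knows how to refuse.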
What is the most formal code review process and list six steps?
The most formal code review process is known as the Fagan inspection. Its six steps are:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow-up
Nmap
a network discovery scanning tool that reports the open ports on a remote system
Authenticated Scans
The scanner has read-only access to the servers being scanned, so it can read configuration information from the system and use it when analyzing vulnerability test results. This improves the accuracy of the scan and reduces both false positive and false negative reports.
User interface testing
includes assessments of both graphical user interfaces (GUIs) and command‐line interfaces (CLIs) for a software program.
Metasploit
is an automated exploit tool that allows attackers to easily execute common attack techniques in penetration testing
What is the main work product of a security assessment?
It is normally an assessment report addressed to management that contains the results of the assessment in nontechnical language and concludes with specific recommendations for improving the security of the tested environment.
Conducting Security Audits
A security audit occurs when an independent party performs an assessment of the security controls protecting an organization's information assets. Internal audits are performed by the organization's own audit staff, independent of the teams being audited, and are intended for management use. External audits are performed by a third-party audit firm and are generally intended for the organization's governing body.
PCI DSS Critical Requirement
Requires that organizations rescan the application at least annually and after any change to the application.
What are the three major components of a security assessment program?
- security tests
- security assessments
- security audits
Security assessment reports
should be addressed to the organization's management. For this reason, they should be written in plain English and avoid technical jargon.
unauthenticated scans
Test target systems without passwords or other special information that would grant the scanner special privileges, so they run from the perspective of an outside attacker.
Vulnerability assessments
use automated tools to search for known vulnerabilities in systems, applications, and networks. These flaws may include missing patches, misconfigurations, or faulty code that expose the organization to security risks
Penetration tests
Use attack techniques in which an assessor attempts to exploit vulnerabilities and gain access to the system.