Chapter 6 - Security Assessment and Testing


Information System Security Audit Process

1) Determine the goals 2) Involve the right business unit leaders 3) Determine the scope 4) Choose the audit team 5) Plan the audit 6) Conduct the audit 7) Document the results 8) Communicate the results to target audience

Five Steps of a Penetration Test

1) Discovery 2) Enumeration 3) Vulnerability mapping 4) Exploitation 5) Report to management

Vulnerability Testing Goals

1) Evaluate the true security posture of an environment 2) Identify as many vulnerabilities as possible, with honest evaluations and prioritizations of each 3) Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are, but also how the unique elements of the environment might be abused Note: Before the scope of the test is agreed upon, the tester must explain the testing ramifications. Vulnerable systems could be knocked offline by some of the tests, and production could be negatively affected by the loads the tests place on the system.

Code Review Process

1) Identify the code to be reviewed 2) The team leader organizes the inspection and makes sure everyone has access to the correct version of the source code, along with all supporting artifacts. 3) Everyone prepares for the inspection by reading through the code and making notes 4) All the obvious errors are collated offline so they don't have to be discussed during the inspection 5) If everyone agrees the code is ready for inspection, the meeting goes ahead. 6) The team leader displays the code via an overhead projector so everyone can read through it. Everyone discusses bugs, design issues, and anything else that comes up. A scribe writes everything down. 7) Everyone agrees on a disposition (Passed, Passed with Rework, Reinspect) 8) After the meeting the author fixes any mistakes and checks in a new version. 9) If the disposition was Passed with Rework, the team leader checks off the bugs the scribe recorded 10) If the disposition was Reinspect, the team leader goes back to Step 2.

Emergency Response Priorities

1) Protection of life is the highest priority and should be dealt with first. 2) If the situation isn't life threatening, systems should be shut down in an orderly fashion, and critical data files or resources should be removed during evacuation. 3) Interface with external entities (shareholders, media, civic officials, etc.) Note: A company is at its most vulnerable right after a large disturbance.

*Interface Testing

A systematic evaluation of a given set of exchange points. The test should include known good exchanges and known bad exchanges. A special case of integration testing.

*Metric

A derived value that is generated by comparing multiple measurements against each other or against a baseline.

*Pretexting

A form of social engineering in which an attacker invents a believable scenario in an effort to persuade the target to violate a security policy.

Test Coverage

A measure of how much of a system is examined by a specific test, typically expressed as a percentage.

*Baseline

A measurement of a factor that provides a reference point or denotes that some condition is met by achieving some threshold.

External Audits

A second-party audit conducted by (or on behalf of) a business partner.

Misuse Case Testing

A use case that includes threat actors and the tasks they want to perform on the system.

Modifying Accounts

Adding, removing, or modifying the permissions that a user has should be a carefully controlled and documented process.

&Simulation Test

All employees who participate in operational and support functions come together to practice executing the disaster recovery plan based on a specific scenario in order to test the reaction of each operational representative. Cons: Takes a lot more planning and people.

*Factor

An attribute of the ISMS that can be described as a value that can change over time. (e.g. The number of alerts generated by an IDS.)

Virtual Machine Snapshot

An instantaneous backup strategy in which you save the state of a VM. This strategy lends itself to automation.

*Indicator

An interpretation of one or more metrics that describes an element of effectiveness of the ISMS.

War dialing

Attackers dial large blocks of telephone numbers in search of available modems.

Compliance Audit

Audit to demonstrate compliance with a regulation or standard (e.g. Sarbanes-Oxley Act)

&Testing and Revising the BCP

BCP should include DRP. Maintenance of BCP should be incorporated into Change Management. Tests and disaster recovery drills should be performed at least once a year.

Backup Verification

Backup verification frequency is driven by the risk management process. Requires an inventory of data which will be a living document. Backup Test Steps: 1) Develop Scenarios 2) Develop a Plan 3) Leverage Automation 4) Minimize Impact on Business 5) Ensure Coverage 6) Document the Results 7) Fix or Improve Issues

Three Box Types

Black Box: No knowledge of the system White Box: Complete knowledge of the system Gray Box: Some knowledge of the system

Blind, Double-blind, and Targeted Tests

Blind: Assessors only have publicly available data to work with. The network security staff is aware that this type of test is taking place Double-blind: Assessors only have publicly available data to work with. The network security staff is NOT aware that this type of test is taking place Targeted: Involves external consultants and internal staff carrying out focused tests on specific areas of interest.

Third-party Audits

Common when you need to demonstrate compliance with some government regulation or industry standard. Pros: 1) Will bring knowledge to the organization that it wouldn't otherwise be able to acquire. 2) Unaware of internal dynamics and politics Cons: 1) Cost

Three Ways to Achieve Privilege Elevation

1) Compromise an existing privileged account 2) Create a new privileged account 3) Elevate the privileges of a regular account

&Checklist Test (Desk Check Test)

Copies of DRP and BCP are distributed to the different departments and functional areas for review. Each functional manager reviews the plan and indicates if anything has been left out or if some approaches should be modified or deleted

Log Review

Examination of system log files to detect security events or to verify the effectiveness of security controls. Log sources should have their clocks synchronized with NTP; otherwise events from different devices cannot be reliably correlated or ordered.

File Descriptor Attacks (Definition and Countermeasure)

File descriptors are numbers that many OSs use to represent open files in a process. If a program makes unsafe use of a file descriptor, an attacker may be able to cause unexpected input or cause output to go to an unexpected place. Countermeasure: Good programming practices, automated source code scanners, application security tests

*Technical Audit Report and 6 Components

Goal is to persuade management to take whatever actions are needed to balance risks and business functions. Should tell a story for the intended audience. Components: Executive Summary: No more than a page or two summarizing what executives need to know. Background: Explain why the test was conducted Methodology: Describe the process of the test Findings: Results of test Recommendations: "Now what?" from analysis Appendices: Supplementary info

Symbolic Links (Definition and Countermeasure)

If a program uses a symbolic link and an attacker can compromise the symbolic link (replace it or repoint it), the attacker can gain unauthorized access to sensitive system files. Countermeasure: Programs and scripts must be written to ensure that the full path to the file cannot be circumvented, e.g. resolve the path once and operate on the opened file rather than repeatedly on the file name.

File and Directory Permissions (Definition and Countermeasure)

Inappropriate file or directory permissions. Either through oversight from the administrator or a vulnerability in access control Countermeasure: File integrity checks, which should also check file and directory permissions

Network Time Protocol (NTP)

Industry standard protocol for synchronizing computer clocks across network devices. Organizes time sources into numbered strata: stratum 0 is the reference clock itself (GPS receivers, cesium fountain atomic clocks, etc.), stratum 1 servers are directly attached to those, and each stratum gets its time from the stratum above it, so a lower stratum number means closer to the reference.

Centralizing Logs

Log files by default are stored locally. This makes it difficult to correlate events across devices, and it makes it easier for attackers to alter the log files of whatever devices they compromise. Centralizing logs addresses both issues and also makes long-term archiving easier.

Replication (For Logging)

Making multiple log copies and keeping them in separate locations.

*Key Risk Indicators (KRIs)

Metrics that provide an early signal of increasing risk exposures in the various areas of an enterprise. Measures how badly things could go in the future. Typically not specific to a department, but rather affect multiple aspects of the organization. Very high business impact. A KRI will change over time as conditions change.

Reasons to Suspend an Account

Most common is when an employee is terminated or otherwise left the organization. Others include reaching the account's expiration date and extended absence.

Simplex Communication (For Logging)

One-way communication for log files: the log source can send but never receive, so a compromised collector cannot reach back into the source. Data diode: Physically ensuring a one-way path for data. Used in high security environments. The simplest form is severing the "receive" pairs on an Ethernet cable, though in practice modern Ethernet link negotiation needs both directions, so purpose-built diodes (typically optical) are used instead; connectionless transports such as UDP syslog suit this because they need no acknowledgements.

&ISO 27004 - Information Security Metrics Implementation

Outlines a process by which to measure the performance of security controls.

Three Types of Vulnerability Tests

1) Personnel testing: Reviewing employee tasks and identifying vulnerabilities in the standard practices 2) Physical testing: Reviewing facility and perimeter protection mechanisms 3) System and network testing:

Buffer Overflows (Definition and Countermeasure)

Poor programming practices or bugs in libraries allow more input than the program has allocated space to store. The excess overwrites data or program memory beyond the end of the allocated buffer, and sometimes allows the attacker to inject program code and then cause the processor to execute it. Countermeasure: Good programming practices (length checks, bounded copies), automated source code scanners, and memory-safe languages that bounds-check buffer access so overflows cannot occur.

Race Conditions (Definition and Countermeasure)

The outcome of an operation depends on the relative timing of two or more events that the programmer assumed would always happen in a fixed order. The classic security form is time-of-check/time-of-use (TOCTOU): the program checks a resource (e.g. a file path) and then uses it, and the attacker swaps the resource in between. Countermeasure: Good programming practices, automated source code scanners, application security tests
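The symbolic link, file descriptor, and race condition entries above all describe the same underlying mistake: checking a file by name and then using it by name, leaving a window in which the name can be repointed. The following is an added example (not from the page) showing that check-then-use pattern beside the descriptor-based pattern that closes the window. It is Unix-only (it relies on O_NOFOLLOW), the file names `secret` and `input.txt` are constructed for the demonstration, and the hard-link check is a policy choice, not a requirement.

```python
"""Added example: a TOCTOU race on a path versus a hardened fd-based read.
Unix only (O_NOFOLLOW). File names below are constructed for the demo."""
import os
import stat
import tempfile


def read_unsafe(path: str) -> bytes:
    """Vulnerable pattern: the check is on the *path*, the use is on the *path*.
    Between os.path.isfile() and open() an attacker who controls the directory
    can replace `path` with a symlink to any file the process may read; open()
    follows it. (Here the symlink is planted before the call, which is the
    state the attacker aims to win in the race.)"""
    if not os.path.isfile(path):
        raise ValueError("not a regular file")
    with open(path, "rb") as f:          # re-resolves the path: race window
        return f.read()


def read_safe(path: str) -> bytes:
    """Hardened pattern: open once without following symlinks, then validate
    the open *descriptor* and use only that descriptor. The kernel resolves
    the path exactly once, so there is nothing left to race."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)                   # inspect the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file")
        if st.st_nlink != 1:                # policy choice: refuse hard-linked files
            raise ValueError("unexpected hard link count")
        with os.fdopen(fd, "rb") as f:      # fdopen takes ownership of fd
            fd = -1
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Constructed scenario: `secret` stands for a file the program must not
    expose; `input.txt` is the attacker-controlled name, swapped for a symlink."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")
        victim = os.path.join(d, "input.txt")
        os.symlink(secret, victim)          # the swap that wins the race

        unsafe_leaked = read_unsafe(victim) == b"TOP SECRET"
        try:
            read_safe(victim)
            safe_blocked = False
        except OSError:                     # ELOOP: O_NOFOLLOW refused the symlink
            safe_blocked = True
        # read_safe still works on a genuine regular file
        safe_reads_regular = read_safe(secret) == b"TOP SECRET"
    return {"unsafe_leaked": unsafe_leaked,
            "safe_blocked": safe_blocked,
            "safe_reads_regular": safe_reads_regular}


if __name__ == "__main__":
    print(demo())
```

The point is not the symlink check itself but where the check happens: `read_unsafe` validates a name that can change, while `read_safe` validates the object it has already opened and never touches the name again. Any later operation (reading, writing, chmod) should likewise go through the descriptor (`fstat`, `fchmod`, `os.write`) rather than the path.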

Kernel Flaw (Definition and Countermeasure)

Problems that occur below the level of the user interface, deep inside the OS. Such a vulnerability, if exploited, would give an attacker powerful control over the system. Countermeasure: Ensure that security patches to operating systems (after testing) are promptly deployed in the environment to keep the window of vulnerability as small as possible.

Test

Procedure that records some set of properties or behaviors in a system and compares them against predetermined standards

Penetration Testing

Process of simulating attacks on a network and its systems at the request of the owner. Results in a report given to management that describes the vulnerabilities identified and the severity of each along with suggestions for how to deal with them.

Internal Audits (Pros Cons)

Pros: 1) Familiar with the inner workings of the organization 2) Allows organization to be more agile in its assessment Cons: 1) Likely have limited exposure to other approaches to both securing and exploiting information systems 2) Potential for conflicts

Remote Logging (For Logging)

Putting log files on a separate box. This will require attackers to target that box to alter logs

&Structured Walk-through Test

Representatives from each department or functional area come together to go over the plan to ensure its accuracy. The group reviews the objectives of the plan, discusses the scope and assumptions, reviews the organization and reporting structure, and evaluates the testing, maintenance, and training requirements.

Assessment

Set of planned tests that are related

&Parallel Test

Some systems are moved to the alternate site and processing takes place. The results are compared with the regular processing that is done at the original site.

*Acceptable Use Policy (AUP)

Specifies what the organization considers acceptable use of its information systems. The bare minimum when adding a new account is to have the employee sign an AUP.

Audit

Systematic assessment of significant importance to an organization that determines whether the systems or process being audited satisfies some external standards. The scope of the audit should be in coordination with business unit managers.

Code Review

Systematic examination of the instructions that comprise a piece of software, performed by someone other than the author of that code.

*Security Information and Event Managers (SIEM)

Systems that enable the centralization, correlation, analysis, and retention of data in order to generate automated alerts.

*Boundary Condition

Test case that defines the line between good and bad exchanges.
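Interface testing (above) calls for known good and known bad exchanges, and a boundary condition is the test case that sits exactly on the line between them. The following is an added example, not from the page, of a table-driven boundary test: for an inclusive range it generates the last good value and the first bad value on each side and checks the interface's verdict against the expected one. The interface under test (`accept_port`), its range, and the deliberately buggy `off_by_one_port` are constructed for the demonstration.

```python
"""Added example: table-driven boundary testing of an interface parameter.
`accept_port`, `off_by_one_port` and the 1..65535 range are illustrative."""
from typing import Callable, Dict, List, Tuple


def accept_port(value: int) -> bool:
    """Interface under test: a TCP port parameter that must be in 1..65535."""
    return 1 <= value <= 65535


def boundary_cases(lo: int, hi: int) -> List[Tuple[int, bool]]:
    """Boundary conditions for an inclusive range [lo, hi]: the first bad value
    and the last good value on each side, plus one step inside. The bool is the
    *expected* verdict (True = known-good exchange, False = known-bad)."""
    return [
        (lo - 1, False), (lo, True), (lo + 1, True),
        (hi - 1, True), (hi, True), (hi + 1, False),
    ]


def run_boundary_tests(iface: Callable[[int], bool], lo: int, hi: int) -> Dict[str, list]:
    """Exercise the interface at every boundary case and report the expectations
    it violated as (value, expected, actual). An empty 'failures' list means the
    interface draws the good/bad line exactly where the specification does."""
    cases = boundary_cases(lo, hi)
    failures = []
    for value, expected in cases:
        try:
            actual = iface(value)
        except Exception as exc:            # crashing on bad input is also a finding
            actual = f"raised {type(exc).__name__}"
        if actual != expected:
            failures.append((value, expected, actual))
    return {"cases": len(cases), "failures": failures}


def off_by_one_port(value: int) -> bool:
    """Constructed buggy implementation: `<` rejects the valid port 65535 and
    `0 <=` accepts the invalid port 0. Both errors sit exactly on the boundary,
    which is why boundary cases catch them and mid-range cases never would."""
    return 0 <= value < 65535


if __name__ == "__main__":
    print(run_boundary_tests(accept_port, 1, 65535))
    print(run_boundary_tests(off_by_one_port, 1, 65535))
```

The same harness applies to any parameter with a specified range (lengths, counts, timeouts); the value of generating the cases from the specification rather than hand-picking them is that the "first bad value" is always present, which is where off-by-one and sign errors live.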

&Tabletop Exercises (TTXs)

Test out procedures and ensure that they do what they're designed to do by stepping through the most likely scenarios. Pros: Requires relatively few resources other than team member time. Can involve staff anywhere from C-level down to team level.

Audit of Technical Control

Testing the ability of a technical control (control implemented through the use of an IT asset) to mitigate risks identified in the risk management process.

*Integration Testing

The assessment of how different parts of a system interact.

&Full-Interruption Test

The original site is shut down and processing takes place at the alternate site. The recovery team fulfills its obligations in preparing the systems and environment for the alternate site. All processing is done only on devices at the alternate offsite facility. Cons: Most intrusive

*Security Awareness Training

The process of exposing people to security issues so that they may be able to recognize them and better respond to them. This shouldn't be confused with Security Training, which is the process of teaching a skill or set of skills that will allow people to perform specific functions better. This is typically reserved for security personnel.

*Social Engineering

The process of manipulating individuals so that they perform actions that violate security protocols.

*Key Performance Indicators (KPIs)

The quantifiable metrics a company uses to evaluate progress toward critical success factors. Measures how well things are going.

*Measurement

The value of a factor.

Use Case Associations

The way use cases are related to one another. The most common way in which use cases are associated are by including another use case (i.e. the included use case is always executed when the preceding one is) or by extending a use case (meaning that the second use case may or may not be executed depending on a decision point in the main use case).

Synthetic Transaction

Transaction (e.g. a request for a web page to transfer money) that is generated by a script instead of a person. Can be used for testing, to measure performance parameters (e.g. response time), or to simulate the behavior of malicious users.

Cryptographic Hash Chaining (For Logging)

Each log entry records a cryptographic hash of the preceding entry (and its own hash covers that link), so altering, deleting or reordering any earlier entry breaks every hash that follows it. The most recent hash must be anchored somewhere the attacker cannot reach (signed, forwarded to a separate collector, or written to write-once media), otherwise an attacker who controls the whole file can simply recompute the chain.
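An added example, not from the page, of a hash-chained log and the verifier that checks it. It shows the three ways an intruder with write access to the log might cover tracks (edit an entry, delete an entry, edit an entry and recompute its hash) and where the chain breaks in each case. The record format, the `GENESIS` anchor, and the sample log lines are constructed for the demonstration.

```python
"""Added example: hash-chained log entries with tamper detection.
Record layout and the sample lines are constructed, not real system output."""
import hashlib
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # chain anchor; in practice publish or sign it out of band

Entry = Tuple[str, str, str]   # (prev_hash, record, hash)


def entry_hash(prev_hash: str, record: str) -> str:
    """Hash of this entry = SHA-256(previous entry's hash || record). Binding
    the previous hash is what makes later entries depend on earlier ones."""
    return hashlib.sha256((prev_hash + "\n" + record).encode()).hexdigest()


def append(chain: List[Entry], record: str) -> None:
    """Append an entry. The writer only needs to remember the last hash."""
    prev = chain[-1][2] if chain else GENESIS
    chain.append((prev, record, entry_hash(prev, record)))


def verify(chain: List[Entry]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first entry
    whose link or hash does not check out. Recomputes from GENESIS, so a
    modified, deleted or reordered entry breaks the first link after it."""
    prev = GENESIS
    for i, (stored_prev, record, stored_hash) in enumerate(chain):
        if stored_prev != prev or entry_hash(prev, record) != stored_hash:
            return i
        prev = stored_hash
    return None


# Constructed sample log lines (not real system output).
SAMPLE = [
    "2024-05-01T10:00:00Z sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-05-01T10:00:07Z sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "2024-05-01T10:02:41Z sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T10:02:45Z sshd: Failed password for root from 198.51.100.7",
]


def build_chain(records: List[str]) -> List[Entry]:
    chain: List[Entry] = []
    for r in records:
        append(chain, r)
    return chain


def tamper_demo() -> dict:
    """Three cover-your-tracks attempts against the same chain."""
    intact = build_chain(SAMPLE)

    # (a) rewrite entry 2 in place, leaving its stored hash alone
    edited = list(intact)
    p, _, h = edited[2]
    edited[2] = (p, "2024-05-01T10:02:41Z sshd: Accepted password for root from 198.51.100.7", h)

    # (b) delete entry 2 entirely
    deleted = intact[:2] + intact[3:]

    # (c) rewrite entry 2 and recompute its own hash; entry 3 still stores the old one
    recomputed = list(intact)
    p, _, _ = recomputed[2]
    new_rec = "2024-05-01T10:02:41Z sshd: (entry scrubbed)"
    recomputed[2] = (p, new_rec, entry_hash(p, new_rec))

    return {
        "intact": verify(intact),          # None
        "edited": verify(edited),          # 2: hash no longer matches the record
        "deleted": verify(deleted),        # 2: next entry points at a hash that is gone
        "recomputed": verify(recomputed),  # 3: the following entry still links to the old hash
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Case (c) is the instructive one: recomputing a single hash only moves the break one entry later, and an attacker who recomputes every hash to the end produces a chain that verifies, which is exactly why the head of the chain has to be anchored outside the attacker's reach (forwarded to a remote collector, signed, or written to write-once media).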

Three Steps to Analyze the Results of a Security Assessment

What: Establish relevant and interesting information So what: Determine business impact Now what: Determine the right course of action Goal is to move from facts to actionable information.

Write-once Media (For Logging)

Writing log files to write-once media. Entries that have already been written cannot be altered by an attacker; the only remaining options are to tamper with events before they are written or to physically destroy the media.
