CISSP SUNFLOWER STUDYGUIDE DOMAIN 6 SECURITY ASSESSMENT AND TESTING
White-box testing
(crystal) is a detailed examination of a logical path, checking the possible conditions. Requires access to source code.
Audit trails
- Transaction date/time
- Who processed the transaction
- At which terminal
Signature based method (AKA Knowledge based)
- compares activity against a database of attack signatures (aka misuse detector)
Code Coverage Report
- information on the functions, statements, branches, and conditions covered in testing. Use cases are used as part of the test coverage calculation, which divides the tested use cases by the total use cases.
Static Testing
- requires access to source code, performs code analysis
Elevation of privilege
An attack where a limited user account is transformed into an account with greater privileges/powers/ access
Spoofing
An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against IP addresses, MAC addresses, usernames, system names, wireless network SSIDs, and other types of logical identification.
Security Software
Antimalware and Antivirus - records instances of detected malware
Tampering
Any action resulting in the unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.
Code Review and Testing
Code review is the foundation of software assessment programs. During a code review, also known as a "peer review," developers other than the one who wrote the code review it for defects. The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps:
- Planning
- Overview
- Preparation
- Inspection
- Rework
- Follow-up
CSV -
Comma Separated Values
CVSS -
Common Vulnerability Scoring System: metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated; also used to score vulnerabilities against an organization's unique requirements.
CVE -
Common Vulnerabilities and Exposures dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities; the list is maintained by MITRE.
Monitoring and auditing
Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. This baseline is referred to as the clipping level.
User Interfaces (UIs)
Examples include graphic user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.
Physical Interfaces
Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.
IDS intrusion detection system
Components: information source/sensor, centralized monitoring software, data and event/report analysis, database components, and response to an event or intrusion.
NETWORK BASED
- Detects intrusions on the LAN behind a firewall.
- Is passive while it acquires data.
- Reviews packets and headers.
- Problem with network based: it will not detect attacks by users logged into hosts.
HOST BASED
- Monitors servers through EVENT LOGS AND SYSTEM LOGS.
- Only as good as the completeness of the host logging.
- Easier to discover and disable.
NVD
National Vulnerability Database
NTP
Network Time Protocol. One important consideration is ensuring that logs have accurate time stamps and that these time stamps remain consistent throughout the environment. A common method is to set up an internal NTP server that is synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server.
Application Programming Interfaces (APIs)
Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.
TCP Connect Scanning
Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
Authentication Servers
SSO servers
Security Testing
Security Testing - verifies that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security. When scheduling security controls for review, information security managers should consider the following factors:
- Availability of security testing resources
- Criticality of the systems and applications protected by the tested controls
- Sensitivity of information contained on tested systems and applications
- Likelihood of a technical failure of the mechanism implementing the control
- Likelihood of a misconfiguration of the control that would jeopardize security
- Risk that the system will come under attack
- Rate of change of the control configuration
- Other changes in the technical environment that may affect the control performance
- Difficulty and time required to perform a control test
- Impact of the test on normal business operations
After assessing each of these factors, security teams design and validate a comprehensive assessment and testing strategy.
Key Performance and Risk Indicators
Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary by organization but may include the following:
- Number of open vulnerabilities
- Time to resolve vulnerabilities
- Number of compromised accounts
- Number of software flaws detected in preproduction scanning
- Repeat audit findings
- User attempts to visit known malicious sites
TCP ACK Scanning
Sends a packet with the ACK flag set, indicating that it is part of an open connection.
Xmas Scanning
Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be "lit up like a Christmas tree," leading to the scan's name.
TCP SYN Scanning
Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as "half-open" scanning.
Misuse Case testing
Software testers use this process, also known as abuse case testing, to evaluate the vulnerability of their software to known risks.
Mutation (Dumb) Fuzzing
Takes previous input values from actual operation of the software and manipulates (or mutates) them to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Repudiation
The ability for a user or attacker to deny having performed an action or activity.
Information Disclosure
The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.
OPSEC process
Understanding your day-to-day operations from the viewpoint of a competitor, enemy, or hacker and then developing and applying countermeasures.
Operational assurance
Verification that a system is operating according to its security requirements
- Design & development reviews
- Formal modeling
- Security architecture
- ISO 9000 quality techniques
- Assurance - degree of confidence that the implemented security measures work as intended
Real User Monitoring
aims to capture and analyze every transaction of a user
Availability
archival process to prevent loss from overwritten logs
Tailgating
authorized person circumventing controls
Vulnerability scans
automatically probe systems, applications, and networks, looking for weaknesses that may be exploited
Network Flow
captured to provide insight into network traffic for security, troubleshooting, and performance management
Non-regression testing
verifies that the code works as planned
Statistical anomaly based
defines a 'normal' behavior and detects abnormal behaviors.
System level testing
demonstrates that all specified functionality exists and that the software product is trustworthy
IPS Intrusion prevention system
detect attack and PREVENT that attack being successful
Validation
Develops a "level of confidence" that the software meets all requirements and expectations; software improves over time. Back doors can be found through a structured walk-through.
Generational (Intelligent) Fuzzing
Develops inputs based on models of the expected inputs for the same task. (The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications.)
War dialer
dials a range of phone numbers, as in the movie WarGames
Dynamic Testing
does not require access to source code, evaluates code in a runtime environment
War Driving
driving around with a notebook computer to find open access points
Dynamic Testing
evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications. Testing may include the use of synthetic transactions to verify system performance.
Static Testing
evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
Attack surface
exposure
Integration level testing
focuses on the transfer of data and control across a program's interfaces
Code Review Report -
generated if the organization was manually reviewing the application's source code
Remote Access Software
granted and secured through VPNs
Ring zero
inner code of the operating system. Reserved for privileged instructions by the OS itself
Response box
is a part of an IDS that initiates alarm or activity
Fuzz Testing
is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. Often limited to simple errors, but it does find important, exploitable issues; it does not fully cover the code.
Integration testing
is aimed at finding bugs in the relationship and interfaces between pairs of components. It does not normally test all functions
Code comparison
is normally used to identify the parts of the source code that have changed.
STRIDE
is a threat categorization scheme often used when assessing threats against applications or operating systems: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
Regression testing
is the verification that what is being installed does not affect any portion of the application system already installed. It generally requires the support of an automated process to repeat tests previously undertaken: known inputs are run against the application and the results are compared to the earlier version's results.
Syslog
message logging standard commonly used by network devices, Linux and Unix systems and other devices (firewalls). Log entry types:
- Reboot - generates an information log entry
- Errors - significant problem
- Warnings - future problem
- Information - successful operations
- Success Audits - successful security accesses
- Failure Audits - failed security access attempts
Test Coverage Analysis
method used to assess how well software testing covered the potential use of an application
Interface testing
is an important part of the development of complex software systems. In many cases, multiple teams of developers work on different parts of a complex application that must function together to meet business objectives. The handoffs between these separately developed modules use well-defined interfaces so that the teams may work independently. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.
Firewalls
more sophisticated than routers in examining traffic
Verification
objective evidence that the design outputs of a phase of the SDLC meet requirements; sometimes performed by a third party
Black-box testing
observes the system's external behavior; no internal details are known
Modified logs
often a sign of intrusion or malicious intent
NetFlow
a feature that was introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface. A network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.
Inconsistent Time Stamps
often caused by improperly set time zones or due to differences in how system clocks are set
SAS 70
outdated as of 2011; based on ISAE 3402
Vulnerability Management Software
patching
Routers
permit or block traffic based on policy
Compiled Code
poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect
Supervisor mode
processes running in inner protected ring
Port scanner
program that attempts to determine whether any of a range of ports is open on a particular computer or device
Breaches
protect from breaches of confidentiality and integrity.
Audit logging
provides information about events on the routers
Authenticated scans
read-only account to access config files
IDS/IPS =
security testing, NIST 800-4
SOC Reports
service organization control report.
- SOC-1 report - covers only internal controls over financial reporting. SSAE 16 is the most common synonym. SOC 1 - Finances.
- SOC-2 report - design and operational effectiveness. Use it if you want to verify the security, integrity, privacy, and availability controls in detail for business partners and auditors.
- SOC-3 report - shared with a broad community (website seal); supports the organization's claims about its ability to provide CIA.
- Type 1 - point in time, covering design
- Type 2 - period of time, covering design and operating effectiveness
Passive monitoring
only works after issues have occurred because it requires actual traffic
Log Analysis
study logs for events of interest. Set a maximum log size; if it is too small, an attacker can make small changes and push earlier entries out of the window.
Superzapping
system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data
Pen-test
testing of network security as a hacker would, to find vulnerabilities. Always get management approval first.
Unit testing
testing a small piece of software during a development stage by developers and quality assurance; ensures quality units are furnished for integration into the final product.
Misuse Case diagrams
identify threats and how to mitigate them
Bluetooth Scans
time consuming; many personal devices
- Active: strength of PIN, security mode
- Passive: only active connections, multiple visits
Passive Scanning
users scan wireless networks to look for rogue devices, in addition to IDS
Network discovery scanning
uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports.
Synthetic Performance Monitoring
uses scripted or recorded data. Traffic capture, database performance monitoring, and website performance monitoring can be used. NOT user session monitoring. Types:
- Proactive monitoring - external agents run scripted transactions against a web application
- Database monitoring - availability of the database
- TCP port monitoring - availability of a website, service, or application
Log Management System
concerns are the volume of log data, network bandwidth, security of data, and amount of effort to analyze. NOT "enough log sources".
Piggybacking
when an unauthorized person goes through a door behind an authorized person.