CISSP SUNFLOWER STUDYGUIDE DOMAIN 6 SECURITY ASSESSMENT AND TESTING

Ace your homework & exams now with Quizwiz!

White-box testing

(crystal) is a detailed exam of a logical path, checking the possible conditions. Requires access to source code

Audit trails

- Transaction date/time - Who processed the transaction - At which terminal

Signature based method (AKA Knowledge based)

- compared with signature attack database (aka misuse detector)

Code Coverage Report

- information on the functions, statements, branches, and conditions covered in testing. Use cases - used as part of test coverage calculation that divides the tested use case by total use cases

Static Testing

- requires access to source code, performs code analysis

Elevation of privilege

An attack where a limited user account is transformed into an account with greater privileges/powers/ access

Spoofing

An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against IP addresses, MAC address, usernames, system names, wireless network SSIDs, and other types of logical identification.

Security Software

Antimalware and Antivirus - records instances of detected malware

Tampering

Any action resulting in the unauthorized changes or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.

Code Review and Testing

Code review is the foundation of software assessment programs. During a code review, also known as a "peer review," developers other than the one who wrote the code review it for defects. The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps: - Planning - Overview - Preparation - Inspection - Rework - Follow-up

CSV -

Comma Separated Values

CVSS -

Common Vulnerability Scoring System, metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated, also to score vulnerabilities against unique requirements.

CVE -

Common Vulnerability and Exposures dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities, list by MITRE

Monitoring and auditing

Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. This baseline is referred to as clipping level

User Interfaces (UIs)

Examples include graphic user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.

Physical Interfaces

Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.

download

Information source/sensor, centralized monitor software, data and even report analysis, database components and response to an event or intrusion

IDS intrusion detection system

NETWORK BASED - Detects intrusions on the LAN behind a firewall. - Is passive while it acquires data. - Reviews packets and headers - Problem with network based is that it will not detect attacks by users logged into hosts HOST BASED - monitoring servers through EVENT LOGS AND SYSTEM LOGS - as good as the completeness of the host logging easier to discover and disable

NVD

National Vulnerability Db

NTP

Network Time Protocol, One important consideration is ensuring that logs have accurate time stamps and that these time stamps remain consistent throughout the environment. A common method is to set up an internal NTP server that is synchronized to a trusted time source such as a public NTP server. Other systems can then synchronize with this internal NTP server.

Application Programming Interfaces (APIs)

Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.

TCP Connect Scanning

Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.

Authentication Servers

SSO servers

Security Testing

Security Testing - verifies that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security. When scheduling security controls for review, information security managers should consider the following factors: - Availability of security testing resources - Criticality of the systems and applications protected by the tested controls Sensitivity of information contained on tested systems and applications - Likelihood of a technical failure of the mechanism implementing the control - Likelihood of a misconfiguration of the control that would jeopardize security - Risk that the system will come under attack - Rate of change of the control configuration - Other changes in the technical environment that may affect the control performance - Difficulty and time required to perform a control test - Impact of the test on normal business operations After assessing each of these factors, security teams design and validate a comprehensive assessment and testing strategy.

Key Performance and Risk Indicators

Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary by organization but may include the following: - Number of open vulnerabilities - Time to resolve vulnerabilities - Number of compromised accounts - Number of software flaws detected in preproduction scanning & Repeat audit findings - User attempts to visit known malicious sites

TCP ACK Scanning

Sends a packet with the ACK flag set, indicating that it is part of an open connection.

Xmas Scanning

Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be "lit up like a Christmas tree," leading to the scan's name.

TCP SYN Scanning

Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as "half-open" scanning.

Misuse Case testing

Software testers use this process or abuse case testing to evaluate the vulnerability of their software to known risks.

Mutation (Dumb) Fuzzing

Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.

Repudiation

The ability for a user or attacker to deny having performed an action or activity.

Information Disclosure

The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities.

OPSEC process

Understanding your day-to-day operations from the viewpoint of a competitor, enemy, or hacker and then developing and applying countermeasures.

Operational assurance

Verification that a system is operating according to its security requirements • Design & development reviews • Formal modeling • Security architecture • ISO 9000 quality techniques • Assurance - degree of confidence that the implemented security measures work as intended

Real User Monitoring

aims to capture and analyze every transaction of a user

Availability

archival process to prevent loss by overwritten logs

Tailgating

authorized person circumventing controls

Vulnerability scans

automatically probe systems, applications, and networks, looking for weaknesses that may be exploited

Network Flow

captured to provide insight into network traffic for security, troubleshooting, and performance management

nonRegression testing

code works as planned

Statistical anomaly based

defines a 'normal' behavior and detects abnormal behaviors.

System level testing

demonstrates that all specified functionality exists and that the software product is trustworthy

IPS Intrusion prevention system

detect attack and PREVENT that attack being successful

Validation

develop "level of confidence" that the software meets all requirements and expectations, software improve over time Find back doors thru structured walk through

Generational (Intelligent) Fuzzing

develops inputs based on models of expected inputs to perform the same task. The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications

War dialer

dials a range of phone numbers as in the movie wargames

Dynamic Testing

does not require access to source code, evaluates code in a runtime environment

War Driving

driving a car with notebook to find open access points

Dynamic Testing

evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications. Testing may include the use of synthetic transactions to verify system performance.

Static Testing

evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.

Attack surface

exposure

Integration level testing

focus on transfer of data and control across a programs interfaces

Code Review Report -

generated if the organization was manually reviewing the application's source code

Remote Access Software

granted and secured through VPNs

Ring zero

inner code of the operating system. Reserved for privileged instructions by the OS itself

Response box

is a part of an IDS that initiates alarm or activity

Fuzz Testing

is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. Often limited to simple errors, does find important, exploitable issues, don't fully cover code

Integration testing

is aimed at finding bugs in the relationship and interfaces between pairs of components. It does not normally test all functions

Code comparison

is normally used to identify the parts of the source code that have changed.

STRIDE

is often used in relation to assessing threats against applications or operating systems, threat categorization scheme, spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Regression testing

is the verification that what is being installed does not affect any portion of the application system already installed. It generally requires the support of automated process to repeat tests previously undertaken. Known inputs against an application then compares results to earlier version results

Syslog

message logging standard commonly used by network devices, Linux and Unix systems and other devices (firewalls) Reboot - generates an information log entry - Errors - significant problem - Warnings - future problem - Information - successful operations - Success Audits - successful security accesses - Failure Audits - failed security access attempts

Test Coverage Analysis

method used to assess how well software testing covered the potential use of an application Interface testing - is an important part of the development of complex software systems. In many cases, multiple teams of developers work on different parts of a complex application that must function together to meet business objectives. The handoffs between these separately developed modules use well-defined interfaces so that the teams may work independently. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.

Firewalls

more sophisticated than routers to examine traffic

Verification

objective evidence that the design outputs of a phase of the SDLC meet requirements. 3rd party sometimes

Black-box testing

observes the system external behavior, no internal details known

Modified logs

often a sign of intrusion or malicious intent NetFlow is a feature that was introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface. a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

Inconsistent Time Stamps

often caused by improperly set time zones or due to differences in how system clocks are set

SAS 70

outdated 2011, based on ISAE 3402

Vulnerability Management Software

patching

Routers

permit or block traffic based on policy

Compiled Code

poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect

Supervisor mode

processes running in inner protected ring

Port scanner

program that attempts to determine whether any of a range of ports is open on a particular computer or device

Breaches

protect from breaches of confidentiality and integrity.

Audit logging

provides information about events on the routers

Authenticated scans

read-only account to access config files

IDS/IPS =

security testing, NIST 800-4 security testing, NIST 800-4

SOC Reports

service organization control report. (569) - SOC-1 report, covers only internal controls over financial reporting. SSAE 16 is the same most common synonym SOC 1 - Finances - SOC-2 (design and operational effectiveness) If you want to verify the security, integrity, privacy, and availability controls, in detail for business partners, auditors @security - SOC-3 report; shared with broad community, website seal, support organizations claims about their ability to provide CIA Type 1 - point in time covering design Type 2 - period of time covering design and operating effectiveness Passive monitoring only works after issues have occurred because it requires actual traffi

Log Analysis

study logs for events of interest Set maximum size. If too small, attacker can make little changes and push them out of window

Superzapping

system utility or application that bypasses all access controls and audit/logging functions to make updates to code or data

Pen-test

testing of network security as would a hacker do to find vulnerabilities. Always get management approval first

Unit testing

testing small piece of software during a development stage by developers and quality assurance, ensures quality units are furnished for integration into final product Integration level testing - focus on transfer of data and control across a programs interfaces

Misuse Case diagrams

threats and mitigate

Bluetooth Scans

time consuming, many personal devices - Active; strength of PIN, security mode - Passive; only active connections, multiple visits

Passive Scanning

user scan wireless to look for rogue devices in addition to IDS

Network discovery scanning

uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports.

Synthetic Performance Monitoring

uses scripted or recorded data. Traffic capture, Db performance monitoring, website performance monitoring can be used. NOT User Session Monitoring Types - Proactive monitoring involves having external agents run scripted transactions against a web application - Db monitoring; availability of Db - TCP port monitoring; availability of website, service, or application

Log Management System

volume of log data, network bandwidth, security of data, and amount of effort to analyze. NOT enough log sources

Piggybacking

when an unauthorized person goes through a door behind an authorized person.


Related study sets

ATI quiz practice for proctored exam

View Set

ECO2013 Principles of Macroeconomics Study Guide Exam 3: ECO2013 (1967)

View Set