CISSP - Sybex Study Guide - Ch. 15 Security Assessment and Testing - DOMAIN 6: Security Assessment and Testing
Vulnerabilities / Vulnerability Scans / Four main categories / Web Vulnerability Scanning - Name some web vuln scanners P677
- Acunetix Scanner - Nikto (open source) - Wapiti - Burp Suite
Testing Your Software / Test Coverage Analysis - Name some of the possible formula criteria (1-3) - P 687
- Branch coverage: Has every if statement been executed under all if and else conditions? - Condition coverage: Has every logical test in the code been executed under all sets of inputs? - Function coverage: Has every function in the code been called and returned results?
Describing Vulnerabilities / SCAP - List the 6 components (4-6) P668
- Common Platform Enumeration (CPE) provides a naming system for operating systems, applications, and devices. - Extensible Configuration Checklist Description Format (XCCDF) provides a language for specifying security checklists. - Open Vulnerability and Assessment Language (OVAL) provides a language for describing security testing procedures.
Describing Vulnerabilities / SCAP - List the 6 components (1-3) P668
- Common Vulnerabilities and Exposures (CVE) provides a naming system for describing security vulnerabilities. - Common Vulnerability Scoring System (CVSS) provides a standardized scoring system for describing the severity of security vulnerabilities. - Common Configuration Enumeration (CCE) provides a naming system for system configuration issues.
Testing Your Software / Code Review / Describe the steps for less formal code reviews P 682
- Developers walking through their code in a meeting with one or more other team members - A senior developer performing manual code review and signing off on all code before moving to production - Use of automated review tools to detect common application flaws before moving to production
Testing Your Software / Fuzz Testing / Generational (Intelligent) -Describe P 684
- Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
Testing Your Software / Code Review / Fagan inspection - Describe P682
- Each step has defined entry and exit criteria that must be met before moving on to the next stage. - Fagan inspections are normally used in highly restrictive environments where code flaws may have a catastrophic impact.
3 Major Components of a Security Assessment Program / 3 Main Types of Audits / EXTERNAL - What are the BIG FOUR Audit Firms? P666
- Ernst & Young - Deloitte & Touche - PricewaterhouseCoopers - KPMG
Testing Your Software / Code Review / What is the most formal process called? What are the steps? P 682
- Fagan inspections. Six step process: Planning / Overview / Preparation / Inspection / Rework / Follow-up
Implementing Security Management Processes / Log Reviews - Describe P 688
- Logging policies can be deployed via Windows Group Policy Objects (GPOs)
Testing Your Software / Test Coverage Analysis - Name some of the possible formula criteria (4-5) - P 687
- Loop coverage: Has every loop in the code been executed under conditions that cause code execution multiple times, only once, and not at all? - Statement coverage: Has every line of code been executed during the test?
Name some common vulnerability scanners P675
- Nessus / QualysGuard / Rapid7's NeXpose - OpenVAS (open source) - Aircrack (scan wireless networks)
Implementing Security Management Processes / Log Reviews - What log is particularly useful when investigating security incidents? P 688
- Network Flow logs (NetFlow) - they provide records of the connections between systems and the amount of data transferred
Describe SCAP
- Provides a common framework for discussion
Implementing Security Management Processes / Account Management / Account privilege review / Sampling - Only works if it's what? P 689
- Random - Don't allow sysadmins to generate the sample or use nonrandom criteria to select accounts for review, or you may miss entire categories of users where errors may exist
Testing Your Software / Website Monitoring / Passive Monitoring - What is a variant of passive monitoring?
- Real user monitoring (RUM) - the monitoring tool reassembles the activity of individual users to track their interaction with a website
3 Major Components of a Security Assessment Program / Audits - What is the main work, or end product of an Audit?
- Reports that are intended for different audiences than tests or assessments are for - may include an org's board of directors, gov regulators...
Testing Your Software / Dynamic Testing - Describe P 683
- Tests in a runtime environment (while program is running) - Often used by orgs using apps written by someone else, where they don't have access to the source code.
Testing Your Software / Static Testing - Describe P 683
- Tests software without running it - analyzes either source code or the compiled application - usually involves the use of automated tools that detect flaws (buffer overflows, etc...)
What provides a common standard to be used by auditors performing assessments of service organizations with the intent of allowing the organization to conduct an external assessment instead of multiple third-party assessments and then sharing the resulting report with customers and potential customers?
- The Statement on Standards for Attestation Engagements document 16 (SSAE 16), "Reporting on Controls"
Vulnerability Management Workflow - Describe P678
- Three step approach to managing vulnerabilities 1) Detection - normally the result of a scan 2) Validation - make sure it is not a false positive (FP) 3) Remediation - patch, config change, etc...
What is the goal of a vulnerability management workflow? P679
- To ensure that vulns are detected and resolved in an orderly fashion. - should also include steps that prioritize vuln remediation based on severity of the vuln, likelihood of exploitation, and difficulty of remediation
Testing Your Software / Dynamic Testing - What's a common example?
- Use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications.
Vulnerabilities / Vulnerability Scans / Four main categories / Network Discovery Scanning - Describe P669
- Uses TCP SYN, Connect, ACK, and Xmas scanning to detect whether ports are open - checks if a port is open or closed and stops there.
Testing Your Software / Website Monitoring / Passive Monitoring - Describe P 687
- analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server. - provides real-world monitoring data that provides administrators with insight into what is actually happening on a network.
3 Major Components of a Security Assessment Program / 3 Main Types of Audits / THIRD-PARTY - Describe P666
- are conducted by, or on behalf of, another org
Penetration Testing - Describe P679
- attempts to exploit systems
3 Major Components of a Security Assessment Program / Testing - Includes what? P662
- automated scans - tool-assisted penetration tests - manual attempts to undermine security
Testing Your Software / Fuzz Testing / What is it called when input is slightly manipulated? P 684
- bit flipping
Testing Your Software / Interface Testing - Describe P 686
- complex applications use multiple teams to each work on separate modules - interface testing ensures these modules will work together - assesses the interactions between components and users
3 Major Components of a Security Assessment Program / Assessments - Describe P664
- comprehensive reviews of the security of a system, application, or other tested environment - a trained information security professional performs a risk assessment that identifies vulnerabilities - include a thoughtful review of the threat environment, current and future risks, and value
Implementing Security Management Processes / Log Reviews - Why should log reviews be conducted periodically? P 688
- ensure that privileged users are not abusing their privileges - ex: admins have access to an eDiscovery tool that allows searching through the contents of user files. Need to make sure this isn't being abused to violate user privacy
Implementing Security Management Processes / Account Management / These reviews ensure what? Who carries this out? P 689
- ensure that users only retain authorized permissions and that unauthorized modifications do not occur - Security management personnel or internal auditors
Testing Your Software / Misuse Case Testing - How do testers test for this? P 686
- first enumerate the known misuse cases - then attempt to exploit those use cases with manual and/or automated attack techniques
Vulnerabilities / Vulnerability Scans / Four main categories / Network Vulnerability Scanning - Describe P673
- goes deeper than discovery scans - also probes for vulnerabilities
Testing Your Software / Misuse Case Testing - Describe P 686
- in some apps, there are clear examples of ways that software users might attempt to misuse the app. - evaluate the vulnerability of their software to these known risks.
Implementing Security Management Processes - Describe P 688
- management processes designed to oversee the effective operation of the information security program
3 Major Components of a Security Assessment Program / 3 Main Types of Audits / INTERNAL - Describe P665
- performed by an org's internal audit staff and are typically intended for internal audiences
3 Major Components of a Security Assessment Program / 3 Main Types of Audits / EXTERNAL - Describe P666
- performed by an outside auditing firm - these audits have a high degree of external validity because the auditors performing the assessment have no conflict of interest with the org
Testing Your Software / Website Monitoring / Synthetic monitoring (aka active monitoring) - Describe P 687
- performs artificial transactions against a website to assess performance. This may be as simple as requesting a page from the site to determine the response time, or it may execute a complex script designed to identify the results of a transaction.
Implementing Security Management Processes / Backup Verification - What should managers check for? P 689
- periodically inspect the results of backups (reviewing logs, inspecting hash values, or requesting an actual restore of a system or file.) - monitor key performance and risk indicators
Vulnerabilities / Vulnerability Scans / Four main categories / Database Vulnerability Scanning - Describe P677
- scans both databases and web applications. Web applications are commonly the vector used to gain access to databases.
Vulnerabilities / Vulnerability Scans / Four main categories / Web Vulnerability Scanning - Describe
- scans web applications - web applications typically have privileged access to underlying dbs.
Testing Your Software / Dynamic Testing - May include the use of what type of transaction? P684
- synthetic transactions - these are scripted transactions with known expected results.
Testing Your Software / Test Coverage Analysis - Describe P 686
- there are too many ways an app might malfunction or be attacked to test them all, so test coverage analysis determines HOW much testing an application should receive - bases the amount of testing on what the app is meant to be used for / how complex it is.
3 Major Components of a Security Assessment Program / Audits - Describe P665
- use many of the same techniques followed during security assessments but must be performed by independent auditors
3 Major Components of a Security Assessment Program / Testing - Describe
- verifies that a control is functioning properly - should be done on a regular schedule
Implementing Security Management Processes / Account Management / One method is to conduct a full review of accounts. When would this be ideal? P 689
- when the accounts are highly privileged - CONS: takes a lot of time
Testing Your Software / Fuzz Testing / Mutation - Which tool is commonly used? What does it do? P684
- zzuf - slightly changes expected input
Testing Your Software / Interface Testing - Name the 3 interface testing types P 686
1) Application Programming Interfaces (APIs) 2) User Interfaces (UIs) 3) Physical Interfaces
3 Major Components of a Security Assessment Program / Audits - What are the 3 main types? P665
1) Internal 2) External 3) Third-party
Testing Your Software / Fuzz Testing - What are the two main categories? P684
1) Mutation (Dumb) Fuzzing 2) Generational (Intelligent) Fuzzing
Vulnerabilities / Vulnerability Scans - What are the four main categories? P669
1) Network discovery scans 2) Network vulnerability scans 3) Web application vulnerability scans 4) Database vulnerability scans
Testing Your Software / Website Monitoring - What are the two forms? P 687
1) Passive monitoring - detects after event occurs 2) Synthetic monitoring - useful at detecting issues before they occur.
What are the 3 major components of a security assessment program? P662
1) Security tests 2) Security assessments 3) Security audits
3 Major Components of a Security Assessment Program / 3 Main Types of Audits / THIRD-PARTY / What are the two SSAE 16 Reports?
1) Type 1 - Org describes their controls to auditor. Cover a single point in time and do not involve actual testing of the controls by auditor. 2) Type 2 - Covers a minimum 6 month time period. Auditor actually tests controls and reports on results.
Penetration Testing - What are the three categories / groups of tests? P681
1) White box - attacker is given detailed info 2) Gray box - attacker has some info. Good when black box results are desired, but costs or time constraints mean some knowledge is given. 3) Black box pen test - attacker given no info
Implementing Security Management Processes - Name some of these security management reviews P 688
1) log reviews 2) account management 3) backup verification 4) key performance and risk indicators
Implementing Security Management Processes / Account Management / Account privilege review - Give an example of what this process might entail. P 689
1) Managers monitor system administrators as they provide a list of users with privileged access and rights. 2) Managers ask the privilege approval authority to provide a list of authorized users and their privileges 3) The managers then compare the two lists to ensure that only authorized users retain access to the system and that each user does not exceed their authorization
Describe ISO 27001 and 27002
- 27001: Describes a standard approach for setting up an information security management team - 27002: goes into more detail on the specifics of info security controls. - Both are internationally recognized standards.
3 Major Components of a Security Assessment Program / Auditing Standards - What is a common auditing and assessment framework? P667
COBIT
Testing Your Software / Interface Testing / UIs - Describe P 686
Ex. include graphical user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.
Testing Your Software / Interface Testing / Physical Interfaces - Describe P 686
Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.
Testing Your Software / Name some application tests
Interface Testing / Misuse Case Testing / Test Coverage Analysis / Fuzz Testing / Static Testing / Dynamic Testing
Testing Your Software / Interface Testing / Why test interfaces?
Interface testing provides an added degree of assurance that interfaces meet the organization's security requirements.
Assessments and Tests are meant for internal or external (or both) use?
Internal only
Implementing Security Management Processes / Account Management / Can portions of the account review process be automated? If so, how? P 689
Many Identity and Access Management (IAM) vendors provide account review workflows that prompt admins to conduct reviews, maintain docs for user accounts, and provide an audit trail showing the completion of reviews.
Penetration Testing - What is a commonly used tool that automatically executes exploits against a targeted system? P679
Metasploit
Testing Your Software / Fuzz Testing / Mutation (Dumb) - Describe
Modifies known inputs to generate synthetic inputs that may trigger unexpected behavior.
Which NIST special publication describes best practices in conducting security and privacy assessments?
NIST SP 800-53A
Implementing Security Management Processes / Log Reviews - Logging systems should make use of what? P 688
NTP (Network Time Protocol)
3 Major Components of a Security Assessment Program / Assessments - Only conducted by external team?
No, internal can perform as well.
Implementing Security Management Processes / Backup Verification - What are some Key Performance and Risk Indicators? P 690
Number of open vulnerabilities / Time to resolve vulnerabilities / Vulnerability/defect recurrence / Number of compromised accounts / Number of software flaws detected in preproduction scanning / Repeat audit findings / User attempts to visit known malicious sites
Penetration Testing - What are some industry standard methodologies for pen testing? P681
OWASP Testing Guide / OSSTMM / NIST 800-115 / FedRAMP Penetration Test Guidance / PCI DSS Information Supplement on Pen Testing
Testing Your Software / Interface Testing / APIs - Describe P 686
Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.
Testing Your Software / Website Monitoring / What does Passive monitoring excel in? Active Monitoring?
PASSIVE: useful in troubleshooting issues identified by users because it can capture traffic related to the issue. ACTIVE: capable of detecting issues before they occur.
PERFORMING VULNERABILITY ASSESSMENTS - Describe P668
Performing vulnerability scans and penetration tests
Penetration Testing - What are the 5 Phases? P679
Planning / Information gathering and discovery / Vulnerability scanning / Exploitation / Reporting
Implementing Security Management Processes / Account Management / Account privilege review - Orgs that do not have time to thoroughly conduct this process can do what? P 689
Sampling
Testing Your Software / Website Monitoring - Describe P 687
Security professionals also often become involved in the ongoing monitoring of websites for performance management, troubleshooting, and the identification of potential security issues.
Vulnerabilities / Vulnerability Scans / Four main categories / Database Vulnerability Scanning - Name a common tool used P678
Sqlmap
What gives the security community a common set of standards and language for describing and evaluating vulnerabilities? P668
The Security Content Automation Protocol (SCAP)
Testing Your Software / Website Monitoring / Which monitoring is often used most? P 687
They are frequently used together because they achieve different results.
Testing Your Software / Fuzz Testing - What are its limitations? P 684
Typically doesn't result in full coverage of the code and is commonly limited to detecting simple vulnerabilities that do not require complex manipulation of business logic
Vulnerabilities / Vulnerability Scans / Four main categories / Network Vulnerability Scanning - By default runs what type of scans? P674
Unauthenticated scans, meaning they test the target systems without having passwords or other privileged information or access.
Testing Your Software / Misuse Case Testing - Give an example P 686
Users of banking software might try to manipulate input strings to gain access to another user's account. They might also try to withdraw funds from an account that is already overdrawn.
3 Major Components of a Security Assessment Program / Assessments - What is the main work, or end product of an assessment? P664
normally an assessment report addressed to management that contains the results of the assessment in nontechnical language and concludes with specific recommendations for improving the security
Testing Your Software / Test Coverage Analysis - What is the formula used? P 686
test coverage = number of use cases tested / total number of use cases