15 - Security Assessment and Testing Flashcards
What are the 3 main components of a Security Assessment program?
- Security Testing: Verify that a security control is functioning properly. Includes automated scans, tool-assisted pen tests, and manual attempts to undermine security.
- Security Assessments: Comprehensive reviews of the security system, application, and other tested environments. Professionals identify vulnerabilities and provide recommendations for remediation.
- Security Audits: Use of the same techniques followed during the security assessment but must be performed by independent auditors.
What are the different types of Security Audits?
- Internal Audits: Performed by org’s internal audit staff and generally intended for internal audiences.
- External Audits: Performed by an outside auditing firm. Generally considered to have a high degree of external validity because a conflict of interest shouldn’t be a problem.
- Third-Party Audits: Audits conducted by, or on behalf of, another org.
- Type I Report: Provides a description of the controls provided by the audited organization.
- Type II Report: Covers a 6-month time period and also includes an opinion of the auditor on the effectiveness of those controls. (considered more reliable than Type I)
What are some known auditing standards?
- COBIT (Control Objectives for Information and related Technologies): Common requirements organizations should have in place surrounding their information systems.
- ISO 27001: Standard approach for setting up systems
- ISO 27002: Goes into more details on the security controls.
What is SCAP?
Security Content Automation Protocol provides a common framework to describe and evaluate vulnerabilities.
- Common Vulnerability Scoring System (CVSS): Provides a standardized score for the severity of vulnerabilities.
- Common Vulnerabilities and Exposures (CVE): Provides a naming system for security vulnerabilities.
- Common Configuration Enumeration (CCE): Provides a naming system for system configuration issues.
- Common Platform Enumeration (CPE): Provides a naming system for OS, applications, and devices.
- Extensible Configuration Checklist Description Format (XCCDF): Language for specifying security checklists.
- Open Vulnerability and Assessment Language (OVAL): Provides a language for describing security testing procedures.
What is a Vulnerability Scan?
A Vulnerability Scan automatically probes systems, apps, and networks looking for weaknesses that may be exploited by an attacker.
What are the different types of Vulnerability Scans?
- Network Discovery Scanning: Scans a range of IP addresses searching for systems with open network ports.
- TCP SYN Scanning (Half-Open): Sends a packet with the SYN flag set, indicating a request to open a new connection. If a response is received with the SYN and ACK flags set, the request was successful.
- TCP Connect Scanning: Opens a full connection to the remote system on the specified port. Generally used when the user does not have permission to send the handcrafted packets a half-open scan requires.
- TCP ACK Scanning: Sends a packet with the ACK flag set, mimicking an open connection. Used to test the firewall rules.
- Xmas Scanning: Sends packet with FIN, PSH, and URG flags set.
- Network Vulnerability Scanning: Goes deeper than open ports and continues on to probe a targeted system or network for the presence of known vulnerabilities. These tools generally have databases of thousands of vulnerabilities to reference. Generally run without special privileges so as to mimic an attacker's perspective (unauthenticated scans).
- False Positive: Where the scanner flags a vulnerability but lacks the ability to determine whether the system actually contains it.
- False Negative: Where the scanner misses a legitimate vulnerability.
- Web Vulnerability Scanning: Special purpose tools that scour web apps for known vulnerabilities. Generally known for going deeper than a network scan.
- Database Vulnerability Scanning: Scans both databases and web apps for vulnerabilities that may affect database security.
What are the different states ports can be in?
- Open: The port is open and there is an application actively accepting connections on that port.
- Closed: The port is accessible on the remote system (the firewall is allowing access) but there is no application accepting connections on that port.
- Filtered: Unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.
What are some common TCP ports?
- FTP: 20/21
- SSH: 22
- Telnet: 23
- SMTP: 25
- DNS: 53
- HTTP: 80
- POP3: 110
- NTP: 123
- Windows File Sharing: 135, 137-139, 445
- HTTPS: 443
- LPR/LPD: 515
- SQL Server: 1433/1434
- Oracle: 1521
- H.323: 1720
- PPTP: 1723
- RDP: 3389
- HP JetDirect Printing: 9100
What is Vulnerability Management Workflow?
A structured workflow for handling vulnerabilities from discovery through remediation. Steps:
- Detection: Initial identification of a vulnerability, usually resulting from a scan.
- Validation: Confirm it is not a false positive report.
- Remediation: Includes applying a patch, a device configuration change, a workaround, or a firewall/security control that prevents exploitation of the vulnerability.
What is Pen Testing?
Actually attempts to exploit systems to demonstrate the flaws. Consists of the following phases:
- Planning: Agreement on the scope of the test and the rules of engagement.
- Information Gathering and Discovery: Uses manual and automated tools to collect information about the target environment.
- Vulnerability Scanning: Probes for system weaknesses using different vulnerability scans.
- Exploitation: Uses manual and automated exploit tools to attempt to defeat system security.
- Reporting: Summarizes the results of the pen test and makes recommendations.
What are the different Types of Pen Testing?
- White Box: Provides attackers with detailed information about the systems they target.
- Gray Box: Some knowledge is provided; used when black box results are still wanted but cost or time constraints are present.
- Black Box: Does not provide the attacker with any knowledge of the systems being targeted. Simulates an actual attack.
What are the different types of software testing?
- Code Review and Testing
- Interface Testing:
- APIs: The way code interacts with web services.
- User Interfaces (UI): Includes GUIs and CLIs
- Physical Interfaces: Where apps manipulate machinery or other objects of the physical world.
- Misuse Case Testing: Tests whether the software can be abused or misused.
- Test Coverage and Analysis: Estimates the degree of testing conducted: test coverage = number of cases tested / total number of use cases.
- Branch Coverage: Has every if statement been executed under both its if and else conditions?
- Condition Coverage: Has every logical test in the code been executed under all sets of input?
- Function Coverage: Has every function in the code been called and returned results?
- Loop Coverage: Has every loop been executed under conditions that cause the code to execute multiple times?
- Statement Coverage: Has every line of code been executed?
- Website Monitoring: Monitors websites for performance and security issues.
- Passive Monitoring: Analyzes actual network traffic sent to a website
- Synthetic Monitoring (active monitoring): Performs artificial transactions against a website to assess performance.
What are the different components of Code Review and Testing?
- Code Review: Code is reviewed by peers for defects. Steps:
- Planning
- Overview
- Preparation
- Inspection
- Rework
- Follow-Up
- Static Testing: Evaluates the security of software without running it
- Dynamic Testing: Evaluates the security of software in a runtime environment.
- Fuzz Testing: Provides many different types of input to software to stress its limits and find flaws.
- Mutation (Dumb) Fuzzing: Takes previous inputs and mutates them to create fuzzed input.
- Generational (Intelligent) Fuzzing: Develops data models and creates new fuzzed input.
What are some processes used to oversee the security management program?
- Log Reviews: Auditing logs for malicious activity, synchronized clocks, sensitive functions, and other important activities that should be monitored.
- Account Management: Ensures users only retain authorized permissions and that unauthorized modifications do not occur.
- Backup Verification: Inspect the backups to ensure everything is working as expected and backing up the appropriate information.
- Key Performance and Risk Indicators: Tracking the important metrics so progress can be documented and the security posture is maintained.