Ch18 - 18.01 - Understanding Types of Assessments Flashcards
Risk Assessment (Analysis)
Risk assessment is also known as risk analysis and deals with identifying the risks to assets within the organization and then finding solutions to minimize those risks.
- Identify assets
- Identify threats (risk) against assets (Threat assessment)
- Analyze impact
- Prioritize threats
- Mitigate the threat
Threat Assessment
Threat assessment is actually part of risk assessment, where you identify the different threats to an asset. As mentioned, you will have many different threats for a single asset, and part of risk assessment is to prioritize those threats.
Configuration Assessment
With a configuration assessment, the security administrator will review the security configuration of a system or network. This typically involves having a checklist of configuration best practices and ensuring that those best practices are followed. The following is a list of assets whose configuration you would check:
- All systems
- File server
- Web server
- SMTP server
- DNS server
- Routers
- Firewalls
- Switches
- Employees
- Physical security
Configuration Assessment - Employees
When performing a manual assessment, also assess employees’ knowledge of security by planning and executing a few social engineering attacks against them. For example, you could see if an employee would give their password away. Or put CDs with no labels on them on a few employees’ desks, and see how many of those employees put the CD in their systems. The idea here is that the CD could have been a virus, and employees should not put unknown media in a system.
Vulnerability Assessment
A vulnerability assessment is an assessment where you identify areas in the configuration that make your system vulnerable to an attack or security incident. Most vulnerability assessments are automated by using a vulnerability assessment tool such as Microsoft Baseline Security Analyzer (MBSA), GFI LanGuard (see Figure 18-1), or Nessus.
Remember that vulnerability assessments are considered passive assessments because you are not actually trying to bypass security controls and hack a system.
Some of the items that a vulnerability assessment would check for:
- Unused accounts
- Administrative accounts
- Unpatched operating system
- Unpatched software
- Vulnerable software
Vulnerability Assessment - Credentialed vs. Non-credentialed
When performing a vulnerability scan, you should ensure that you perform one as an unauthenticated user (non-credentialed) to find out what information is being exposed to unknown persons on the network. You should then perform the scan logged in with an administrative account (credentialed) so that you can collect as much information about the system as possible.
Penetration Testing
A penetration test is a totally different type of security assessment than a vulnerability assessment. With a penetration test, the tester uses common attack methods to see if they can bypass the security of a system. If the penetration tester cannot compromise the system by using common exploits, then the system passes the test. Otherwise, if the system is compromised, the system fails the test and the penetration tester reports on the findings and on how to secure the system.
Legal Issues
Always ensure before performing any kind of penetration test that you have a legal document drafted by a lawyer stating that you have been given permission to perform such a test. Ensure that upper-level management of the organization asking you to do the penetration test sign the document. This is known as penetration testing authorization. You should also get authorization before performing a vulnerability scan—this is known as vulnerability testing authorization.
Types of Testing
- Black box test
- White box test
- Gray box test
Black box test
When performing a black box test, or hiring a pentester (penetration tester) to do a black box test, the goal is to give the tester no information on the organization or its network configuration. The tester will have to act as a hacker and discover the details of the organization and its configuration on their own and then simulate the attacks. This type of test would take the longest because the tester has to figure out what assets you have before trying to compromise them.
White box test
With a white box test, you, or the consultants you hire to do the test, are given all the details about the organization’s assets and configuration. In this type of test, the goal is to see if the systems can be compromised. Although this type of test is quicker than the black box test, it does not give you any idea of how easy or hard it may be for someone to discover information about your organization.
Gray box test
A gray box test is in the middle; the tester gets some details about the organization and its configuration, but only limited details. For example, the tester may get a list of IP addresses used by the organization and have to figure out what is running on those IP addresses and then simulate an attack.
Baseline Reporting
Baseline reporting involves capturing a baseline of the system—what the system looks like under normal working conditions—and then comparing that baseline to performance data. Baseline reporting is typically used in security incidents that involve a denial of service or malware incident in which the system is not performing to expectations.
Code Review
Being a bit of a programmer, I hate to say it, but most security problems result from developers creating applications in an unsecured way. For example, it is a critical rule of secure coding to ensure that you validate any data sent to the application because if you do not, a hacker could perform an SQL injection attack or a buffer overflow attack. Take time to ensure that regular code reviews of the software developed in house are performed. Have a specific security tester go through all the application code that your developers write and look for mistakes in the code that could cause a security issue.
Attack Surface
Attack surface refers to the software and services running on a system.