Chapter 15 Flashcards
Security assessment program
- Security testing - verifies controls are performing as expected; can be automated; for internal use and reporting
- Security assessment - review security of system or env via risk assessment; for internal use and reporting; NIST SP 800-53A assessment objects:
  - Specifications and requirements
  - Mechanisms or controls
  - Activities
  - People
- Security audit - similar to assessment but performed by an independent party (auditor); evaluation for demonstrating effectiveness to a 3rd party
Security Audit
- Internal Audit - internal staff and for internal consumption
- External Audit - external auditor hired by the org but not controlled by the org
- Third-party Audit - auditor hired by another org; not controlled by the audited org
Standard:
SOC 1 - financial reporting
SOC 2 - evaluate CIA; only disclose externally with NDA
SOC 3 - evaluate CIA; for public disclosure
Reports:
Type I - document review only
Type II - auditors actually test controls
Standard Assessment and Audit frameworks
COBIT
ISO 27001
Describing vulnerabilities
SCAP (Security Content Automation Protocol) by NIST; elements include:
- CVE - description
- CVSS - scoring system
- CCE - config enumeration
- CPE - platform enumeration; OS, app, dev
- XCCDF (Extensible Configuration Checklist Description Format) - language for security checklist exchange
- OVAL (Open Vulnerability and Assessment Language) - language for security testing procedures
Vulnerability Scanning
4 categories:
- Network Discovery Scan - ports only; nmap
- Network Vulnerability Scan - go beyond port scan
- Web Vulnerability Scan
- DB Vulnerability Scan - e.g. sqlmap
Network Discovery Scan
Identify open ports
- TCP SYN scan - half open
- TCP Connect scan - full connection
- TCP ACK scan - test firewall
- UDP scan
- Xmas scan - all flags set
Nmap tool:
- Open, closed, filtered, unfiltered, open|filtered
Vulnerability mgmt workflow
- Detection - via scan
- Validation - verify the finding is not a false positive
- Remediation - apply patch, etc.
Penetration Testing
Phases as per NIST:
1. Prepare
2. Discovery
3. Attack
4. Report
Common tool: Metasploit
White-box testing - known env
Black-box testing - unknown env
Gray-box testing - partially known env
BAS (Breach and Attack Simulation)
Test security controls, e.g. placing a suspicious file on a server to trigger the control mechanism
Combines blue and red team techniques
Code Review
Fagan inspections - formal process:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework - back to Planning
6. Follow-up
Static Testing
Source code analysis, using automation tools
Dynamic Testing
Involves testing the running code
- Synthetic transactions - scripted transactions w/ known expected results
- Benchmarks - involves performance metrics
Fuzz testing - injects invalid, malformed, or unexpected inputs; e.g. bit flipping using zzuf tool
- Mutation/Dumb fuzzing - modify valid input to create new test inputs
- Generational/Intelligent fuzzing - use a data model to create new test inputs
Interface Testing
API
User interfaces
Network interfaces
Physical interfaces
Misuse case testing or abuse case testing
Test Coverage
Typical formula:
(use cases tested / total use cases) * 100
But can also use:
- branch coverage
- condition coverage
- function coverage
- loop coverage
- statement coverage
Penetration testing teams
Red team - attacker
Blue team - defend
White team - observe and judge
Purple team - red + blue for post test lessons learned
Other security mgmt processes:
- Log reviews
- Account reviews
- Backups verification
- Training & Awareness
- Monitor KPIs and risk indicators
Website monitoring
Passive monitoring - capture real traffic for monitoring; one type is Real User Monitoring (RUM)
Synthetic monitoring (active monitoring) - inject synthetic transactions to monitor performance