Chapter 15 - Security Assessment and Testing Flashcards
- What is security testing?
Security Tests verify that a control is working properly.
- What is a testing strategy?
A testing strategy may involve frequent automated tests supplemented by infrequent manual tests.
- What is a security assessment?
A security assessment is a comprehensive review of a security system, application or tested environment.
• It also includes a thoughtful review of the threat environment, current and future risks, and the value of the targeted environment.
- NIST 800-53A assessments include 4 components; list them:
• Specifications: the documents associated with the systems being audited.
• Mechanisms: the controls used within an information system to meet the specifications.
• Activities: the actions carried out by people within an information system.
• Individuals: the people who implement specifications, mechanisms and activities.
- What are security audits?
Security Audits are evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party.
• Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors.
- There are three main types of audits:
internal audits, external audits, and third-party audits.
- What is an internal audit?
An internal audit is performed by an organisation's internal staff and is typically intended for internal audiences.
- What is an external audit?
An external audit is performed by an outside auditing firm. These audits have a high degree of external validity because the auditors performing the assessments theoretically have no conflict of interest with the organisation itself, e.g. PwC.
- What are third-party audits?
Third-party audits are conducted by or on behalf of another organisation.
- SSAE 16 means:
Statement on Standards for Attestation Engagements document 16.
- Statement on Standards for Attestation Engagements document 16 (SSAE 16) engagements produce 2 types of reports:
- Type I reports provide a description of the controls provided by the audited organisation as well as the auditor’s opinion based upon that description. Type I audits cover a single point in time and do not involve actual testing of the controls by the auditor.
- Type II reports cover a minimum period of six months and also include an opinion from the auditor on the effectiveness of those controls based upon actual testing performed by the auditor.
- List 2 auditing standards:
International Organization for Standardization (ISO) and Control Objectives for Information and related Technology (COBIT)
- SCAP means
Security Content Automation Protocol
- List and describe the components of the Security Content Automation Protocol (SCAP):
- Common Vulnerabilities and Exposures (CVE): provides a naming system for describing security vulnerabilities.
- Common Vulnerability Scoring System (CVSS): provides a standardised scoring system for describing the severity of vulnerabilities.
- Common Configuration Enumeration (CCE): provides a naming convention for system configuration issues.
- Common Platform Enumeration (CPE): provides a naming system for operating systems, applications and devices.
- Extensible Configuration Checklist Description Format (XCCDF): provides a language for specifying security checklists.
- Open Vulnerability and Assessment Language (OVAL): provides a language for describing security testing procedures.
- What is a vulnerability scan?
Vulnerability scans automatically probe systems, applications and networks for weaknesses that may be exploited by an attacker.
- List 4 types of vulnerability scans:
network discovery scans, network vulnerability scans, web application vulnerability scans and database vulnerability scans
- Describe Network Discovery Scanning:
Network Discovery Scanning uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports.
- List methods used by network scanners to identify open ports on remote systems:
- TCP SYN Scanning
- TCP Connect Scanning
- TCP ACK Scanning
- Xmas Scanning
- What is TCP SYN Scanning?
Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as "half-open" scanning.
- What is TCP Connect Scanning?
Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
- What is TCP ACK Scanning?
Sends a packet with the ACK flag set, indicating that it is part of an open connection. This type of scan may be done in an attempt to determine the rules enforced by a firewall and the firewall methodology.
- What is Xmas Scanning?
Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be “lit up like a Christmas tree,” leading to the scan’s name.
- The most common tool used for network discovery scanning is an open-source tool called ______________:
nmap
- What is the nmap "open" status?
The port is open on the remote system and there is an application actively accepting connections on that port.
- What is the nmap "closed" status?
The port is accessible on the remote system (the firewall is allowing access), but there is no application accepting connections on that port.
- What is the nmap "filtered" status?
Nmap is unable to determine whether the port is open or closed because a firewall is interfering with the connection attempt.
- What is a false positive in vulnerability scanning?
A false positive reports a vulnerability when there is really no problem.
- What is a false negative in vulnerability scanning?
A false negative occurs when a vulnerability scanner fails to alert the administrators to the presence of a dangerous situation.
• Note: by default, network vulnerability scanners run unauthenticated scans.
- What are authenticated scans?
Authenticated scans improve the accuracy of scanning and reduce false negatives and false positives. The scanner has read-only access to the system being scanned and can use this access to read configuration information from the target system and use that information when analysing vulnerability testing results.
An authenticated scan is an essential tool for obtaining accurate vulnerability information on covered devices: by authenticating to the scanned devices it obtains detailed and accurate information about the operating system and installed software, including configuration issues and missing security patches.