Chapter 15 - Security Assessment and Testing Flashcards
Who is the intended audience for a security assessment report?
Security assessment reports should be addressed to the organization’s management. For this reason, they should be written in plain English and avoid technical jargon.
What type of network discovery scan only follows the first two steps of the TCP handshake?
TCP SYN scan. It sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way handshake and that the port is open. TCP SYN scanning is also known as “half-open” scanning.
Web application scanning frequency requirement by PCI DSS
PCI DSS requires that organization either perform web application vulnerability scans at least annually or that they install dedicated web application firewalls to add additional layers of protection against web vulnerabilities.
What information security management task ensures that the organization’s data protection requirements are met effectively?
The backup verification process ensures that backups are running properly and thus meeting the organization’s data protection objectives.
Penetration test process
Performing basic reconnaissance to determine system function (such as visiting websites hosted on the system)
Network discovery scans to identify open ports
Network vulnerability scans to identify unpatched vulnerabilities
Web application vulnerability scans to identify web application flaws
Use of exploit tools to automatically attempt to defeat the system security Manual probing and attack attempts
Why social engineering is difficult to counter
- There is no single hardware or software solution to solve the issue.
- Policy depends on users following the policy.
- It is difficult to detect social engineering or differentiate routine user behavior with behavior motivated by an external actor.
Type of network-based vulnerability assessment
A network-based vulnerability assessment tool/system either re-enacts system attacks, noting and recording responses to the attacks, or probes different targets to infer weaknesses from their responses.
What kind of data test environment should use?
Test environment using sanitized live workloads data.
The best way to properly verify an application or system during a stress test would be to expose it to “live” data that has been sanitized to avoid exposing any sensitive information or Personally Identifiable Data (PII) while in a testing environment.
Fabricated test data may not be as varied, complex or computationally demanding as “live” data. A production environment should never be used to test a product, as a production environment is one where the application or system is being put to commercial or operational use. It is a best practice to perform testing in a non-production environment.
Stress testing is carried out to ensure a system can cope with production workloads, but as it may be tested to destruction, a test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a production environment. If only test data is used, there is no certainty that the system was adequately stress tested.
Blind Testing
Blind Testing refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target. Such a testing is expensive, since the penetration tester has to research the target and profile it based on publicly available information.
Change management process sequence
Request a change, approve, document, test, implement, report
Syslog
Syslog, the most widely used logging subsystem, by default transmits log data in plaintext over UDP/514 when sending data to a remote server. UDP, a transport protocol that does not guarantee the delivery of transmissions, has implications for ensuring the continuity of logging.
This means that the central log server might not have received all the log data, even though the endpoint has no facility for knowing that it failed to be delivered successfully.
The plaintext nature of Syslog means that a suitably positioned adversary could see the (potentially sensitive) log data as it traverses the network. Syslog messages may also be spoofed due to the lack of authentication, lack of encryption, and use of UDP as the layer 4 transport protocol.
Security assessment
Security assessments are a holistic approach to assessing the effectiveness of access control. Instead of looking narrowly at penetration tests or vulnerability assessments, security assessments have a broader scope.