Chapter 15 Security Assessment and Testing Flashcards
What is NIST SP 800-53A?
NIST's guide for assessing the security controls in information systems, and the reference for building effective assessment plans. It defines four kinds of assessment object:
–Specifications are the document-based artifacts associated with the system being assessed: policies, procedures, requirements, functional specifications, and designs
–Mechanisms are the controls used within an information system to meet the specifications. May be based in hardware, software, or firmware
–Activities are the actions carried out by people within an information system, such as performing backups, exporting log files, or reviewing account histories
–Individuals are the people who implement specifications, mechanisms, and activities
What are security assessments?
Comprehensive reviews of the security of a system, application, or other tested environment. A trained information security professional performs a risk assessment that identifies vulnerabilities in the environment and makes recommendations for remediation. Assessments normally include the use of testing tools, but they also include a thoughtful review of the threat environment, current and future risks, and the value of the targeted environment. They can be performed by an internal team or outsourced to a third party.
What are Security audits?
Audits use many of the same techniques followed during security assessments but must be performed by independent auditors. Assessment and testing results are meant for internal use only and are designed to evaluate controls with an eye toward finding potential improvements. Audits are performed with the purpose of demonstrating the effectiveness of controls to a third party. The audience may be the board of directors, government regulators, or other third parties.
What are the main auditing standards?
Team performing an audit should be clear on what standard they are using.
A common one for audits is the Control Objectives for Information and Related Technologies (COBIT). It describes common requirements that organizations should have in place for information systems. ISACA maintains COBIT.
ISO also publishes standards. ISO 27001 is a standard approach for setting up an information security management system (ISMS), and ISO 27002 goes into more detail on the specific controls.
How does NIST describe vulnerabilities?
NIST has the Security Content Automation Protocol (SCAP) to provide a common framework for discussing vulnerabilities:
–Common Vulnerabilities and Exposures (CVE) provides a naming system
–Common Vulnerability Scoring System (CVSS) provides a standardized scoring system
–Common Configuration Enumeration (CCE) provides a naming system for system configuration issues
–Common Platform Enumeration (CPE) provides a naming system for operating systems, applications, and devices
–Extensible Configuration Checklist Description Format (XCCDF) provides a language for specifying security checklists
–Open Vulnerability and Assessment Language (OVAL) provides a language for describing security testing procedures
What is banner grabbing?
Opens a connection to a service and reads the banner (the greeting or header the service volunteers) to help fingerprint the software and its version. Some services such as SSH, SMTP and FTP speak first; others such as HTTP only respond after a request is sent. Because administrators can alter or suppress banners, treat the result as a hint rather than proof of the version in use.
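Added example (not from the flashcards): a minimal banner grabber plus a fingerprinting step. Because it has to run offline, it stands up a throwaway loopback listener that plays the part of the remote service and sends a constructed banner; the banners and host names below are made up, and the function names are my own.

```python
import re
import socket
import threading

# Constructed sample banners in the shape real services volunteer on connect.
# These are not captured from any real host.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    "unknown": b"\x00\x01binary-junk\r\n",
}

# Regexes that pull the version-bearing fields out of common banner formats.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")),
    ("smtp", re.compile(r"^220[ -](?P<host>\S+)\s+(?:ESMTP\s+)?(?P<software>.+)$")),
]


def serve_banner(banner: bytes) -> tuple[int, threading.Thread]:
    """Stand-in for a remote service: a loopback listener that sends `banner`
    to the first client and then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0 = let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def grab_banner(host: str, port: int, timeout: float = 3.0, probe: bytes = b"") -> str:
    """Open a TCP connection and read whatever the service says first.
    SSH, SMTP, FTP and POP3 talk first; HTTP stays silent until it gets a
    request, so pass a probe such as b"HEAD / HTTP/1.0\\r\\n\\r\\n" for those."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while len(data) < 1024:
                chunk = s.recv(1024)
                if not chunk:           # peer closed: banner is complete
                    break
                data += chunk
        except socket.timeout:
            pass                        # service went quiet; use what we have
    return data.decode("ascii", errors="replace").strip()


def fingerprint(banner: str) -> dict:
    """Map a raw banner to service/version fields. Banners can be edited or
    removed by administrators, so the result is a hint, not proof."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            return {"service": service, **m.groupdict()}
    return {"service": "unknown", "raw": banner}


def grab_and_fingerprint(kind: str) -> dict:
    """Start a fake `kind` service on loopback, grab its banner, fingerprint it."""
    port, t = serve_banner(SAMPLE_BANNERS[kind])
    result = fingerprint(grab_banner("127.0.0.1", port))
    t.join(timeout=3.0)
    return result


if __name__ == "__main__":
    for kind in SAMPLE_BANNERS:
        print(kind, "->", grab_and_fingerprint(kind))
```

Against a real target you would call grab_banner(host, port) directly and keep the raw string alongside the parsed fields, since an unparsed or unusual banner is itself useful evidence.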
What ports should you know?
FTP: 20, 21
SSH: 22
Telnet: 23
SMTP: 25
DNS: 53
HTTP: 80
POP3: 110
NTP: 123
Windows File Sharing: 135, 137-139, 445
HTTPS: 443
LPR/LPD: 515 (printing)
SQL Server: 1433/1434
Oracle: 1521
H.323: 1720 (teleconferencing)
PPTP: 1723
RDP: 3389
HP JetDirect: 9100
What is the difference between a network and a web vulnerability scanner?
Both network and web vulnerability scanners probe services on a server, but a web application scanner looks deeper at the web application itself (its pages, parameters and logic). A web scanner does not examine non-web services, so it complements a network scanner rather than replacing it.
When should you run web vulnerability scans?
Scans should be run:
–when you first begin scanning, to establish a baseline
–any new application before moving into production
–any modified application before moving into production
–on a recurring basis
What is a common database scanner?
sqlmap, an open-source tool that detects and exploits SQL injection flaws in database-backed web applications.
What is a common network vulnerability scanner?
OpenVAS
What is the vulnerability management workflow?
Workflow approach for managing vulnerabilities.
–Detection: initial identification of a vulnerability
–Validation: administrators should confirm the vulnerability actually exists (and is not a scanner false positive) before spending effort on it
–Remediation: could include applying a vendor-supplied patch, modifying a device configuration, implementing a workaround, or deploying a compensating control such as a web application firewall
How should code review work?
AKA peer review. Developers other than the one who wrote the code look for defects. The review either results in approval to move to production or the code is sent back to the developer for more work. Code review can take many forms; the most formal is the Fagan inspection, which has six steps:
–Planning
–Overview
–Preparation
–Inspection
–Rework
–Follow-up
Fagan inspections are usually found only in highly restrictive environments where failure can have catastrophic results. Most environments have developers walk through code in a meeting. A senior developer may perform a manual code review; other organizations use automated review tools. Whatever form it takes, there should be a defined process in place.
What is fuzz testing?
A specialized dynamic testing technique that feeds a program many different inputs to stress its limits and find previously undetected flaws. The fuzzer supplies invalid, unexpected or random input and watches for crashes, buffer overflows and other signs of failure. Two categories:
–Mutation (dumb) fuzzing: Takes previously captured input values from actual operation of the software and manipulates them (altering characters, appending strings, flipping bits) to create fuzzed content
–Generational (intelligent) fuzzing: Builds a data model of the input format the program expects and generates new inputs from that model
The zzuf tool automates mutation fuzzing.
Flipping individual bits of a valid input is known as bit flipping and is the simplest mutation.
Fuzzing is an important tool, but it is limited largely to detecting simple vulnerabilities, so it should be used alongside other testing.
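Added example (not from the flashcards, and unrelated to zzuf's own code): a small mutation fuzzer in the style described above. It takes a constructed corpus of valid records in a toy length-prefixed format, applies dumb mutations (bit flips, byte overwrites, inserts, deletes, truncation), and runs the results against two parsers: one with a deliberate unchecked-length bug and a hardened version. The record format, both parsers and all function names are my own.

```python
import random

MAGIC = b"RC"


def make_record(payload: bytes) -> bytes:
    """Constructed toy format: 'RC' | 1-byte length | payload | 1-byte checksum."""
    return MAGIC + bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


# Constructed seed corpus: inputs the program handles correctly in normal operation.
SEEDS = [make_record(b"hello"), make_record(b"fuzz me please"), make_record(b"")]


def parse_record_vulnerable(data: bytes) -> bytes:
    """Deliberately flawed parser: trusts the length byte and never checks that
    the buffer really holds that many bytes plus a checksum. The resulting
    IndexError is the Python analogue of an out-of-bounds read in C."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ValueError("bad header")              # graceful rejection
    length = data[2]
    payload = data[3:3 + length]
    if sum(payload) % 256 != data[3 + length]:      # IndexError when data is short
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Hardened parser: validates the length field against the real buffer size."""
    if len(data) < 3 or data[:2] != MAGIC:
        raise ValueError("bad header")
    length = data[2]
    if len(data) != 3 + length + 1:
        raise ValueError("length field does not match buffer")
    payload = data[3:3 + length]
    if sum(payload) % 256 != data[3 + length]:
        raise ValueError("bad checksum")
    return payload


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random 'dumb' mutation of a known-good input."""
    buf = bytearray(data)
    op = rng.choice(["bitflip", "byte", "insert", "delete", "truncate"])
    if op == "bitflip" and buf:                      # flip a single bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "byte" and buf:                       # overwrite with boundary values
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF, rng.randrange(256)])
    elif op == "insert":                             # grow the input by one byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:                     # drop one byte
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:                   # cut the tail off
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seeds, iterations: int = 500, seed: int = 1) -> dict:
    """Mutation-fuzz `target`. ValueError is the parser's documented way of
    rejecting bad input; any other exception is a crash worth triaging.
    Returns {(exception type, message): first input that triggered it}."""
    rng = random.Random(seed)                        # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        case = rng.choice(seeds)
        for _ in range(rng.randint(1, 3)):           # stack a few mutations
            case = mutate(case, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                     # anything else is a finding
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


if __name__ == "__main__":
    for name, parser in [("vulnerable", parse_record_vulnerable), ("fixed", parse_record_fixed)]:
        found = fuzz(parser, SEEDS)
        print(f"{name}: {len(found)} distinct crash(es)")
        for (etype, msg), case in found.items():
            print(f"  {etype}: {msg}  <- {case!r}")
```

The fixed seed makes a crash reproducible, which matters more than it looks: the validation step in the vulnerability management workflow is only possible if the fuzzer hands you the exact input that triggered the failure, so keep the triggering case, not just the exception.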
What is interface testing?
Multiple teams of developers may work on a complex application. Interface testing assesses whether the different modules interact correctly when they are brought together. There are three types of interfaces that should be tested:
–APIs: Offer a standardized way for code modules to interact
–User Interfaces (UIs): Includes GUI and command line.
–Physical interfaces exist in some applications to manipulate machinery, logic controllers, etc.