CISSP ch 15 Flashcards
Security tests
verify that a control is functioning properly
Security assessments
comprehensive reviews of the security of a system, application or other tested environment
Identifies vulnerabilities in the tested environment. does not usually include actual mitigation of those vulnerabilities
Thoughtful review of the threat environment, current and future risks, and the value of the targeted environment
Should be addressed to the organization’s management
NIST SP 800-53A
Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans = best practices for conducting security and privacy assessments
Specifications (NIST SP 800-53A)
documents associated with the system being audited (e.g., policies, procedures, requirements and designs)
Mechanisms (NIST SP 800-53A)
controls used within an information system to meet the specifications
Activities (NIST SP 800-53A)
actions carried out by people within an information system
Individuals (NIST SP 800-53A)
people who implement specifications, mechanisms and activities
Security audits
use many of the same techniques followed during security assessments but must be performed by independent auditors
Less routine than tests or assessments
Purpose of demonstrating the effectiveness of controls to a third party (as opposed to purely internal distribution)
Internal audits
performed by an organization’s internal audit staff and are typically intended for internal audiences
Reporting line that is completely independent of the functions they evaluate
CAE
Chief Auditing Executive = may have reporting responsibility directly to the organization’s governing board
SSAE 18
Statement on Standards for Attestation Engagements, document 18 ‘Reporting on Controls’ (produced by the American Institute of Certified Public Accountants / AICPA)
Provides a common standard to be used by auditors performing assessments of service organizations, with the intent of allowing the organization to conduct one external assessment instead of multiple third-party assessments and then share the resulting report with customers and potential customers
ISAE 3402
International Standard for Attestation Engagements 3402 ‘Assurance Reports on Controls at a Service Organization’ = SSAE 18 equivalent used outside of U.S.
SOC audits
Service organization controls audit = SSAE 18 and ISAE 3402
SOC 1 engagements
assess the organization’s controls that might impact the accuracy of financial reporting
SOC 2 engagements
Assess the organization’s controls that affect the security (confidentiality, integrity and availability) and privacy of information stored in a system
SOC 2 audit results are confidential and normally are only shared outside the organization under an NDA
SOC 3 Engagements
Assess the organization’s controls that affect the security (confidentiality, integrity and availability) and privacy of information stored in a system
SOC 3 audit results are intended for public disclosure
Type I Reports
provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls
Cover only a specific point in time, rather than an extended period
More of a documentation review
Type II reports
provide the auditor’s opinion on the operating effectiveness of the controls
The auditor actually confirms that the controls are functioning properly
Covers an extended period of time, at least six months of operation
COBIT
Control Objectives for Information and Related Technologies, maintained by ISACA
Common framework for conducting audits and assessments
Describes the common requirements that organizations should have in place surrounding their information systems
ISO 27001
standard approach for setting up an information security management system
ISO 27002
goes into more detail on the specifics of information security controls
SCAP
NIST’s Security Content Automation Protocol = common framework for describing and evaluating vulnerabilities, and facilitates the automation of interactions between different security systems
CVE (SCAP)
Common Vulnerabilities and Exposures = naming system for describing security vulnerabilities
CVSS (SCAP)
Common Vulnerability Scoring System = standardized scoring system for describing the severity of security vulnerabilities
CCE (SCAP)
Common Configuration Enumeration = naming system for systems configuration issues
CPE (SCAP)
Common Platform Enumeration = naming system for operating systems, applications and devices
XCCDF (SCAP)
Extensible Configuration Checklist Description Format = language for specifying security checklists
OVAL (SCAP)
Open Vulnerability and Assessment Language = language for describing security testing procedures
Vulnerability scans
automatically probe systems, applications and networks looking for weaknesses that may be exploited by an attacker
Network discovery scanning
variety of techniques to scan a range of IP addresses, searching for systems with open network ports
TCP SYN Scanning = half-open scanning (network discovery)
Sends a single packet to each scanned port with the SYN flag set, indicating a request to open a new connection
If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open
TCP Connect Scanning (network discovery)
Opens a full connection to the remote system on the specified port
Used when the user running the scan does not have the necessary permissions to run a half-open scan (i.e., user cannot send hand-crafted packets)
TCP ACK Scanning (network discovery)
Sends a packet with the ACK flag set, indicating that it is part of an open connection
May be done in an attempt to determine the rules enforced by a firewall and the firewall methodology
UDP scanning (network discovery)
Performs a scan of the remote system using the UDP protocol, checking for active UDP services
Does not use the three way handshake, because UDP is a connectionless protocol
Xmas scanning (network discovery)
Sends a packet with the FIN, PSH and URG flags set
A packet with so many flags is said to be ‘lit up like a Christmas tree’
nmap
most common tool used for network discovery scanning = provides the current status of ports
Open (nmap)
the port is open on the remote system and there is an application that is actively accepting connections on that port
Closed (nmap)
the port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port
Filtered (nmap)
Nmap is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt
Banner grabbing
technique used by port scanners, network vulnerability scanners and web vulnerability scanners to identify the variant and version of a service running on a system
Opens a connection to the service and reads the details provided on the welcome screen or banner to assist with version fingerprinting
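To make the port-state and banner-grabbing cards concrete, here is an added example (not from the deck, and not nmap's code) that performs a TCP connect scan and classifies each port the way nmap reports it, then grabs the service banner. It runs entirely on loopback: a throwaway listener with a constructed SSH-style greeting stands in for the real service, so the open, closed and filtered states are produced by the kernel's own SYN/ACK, RST and timeout behaviour rather than by a mock.

```python
import socket
import threading

# Constructed banner for the demo listener; it imitates the greeting an SSH
# server prints on connect, but no real sshd is involved.
FAKE_BANNER = b"SSH-2.0-OpenSSH_9.6 demo\r\n"


def start_banner_listener(host="127.0.0.1", banner=FAKE_BANNER):
    """Start a throwaway TCP service on a kernel-assigned port that greets each
    client with `banner` and hangs up. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_tcp_port(host="127.0.0.1"):
    """Reserve and release a port so the scan has a known *closed* port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan: complete the full three-way handshake on each port.
    Classification mirrors nmap's states:
      open     - handshake completed, something is accepting connections
      closed   - host answered with RST (ConnectionRefusedError)
      filtered - no answer before the timeout (a firewall dropped the SYN)
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:   # must come before the generic OSError
            results[port] = "closed"
        except (socket.timeout, OSError):
            results[port] = "filtered"
        finally:
            s.close()
    return results


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Connect and read whatever the service volunteers before we send anything;
    returns the decoded banner, or '' if the service stayed silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(max_bytes)
    except OSError:
        return ""
    return data.decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    srv, open_port = start_banner_listener()
    closed_port = free_tcp_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    print(grab_banner("127.0.0.1", open_port))
    srv.close()
```

A connect scan needs no raw-socket privilege, which is exactly the case the TCP Connect card describes; it also leaves a complete connection in the target's logs, which a half-open SYN scan avoids. Against a real host you would see the "filtered" branch only where a firewall silently drops the SYN.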
netstat command
useful tool for examining the active ports on a system = lists all active network connections on a system as well as those ports that are open and awaiting new connections
network vulnerability scans
go deeper than discovery scans, don’t stop at detecting open ports but continue to probe a targeted system or network for the presence of known vulnerabilities
These tools contain databases of thousands of known vulnerabilities along with tests they can perform to identify whether a system is susceptible to each vulnerability in the system’s database
Authenticated scans
scanner has read-only access to the servers being scanned and can use this access to read configuration information from the target system and use that information when analyzing vulnerability testing results
TCP Port 20
FTP file transfer protocol (data channel)
TCP Port 22
SSH secure shell
TCP Port 23
Telnet (remote access)
TCP Port 25
SMTP (unencrypted mail)
TCP Port 53
DNS domain name system (domain name to IP address)
TCP Port 80
HTTP (unencrypted)
TCP Port 110
POP3 (email retrieval)
Port 123
NTP network time protocol, time synchronization (runs over UDP in practice)
TCP Port 21
FTP file transfer protocol (control channel)
TCP Port 135
Windows RPC endpoint mapper (Windows File Sharing and other Windows services)
TCP port 137
NetBIOS name service (Windows File Sharing; UDP in practice)
TCP port 138
NetBIOS datagram service (Windows File Sharing; UDP in practice)
TCP port 139
NetBIOS session service (Windows File Sharing, SMB over NetBIOS)
TCP port 445
SMB directly over TCP (Windows File Sharing)
TCP port 443
HTTPS
TCP port 515
LPR/LPD (printing)
TCP port 1433
Microsoft SQL Server (default database listener)
TCP port 1434
Microsoft SQL Server (SQL Server Browser service; UDP in practice)
TCP port 1521
Oracle
TCP port 1720
H.323 (VoIP)
TCP port 1723
PPTP (point to point tunneling, VPN)
TCP port 3389
RDP remote desktop protocol
TCP port 9100
HP JetDirect printing
OpenVAS
open source vulnerability scanner
Sqlmap
a commonly used open source tool that detects and exploits SQL injection flaws in web applications and their back-end databases
Penetration testing
goes beyond vulnerability testing techniques and actually attempts to exploit systems = Try to defeat security controls and break into a targeted system or application to demonstrate the flaw
Metasploit framework
tool commonly used by penetration testers to automatically execute exploits against targeted systems
White-box penetration test
known environment tests
provides the attackers with detailed information about the systems they target, bypassing many of the reconnaissance steps, shortening the time of the attack and increasing the likelihood of finding security flaws
gray-box penetration test
partial knowledge tests = partially known environment tests
particularly common when black-box results are desired but costs or time constraints mean that some knowledge is needed to complete the testing
black-box penetration test
unknown environment tests
does not provide attackers with any information prior to the attack
simulates an external attacker trying to gain access to information about the business and technical environment before engaging in an attack
BAS platforms
breach and attack simulation platforms = seek to automate some aspects of penetration testing
NIST SP 800-115
Technical Guide to Information Security Testing and Assessment = industry standard penetration testing methodology
OSSTMM
Open Source Security Testing Methodology Manual
industry standard penetration testing methodology
compliance checks
verify that all of the controls listed in a compliance plan are functioning properly and are effectively meeting regulatory requirements
exception handling
process of handling unexpected activity (e.g., invalid input, improperly sequenced activity)
code review / peer review
where developers other than the one who wrote the code review it for defects
Fagan inspections
the most formal code review process, made up of six steps:
Planning
Overview
Preparation
Inspection
Rework
Follow-up
SAST
static application security testing = evaluates the security of software without running it by analyzing either the source code or the compiled application
Involves the use of au
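An added example (not from the deck, and not any commercial SAST product) of what "analyzing the source code without running it" looks like in practice: a small Python-AST scanner that flags dangerous calls, shell=True subprocess invocations, and SQL statements built from dynamic strings before they reach execute(). The sample source it scans is constructed for this example; the parameterised query on line 6 shows the pattern the scanner deliberately does not flag.

```python
import ast

# Calls that evaluate attacker-influenced data as code or commands.
DANGEROUS_CALLS = {"eval", "exec", "os.system", "pickle.loads", "yaml.load"}

# Constructed sample source to scan; lines 5, 10 and 11 contain the findings.
SAMPLE = '''\
import os, subprocess, sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")  # concatenation
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))      # parameterised
    return cur.fetchall()

def run(cmd):
    subprocess.run(cmd, shell=True)
    return eval(cmd)
'''


def _call_name(node):
    """Dotted name of a call target, e.g. 'os.system', 'cur.execute', 'eval'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _is_dynamic_string(node):
    """True when the expression assembles a string at runtime: f-strings,
    '+' or '%' on strings, or str.format(); a plain literal is static."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def scan_source(source, filename="<input>"):
    """Return sorted (line, message) findings for the given Python source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"dangerous call {name}()"))
        if name.split(".")[-1] == "execute" and node.args \
                and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno,
                             "SQL built from a dynamic string passed to execute()"))
        if name.startswith("subprocess.") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords):
            findings.append((node.lineno, f"{name}() called with shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in scan_source(SAMPLE):
        print(f"line {line}: {message}")
```

Working on the AST rather than on regular expressions is what lets the scanner tell `"... = ?"` with a parameter tuple apart from `"..." + user`, and it is also why a real SAST tool needs data-flow tracking on top of this: the concatenated query on line 5 would still be flagged even if `user` were a trusted constant.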
DAST
dynamic application security testing = evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else
Testers often do not have access to the underlying source code
E.g., use of web application scanning tools to detect the presence of cross-site scripting, SQL injection or other flaws in web applications
May include the use of synthetic transactions (i.e., scripted transactions with known expected results); testers run synthetic transactions against the tested code and then compare the output of the transactions to the expected state
IAST
Interactive application security testing = performs real-time analysis of runtime behavior, application performance, HTTP/HTTPS traffic, frameworks, components and background connections
RASP
Runtime Application Self-Protection = a tool that runs on a server and intercepts calls to and from an application and validates data requests
fuzz testing
a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws = Supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities
Mutation (dumb) fuzzing
Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input
Might alter the characters of the content, append strings to the end of the content or perform other data manipulation techniques
generational (intelligent) fuzzing
Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program
zzuf tool
automates the process of mutation fuzzing by manipulating input according to user specifications
bit flipping
changing input so that it is almost identical to the original, but with one bit modified (a 1 changed to a 0, or vice versa)
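The mutation-fuzzing and bit-flipping cards describe the technique; this added example (not from the deck, and not the zzuf tool) runs a small mutation fuzzing campaign against a constructed record parser. The fragile parser trusts its length byte, so some mutations crash it with an IndexError; the hardened version beside it validates the length first and rejects every malformed input with a ValueError, which is the behaviour a fuzzer should treat as "handled". The seeded RNG makes the run reproducible.

```python
import random


def make_record(payload):
    """Valid record layout (constructed for the demo): 1-byte length,
    payload, 1-byte checksum = sum(payload) mod 256."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])


def parse_record(data):
    """Deliberately fragile parser: it trusts the length byte, so a length
    larger than the data causes an uncaught IndexError on the checksum read."""
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload


def parse_record_safe(data):
    """Hardened version: validate the length field before using it; every
    malformed input is rejected with ValueError, never a crash."""
    if len(data) < 2:
        raise ValueError("truncated record")
    length = data[0]
    if len(data) != length + 2:
        raise ValueError("length field disagrees with record size")
    payload = data[1:1 + length]
    if sum(payload) % 256 != data[1 + length]:
        raise ValueError("bad checksum")
    return payload


def bit_flip(data, index, bit):
    """Flip one bit of byte `index`: the 'almost identical' mutation."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)


def mutate(seed, rng):
    """Dumb (mutation) fuzzing: derive a fuzzed input from a known-good one
    by flipping a bit, appending junk, or truncating."""
    strategy = rng.randrange(3)
    if strategy == 0 and seed:
        return bit_flip(seed, rng.randrange(len(seed)), rng.randrange(8))
    if strategy == 1:
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        return seed + junk
    return seed[:rng.randrange(len(seed) + 1)]


def run_campaign(parser, seed, iterations=500, rng_seed=7):
    """Feed mutated inputs to `parser`. ValueError is the parser's designed
    rejection; any other exception is an unhandled crash worth a bug report."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        fuzzed = mutate(seed, rng)
        try:
            parser(fuzzed)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((fuzzed, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    seed = make_record(b"hello")
    for name, parser in (("fragile", parse_record), ("hardened", parse_record_safe)):
        found = run_campaign(parser, seed)
        print(f"{name}: {len(found)} crashing inputs")
        for fuzzed, exc in found[:3]:
            print("   ", exc, fuzzed)
```

The campaign only ever mutates the original seed, so every crash is one mutation away from valid input, which keeps the reproducer easy to read. In a memory-unsafe language the same length-field bug would be an out-of-bounds read rather than a Python exception, which is why fuzzers pair mutation with sanitizers.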
interface testing
assesses the performance of separately developed modules against the interface specifications to ensure that they will work together properly when all the development efforts are complete
APIs
Application Programming Interfaces
Offer a standardized way for code modules to interact and may be exposed to the outside world through web services
Must be tested to ensure that they enforce all security requirements
UIs
User Interfaces
E.g., GUIs (graphical user interfaces) and command-line interfaces
Provide end users with the ability to interact with the software
test coverage analysis
used to estimate the degree of testing conducted against the new software
test coverage = number of use cases tested / total number of use cases
A highly subjective calculation
branch coverage (test coverage analysis)
Has every ‘if’ statement been executed under all ‘if’ and ‘else’ conditions?
condition coverage (test coverage analysis)
Has every logical test in the code been executed under all sets of inputs?
function coverage (test coverage analysis)
Has every function in the code been called and returned results?
loop coverage (test coverage analysis)
Has every loop in the code been executed under conditions that cause code execution multiple times, only once, and not at all?
statement coverage (test coverage analysis)
Has every line of code been executed during the test?
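The coverage cards list the questions but not how they are answered. This added example (not from the deck, and not coverage.py) measures statement coverage of a constructed function with sys.settrace and also records the line-to-line transitions (arcs) taken. It shows the difference the branch-coverage card is getting at: one test input executes every statement of clamp(), yet the arc that skips the if-body has never been taken, so the false branch of the `if` is untested.

```python
import dis
import sys


def executable_lines(func):
    """Lines of `func` that carry bytecode: the denominator of statement
    coverage. The def line itself is excluded."""
    code = func.__code__
    return {line for _, line in dis.findlinestarts(code)
            if line is not None and line != code.co_firstlineno}


def trace_calls(func, arg_tuples):
    """Run func(*args) for each tuple under sys.settrace; return the set of
    executed line numbers and the set of (from_line, to_line) arcs taken."""
    target = func.__code__
    executed, arcs = set(), set()
    state = {"last": None}

    def tracer(frame, event, arg):
        if frame.f_code is not target:
            return None                  # do not trace other frames
        if event == "call":
            state["last"] = None         # new invocation: no previous line
        elif event == "line":
            executed.add(frame.f_lineno)
            if state["last"] is not None:
                arcs.add((state["last"], frame.f_lineno))
            state["last"] = frame.f_lineno
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in arg_tuples:
            func(*args)
    finally:
        sys.settrace(previous)
    return executed, arcs


def statement_coverage(func, arg_tuples):
    """Return (fraction_of_statements_executed, set_of_missed_lines)."""
    lines = executable_lines(func)
    executed, _ = trace_calls(func, arg_tuples)
    hit = executed & lines
    return len(hit) / len(lines), lines - hit


# Function under test (constructed): one `if` with no `else` branch.
def clamp(n, limit):
    if n > limit:
        n = limit
    return n


if __name__ == "__main__":
    first = clamp.__code__.co_firstlineno
    frac, missed = statement_coverage(clamp, [(5, 3)])
    print(f"statement coverage with clamp(5, 3) only: {frac:.0%}, missed {missed}")
    _, arcs = trace_calls(clamp, [(5, 3)])
    skip_arc = (first + 1, first + 3)    # `if` line straight to `return`
    print(f"arc {skip_arc} (false branch) taken: {skip_arc in arcs}")
    _, arcs = trace_calls(clamp, [(5, 3), (1, 3)])
    print(f"after adding clamp(1, 3): {skip_arc in arcs}")
```

Statement coverage reaches 100% with a single input because every line of clamp() runs when n exceeds the limit; only the arc set reveals that the `if` has never evaluated to false. The same idea, with every possible arc derived from the bytecode instead of listed by hand, is how branch coverage is computed by real tools.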
passive website monitoring
Analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server
Provides real-world monitoring data that gives administrators insight into what is actually happening on a network
RUM (website monitoring)
real user monitoring = a variant of passive monitoring where the monitoring tool reassembles the activity of individual users to track their interaction with a website
active website monitoring / synthetic monitoring
Performs artificial transactions against a website to assess performance
SIEM packages
security information and event management packages = automate much of the routine work of log review
syslog functionality
present in many devices, operating systems and applications = used by SIEM packages to collect information
Windows’ GPOs
Group Policy Objects = mechanism that can deploy and enforce standard policies throughout the organization = can deploy a logging policy
NetFlow logs
network flow logs that provide records of the connections between systems and the amount of data transferred = particularly useful when investigating security incidents
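The NetFlow card says flow records are "particularly useful when investigating security incidents" without showing what an investigator does with them. This added example (not from the deck, and not any SIEM vendor's code) runs two simple detections over a constructed flow export: a host moving an unusual volume of bytes to an external address, and a host touching many ports on one target. The address ranges treated as internal, the field layout and every flow line are assumptions made for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption for the demo: these ranges are "inside"; everything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow export (NetFlow-v5-like fields, invented for this example):
# start,src,sport,dst,dport,proto,bytes
_BASE_FLOWS = [
    "2024-05-01T09:00:01,10.0.1.15,51234,10.0.2.5,445,tcp,48200",
    "2024-05-01T09:00:05,10.0.1.15,51240,203.0.113.9,443,tcp,910000000",
    "2024-05-01T09:01:10,10.0.1.22,44000,198.51.100.7,443,tcp,120000",
    "2024-05-01T09:01:30,10.0.1.22,44001,198.51.100.7,443,tcp,80000",
]
# One host touching 25 different ports on one target: a vertical port scan.
_SCAN_FLOWS = [
    f"2024-05-01T09:02:{i:02d},10.0.1.40,{40000 + i},10.0.2.5,{port},tcp,60"
    for i, port in enumerate(range(1, 26))
]
SAMPLE_EXPORT = "\n".join(_BASE_FLOWS + _SCAN_FLOWS) + "\n"

FIELDS = ("start", "src", "sport", "dst", "dport", "proto", "bytes")


def parse_flows(text):
    """Turn the text export into a list of flow dicts with numeric fields."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields")
        rec = dict(zip(FIELDS, parts))
        for key in ("sport", "dport", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exfiltration(flows, threshold_bytes=500_000_000):
    """Total bytes each internal host sent to external addresses; report the
    hosts at or above the threshold (possible data exfiltration)."""
    outbound = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            outbound[f["src"]] += f["bytes"]
    return {src: total for src, total in outbound.items() if total >= threshold_bytes}


def find_port_scans(flows, min_ports=20):
    """(src, dst) pairs where src touched at least min_ports distinct
    destination ports (possible vertical port scan)."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_EXPORT)
    print(f"{len(flows)} flows parsed")
    for src, total in find_exfiltration(flows).items():
        print(f"exfiltration candidate: {src} sent {total:,} bytes externally")
    for (src, dst), n in find_port_scans(flows).items():
        print(f"port scan candidate: {src} -> {dst} touched {n} ports")
```

Flow records carry no payload, so neither detection can say what was transferred; what they give the investigator is the who-talked-to-whom, when and how much that a SIEM correlates with host and application logs. Thresholds like 500 MB or 20 ports are starting points to tune per environment, not constants.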