Domain 6 Flashcards
Information Security Assessment
Information Security Assessment is the process of determining how effectively the entity being evaluated meets specific security criteria (assurance).
Examination
Examination (E) is the process of interviewing, reviewing, inspecting, studying, and observing to facilitate understanding, to compare against standards or baselines, or to obtain evidence.
Examinations are used to determine whether the assessment object is properly documented and to gain operational insight regarding effectiveness, suitability, and survivability.
Examination properties
- Examinations generally focus on policies, standards, baselines, procedures, plans, programs, configurations, settings, output, and reports.
- Examinations are considered a passive activity with minimal (if any) anticipated operational impact.
Testing
Testing is used to identify vulnerabilities (weaknesses), substantiate strengths, and predict the likelihood of exploitation.
- Testing techniques may include vulnerability assessments, penetration testing, password cracking, and social engineering, as well as incident response and disaster recovery/business continuity exercises.
- Testing can be intrusive and can have an operational impact.
Rules of Engagement (ROE)
The Rules of Engagement (ROE) document details the parameters of the assessment (examination and/or testing) and the expected assessor conduct.
Rules of Engagement (ROE) Components
ROE components include:
- Scope
- Level of expertise / methodology
- Data Handling requirements
- Reporting expectations
- Assessor responsibilities
- Legal considerations
Rules of Engagement (ROE) Component: Scope
Selection of assessment objects is influenced by system criticality, information sensitivity, regulatory requirements, and contractual obligations. Scope is also shaped by:
- Size of the system being assessed.
- Complexity of the environment.
- Feasibility of sampling.
Rules of Engagement (ROE) Component: Sampling
Sampling is used to infer characteristics about a population from the characteristics of a sample.
- Evidence sampling is applying a procedure to less than 100% of the population.
- Sampling risk is the risk that the assessor's conclusion, based on a sample, would differ if the entire population were examined or tested.
Sampling Techniques
- Statistical Sampling
- Non-statistical Sampling
- Block Sampling
Statistical Sampling
An objective method for determining sample size and selection criteria.
- Each item should have an equal probability of selection.
Non-statistical Sampling
A subjective method of determining which items are the most material, relevant, and/or risky.
- Included items are based on professional judgment.
Block Sampling
All items in a selected time period, numerical sequence, or alphabetical sequence.
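Worked example of the three sampling techniques, added here as an illustration and not part of the original flashcards. The account population, the review dates and the sample-size defaults (95% confidence, 5% expected exception rate, 3% precision) are constructed assumptions; the sample-size function uses the standard normal-approximation attribute-sampling formula with a finite-population correction.

```python
"""Sampling techniques for an assessment population (added illustration).

The population below is constructed for this example; account names and
review dates are not real data.
"""
import random
from dataclasses import dataclass
from datetime import date
from math import ceil


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool
    last_review: date


# Constructed population of 30 accounts (hypothetical, for illustration only).
POPULATION = [
    Account(
        username=f"user{i:02d}",
        privileged=(i % 5 == 0),
        last_review=date(2023, 1 + (i % 12), 1 + (i % 28)),
    )
    for i in range(30)
]


def attribute_sample_size(population_size, z=1.96, expected_rate=0.05, precision=0.03):
    """Objective sample size for estimating an exception rate (statistical sampling).

    n0 = z^2 * p * (1 - p) / E^2 (normal approximation), then a finite-population
    correction so the sample can never exceed the population. Defaults assume
    95% confidence (z = 1.96), a 5% expected exception rate and +/-3% precision.
    """
    n0 = (z ** 2) * expected_rate * (1 - expected_rate) / (precision ** 2)
    corrected = n0 / (1 + (n0 - 1) / population_size)
    return min(population_size, ceil(corrected))


def statistical_sample(population, size, seed):
    """Random selection: every item has an equal probability of being chosen.

    The seed is recorded in the workpapers so the exact selection is reproducible.
    """
    rng = random.Random(seed)
    return rng.sample(population, size)


def non_statistical_sample(population, is_material):
    """Judgement selection: keep only the items the assessor deems material or risky.

    Results describe the selected items only; unlike a statistical sample they
    cannot be projected onto the whole population.
    """
    return [item for item in population if is_material(item)]


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def block_sample(population, start, end):
    """Block selection: every item whose review date falls in [start, end].

    Bounds may be date objects or ISO strings such as "2023-03-01".
    """
    start, end = _as_date(start), _as_date(end)
    return [item for item in population if start <= item.last_review <= end]


def exception_rate(sample, has_exception):
    """Observed exception rate in a sample, the basis for the assessor's conclusion.

    Sampling risk: the true population rate may differ from this estimate.
    """
    if not sample:
        raise ValueError("empty sample")
    return sum(1 for item in sample if has_exception(item)) / len(sample)


if __name__ == "__main__":
    n = attribute_sample_size(len(POPULATION))
    random_pick = statistical_sample(POPULATION, 10, seed=7)
    privileged = non_statistical_sample(POPULATION, lambda a: a.privileged)
    march = block_sample(POPULATION, "2023-03-01", "2023-03-31")
    stale = lambda a: a.last_review < date(2023, 7, 1)
    print(f"statistical sample size for N={len(POPULATION)}: {n}")
    print("random sample:", [a.username for a in random_pick])
    print("judgement sample (privileged):", [a.username for a in privileged])
    print("block sample (March 2023):", [a.username for a in march])
    print("stale-review rate in random sample:", exception_rate(random_pick, stale))
```

With a population this small the finite-population correction dominates: the formula asks for 27 of the 30 accounts, which is why block or judgement sampling is often chosen for small, high-risk populations and statistical sampling for large homogeneous ones.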
Rules of Engagement (ROE) Component: Logistics
Logistical considerations include location, timing, and notification.
Rules of Engagement (ROE) Component: Assessor Challenges
Security assessors often face technical, operational, and political challenges.
- Resistance from business owners, system and network administrators, and end users.
- Re-assessment of fixes.
- In-the-moment mitigation.
- Restricted time windows.
- Evolving technology.
- Risk of operational impact.
Rules of Engagement (ROE) Component: Legal Considerations
Legal considerations include authorization, liability, indemnification, nondisclosure, and privacy.
Document that details the parameters of an assessment
Rules of Engagement (ROE)
Penetration Testing
The objective of penetration testing is to evaluate the security of a target by identifying and attempting to exploit (actual or proof of concept) weaknesses in the target environment.
- Not to be confused with a vulnerability scan, which looks for known vulnerabilities in the target environment and reports potential exposures.
- Testing methodology can be manual, automated, or hybrid.
- Penetration testing can be useful for determining incident detection and response capabilities.
Penetration Testing Approaches
- Black Box (Blind)
- Double Blind
- Gray Box testing
- White Box (Targeted)
Black Box (Blind) Testing
Penetration testing team is not provided any details of the target environment.
Target personnel have knowledge of the test.
Double Blind
Penetration testing team is not provided any details of the target environment.
Target personnel do not have knowledge of the test.
Gray Box Testing
Penetration testing team is provided limited information about the target environment .
Target personnel have knowledge of the test.
White Box (Targeted)
Both the penetration testing team and target personnel are knowledgeable and work in concert.
More efficient testing method.
The final report may have impact.
Penetration Test Phases
- Passive Reconnaissance
- Active Reconnaissance
- Attack Planning
- Attack and Exploitation
- Reporting
- Remediation and Retesting
Exploitation
Exploitation is the stage where the testers exploit target systems to compromise them. Depending upon the ROE, this phase may be undertaken as “proof of concept” or as an actual exploit.
Persistence
Persistence is the act of installing or modifying services, installing malware or rootkits, creating backdoors, and/or creating accounts that will survive reboots.
Pivoting
Pivoting is the act of using a weakness on one system to access a better protected system.
Escalation of Privilege
Escalation of Privilege is the act of exploiting a vulnerability to gain elevated access to a resource.
Reporting
Penetration test reports should include vulnerability findings, exploit activities, and recommendations for mitigation.
- Vulnerability findings should be categorized and referenced appropriately using CVE notation.
- Exploit activities should be documented in enough detail that they are reproducible.
- Mitigation recommendations should be prioritized and, as applicable, include risk reduction and security enhancement recommendations.
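Added example (not from the original flashcards) of the three report components in Python: findings referenced by CVE notation and checked against the CVE-YYYY-NNNN format, exploit activities carried with their reproduction steps, and mitigations prioritized by whether exploitation succeeded and then by CVSS score. The findings, scores, steps and the placeholder CVE identifier are constructed for illustration; the severity bands are the CVSS v3 qualitative rating scale.

```python
"""Penetration-test reporting helpers (added illustration, not from the page).

All findings, scores and identifiers below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Canonical CVE notation: "CVE-" + four-digit year + "-" + four or more digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Finding:
    title: str
    category: str            # e.g. "Injection", "Misconfiguration"
    cvss: float              # CVSS base score, 0.0 - 10.0
    exploited: bool          # exploitation attempted (PoC or actual) per the ROE
    cve_ids: list = field(default_factory=list)
    reproduction: list = field(default_factory=list)   # steps needed to reproduce
    mitigation: str = ""


def severity(cvss):
    """CVSS v3 qualitative rating scale."""
    if cvss <= 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def validate_finding(f):
    """Return a list of reporting defects; an empty list means the finding is report-ready."""
    problems = []
    if not 0.0 <= f.cvss <= 10.0:
        problems.append(f"{f.title}: CVSS score {f.cvss} is out of range")
    for cve in f.cve_ids:
        if not CVE_RE.match(cve):
            problems.append(f"{f.title}: '{cve}' is not valid CVE notation")
    if f.exploited and not f.reproduction:
        problems.append(f"{f.title}: exploit activity has no reproduction steps")
    if not f.mitigation:
        problems.append(f"{f.title}: no mitigation recommendation")
    return problems


def prioritize(findings):
    """Order recommendations: confirmed-exploited findings first, then descending CVSS."""
    return sorted(findings, key=lambda f: (not f.exploited, -f.cvss))


def render_report(findings):
    """Plain-text report with the three required sections."""
    lines = ["VULNERABILITY FINDINGS"]
    for f in findings:
        refs = ", ".join(f.cve_ids) or "no CVE reference"
        lines.append(f"- [{severity(f.cvss)} {f.cvss}] {f.category}: {f.title} ({refs})")
    lines.append("EXPLOIT ACTIVITIES")
    for f in findings:
        if f.exploited:
            lines.append(f"- {f.title}")
            lines.extend(f"    {i}. {step}" for i, step in enumerate(f.reproduction, 1))
    lines.append("MITIGATION RECOMMENDATIONS (prioritized)")
    for rank, f in enumerate(prioritize(findings), 1):
        lines.append(f"{rank}. {f.title}: {f.mitigation}")
    return "\n".join(lines)


# Constructed findings; "CVE-1999-99999" is a placeholder, not a real identifier.
FINDINGS = [
    Finding("Outdated web framework", "Vulnerable component", 7.5, exploited=False,
            cve_ids=["CVE-1999-99999"], mitigation="Upgrade to a supported release"),
    Finding("SQL injection in search", "Injection", 9.1, exploited=True,
            reproduction=["Submit ' OR 1=1-- in the q parameter",
                          "Observe the full table in the response"],
            mitigation="Parameterize queries; validate input"),
    Finding("Default admin credentials", "Misconfiguration", 8.8, exploited=True,
            reproduction=["Log in with the vendor default credentials"],
            mitigation="Force credential change on first login"),
]


if __name__ == "__main__":
    for f in FINDINGS:
        for problem in validate_finding(f):
            print("defect:", problem)
    print(render_report(FINDINGS))
```

The validation step is the check a reviewer applies to the result-evaluation questions that follow: an exploited finding without reproduction steps, or a reference that is not in CVE notation, fails before the report is accepted.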
Pen Test Result Evaluation
- Scope: What systems and devices are in scope?
- Frequency: How often is the test conducted?
- Stage: What is the stage of the target environment?
- Type: Was the testing manual or automated?
- Qualifications: What are the qualifications of the tester?
- Rating Scale: What rating scale are they using - proprietary, open source, government?
- Results: How comprehensive are the results? How clearly are they presented?
- Remediation Plan: Are remediation actions documented? Is enough information presented so that the findings can be replicated?
Red Team | Blue Team Simulation Exercises
Red Team | Blue Team Simulation Exercises are designed to simulate an attack and evaluate response and preparedness.
Red Team
External entities that emulate the behaviors and techniques of likely attackers.
Blue Team
Internal security team (defenders)
Purple Team
Independent third party that monitors both teams in real time, evaluates activity, facilitates communications if applicable, and recommends enhancements.
Fagan Inspection
- Planning
- Overview
- Preparation
- Inspection
- Rework
- Follow-up