Domain 6. Chapter 15

Question 1

Domain 6 Security Assessment and Testing
1. Three major components of a security assessment program:
1.1 Security tests
1.2 Security assessments
1.3 Security audits

Question 2

1.1 Security tests
Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.
When scheduling security controls for review, information security managers should consider the following factors:

• Availability of security testing resources
• Criticality of the systems and applications protected by the tested controls
• Sensitivity of information contained on tested systems and applications
• Likelihood of a technical failure of the mechanism implementing the control
• Likelihood of a misconfiguration of the control that would jeopardize security
• Risk that the system will come under attack
• Rate of change of the control configuration
• Other changes in the technical environment that may affect the control performance
• Difficulty and time required to perform a control test
• Impact of the test on normal business operations

Experimentation with new tools is fine, but security testing programs should be carefully designed and include rigorous, routine testing of systems using a risk-prioritized approach.

Answer 2

Тесты безопасности проверяют, что элемент управления работает правильно. Эти тесты включают автоматическое сканирование, тесты на проникновение с помощью инструментов и ручные попытки подорвать безопасность.
При планировании проверки мер безопасности менеджеры по информационной безопасности должны учитывать следующие факторы: Доступность ресурсов для тестирования безопасности Критичность систем и приложений, защищаемых протестированными средствами управления Чувствительность информации, содержащейся в тестируемых системах и приложениях. Вероятность технического отказа механизма, реализующего контроль Вероятность неправильной настройки элемента управления, которая поставит под угрозу безопасность. Риск того, что система подвергнется атаке Скорость изменения конфигурации управления Другие изменения в технической среде, которые могут повлиять на эффективность контроля. Сложность и время, необходимое для выполнения контрольного теста Влияние теста на нормальную бизнес-операцию

Question 3

1.2 Security assessments
Security assessments are comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
NIST Special Publication 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans.

Under NIST 800-53A, assessments include four components:

1. Specifications are the documents associated with the system being audited. Specifications generally include policies, procedures, requirements, specifications, and designs.
2. Mechanisms are the controls used within an information system to meet the specifications.
   Mechanisms may be based in hardware, software, or firmware.
3. Activities are the actions carried out by people within an information system. These may include performing backups, exporting log files, or reviewing account histories.
4. Individuals are the people who implement specifications, mechanisms, and activities.

Question 4

1.3 Security audits
Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors.

Assessment and testing results are meant for internal use only and are designed to evaluate controls with an eye toward finding potential improvements. Audits, on the other hand, are evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party.

Auditors provide an impartial, unbiased view of the state of security controls. They write reports that are quite similar to security assessment reports, but those reports are intended for different audiences that may include an organization’s board of directors, government regulators, and other third parties.
There are three main types of audits:
1.3.1 internal audits,
1.3.2 external audits,
1.3.3 and third-party audits.

Answer 4

Аудиторы обеспечивают беспристрастное и непредвзятое мнение о состоянии мер безопасности. Они пишут отчеты, которые очень похожи на отчеты об оценке безопасности, но эти отчеты предназначены для различной аудитории, которая может включать совет директоров организации, государственные регулирующие органы и другие третьи стороны. Существует три основных типа аудита: внутренний аудит, внешний аудит и аудит третьей стороны.

Question 5

1.3.1 Internal audits
Internal audits are performed by an organization’s internal audit staff and are typically intended for internal audiences. The internal audit staff performing these audits normally have a reporting line that is completely independent of the functions they evaluate. In many organizations, the chief audit executive reports directly to the president, chief executive officer (CEO), or similar role.

Question 6

1.3.2 External audits
External audits are performed by an outside auditing firm. These audits have a high degree of external validity because the auditors performing the assessment theoretically have no conflict of interest with the organization itself.
most large organizations use the so-called Big Four audit firms:

Ernst & Young
Deloitte
PricewaterhouseCoopers
KPMG

Question 7

1.3.3 Third-party audits
Third-party audits are conducted by, or on behalf of, another organization. For example, a regulatory body might have the authority to initiate an audit of a regulated firm under contract or law.
International Standard for Attestation Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization.

SSAE 18 and ISAE 3402 engagements are commonly referred to as service organization controls (SOC) audits, and they come in three forms:

• SOC 1 Engagements Assess the organization’s controls that might impact the accuracy of financial reporting.
• SOC 2 Engagements Assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA.
• SOC 3 Engagements Assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.

They differ in the scope of the opinion provided by the auditor:

• Type I Reports These reports provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls. Type I reports also cover only a specific point in time, rather than an extended period. You can think of the Type I report as more of a documentation review where the auditor is checking things out on paper and making sure that the controls described by management are reasonable and appropriate.
• Type II Reports These reports go further and also provide the auditor’s opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly. The Type II report also covers an extended period of time: at least six months of operation. You can think of the Type II report as more like a traditional audit. The auditors are not just checking the paperwork; they are also going in and verifying that the controls function properly.

Type II reports are considered much more reliable than Type I reports because they include independent testing of controls.

Question 8

1.3 Auditing Standards
- Control Objectives for Information and Related Technologies (COBIT). COBIT describes the common requirements that organizations should have in place surrounding their information systems. The COBIT framework is maintained by ISACA.
- ISO 27001 describes a standard approach for setting up an information security management system, and ISO 27002 goes into more detail on the specifics of information security controls.

Question 9

2. Vulnerability Assessments (part of 1.1 Security tests)
   Vulnerability scans and penetration tests provide security professionals with a perspective on the weaknesses in a system or application’s technical controls by identifying technical vulnerabilities that they contain. Vulnerabilities are weaknesses in systems and security controls that might be exploited by a threat.

Question 10

2.1 Describing Vulnerabilities
NIST provides the community with the Security Content Automation Protocol (SCAP).
The components of SCAP most directly related to vulnerability assessment include these:

• Common Vulnerabilities and Exposures (CVE) provides a naming system for describing security vulnerabilities.
• Common Vulnerability Scoring System (CVSS) provides a standardized scoring system for describing the severity of security vulnerabilities.
• Common Configuration Enumeration (CCE) provides a naming system for system configuration issues.
• Common Platform Enumeration (CPE) provides a naming system for operating systems, applications, and devices.
• Extensible Configuration Checklist Description Format (XCCDF) provides a language for specifying security checklists.
• Open Vulnerability and Assessment Language (OVAL) provides a language for describing security testing procedures.

Question 11

2.2 Vulnerability Scans
Vulnerability scans automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker. The scanning tools used in these tests provide quick, point-and-click tests that perform otherwise tedious tasks without requiring manual intervention.
There are four main categories of vulnerability scans:
2.2.1 network discovery scans,
2.2.2 network vulnerability scans,
2.2.3 web application vulnerability scans,
2.2.4 database vulnerability scans.

Question 12

2.2.1 Network Discovery Scanning
Network discovery scanning uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports.

Network discovery scanners use many different techniques to identify open ports on remote systems. Some of the more common techniques are as follows:
- TCP SYN Scanning Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as “half-open” scanning.
- TCP Connect Scanning Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan. Most other scan types require the ability to send raw packets, and a user may be restricted by the operating system from sending handcrafted packets.
- TCP ACK Scanning Sends a packet with the ACK flag set, indicating that it is part of an open connection. This type of scan may be done in an attempt to determine the rules enforced by a firewall and the firewall methodology.
- UDP Scanning Performs a scan of the remote system using the UDP protocol, checking for active UDP services. This scan type does not use the three-way handshake, because UDP is a connectionless protocol.
- Xmas Scanning Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be “lit up like a Christmas tree,” leading to the scan’s name.

Question 13

2.2.2 Network Vulnerability Scanning
Network vulnerability scans go deeper than discovery scans. They don’t stop with detecting open ports but continue on to probe a targeted system or network for the presence of known vulnerabilities.
By default, network vulnerability scanners run unauthenticated scans.
This allows the scan to run from the perspective of an attacker but also limits the ability of the scanner to fully evaluate possible vulnerabilities. One way to improve the accuracy of the scanning and reduce false positive and false negative reports is to perform authenticated scans of systems.
The Open Web Application Security Project (OWASP) maintains a comprehensive list at https://oiwasp.org/www-community/Vulnerability_Scanning_Tools. The open source OpenVAS scanner also has a growing community of users.

Question 14

2.2.2 Network Vulnerability Scanning
LEARNING TCP PORTS
Interpreting port scan results requires knowledge of some common TCP ports. Here are a few that you should commit to memory when preparing for the CISSP exam:

FTP: 20/21
SSH: 22
Telnet: 23
SMTP: 25
DNS: 53
HTTP: 80
POP3: 110
NTP: 123
Windows File Sharing: 135, 137–139, 445
HTTPS: 443
LPR/LPD: 515
Microsoft SQL Server: 1433/1434
Oracle: 1521
H.323: 1720
PPTP: 1723
RDP: 3389
HP JetDirect printing: 9100

Question 15

2.2.3 Web Vulnerability Scanning
Web vulnerability scanners are special-purpose tools that scour web applications for known vulnerabilities.
Do network vulnerability scans and web vulnerability scans sound similar? That’s because they are! Both probe services running on a server for known vulnerabilities. The difference is that network vulnerability scans generally don’t dive deep into the structure of web applications, whereas web application scans don’t look at services other than those supporting web services.

It’s a good practice to run scans in the following circumstances:

Scan all applications when you begin performing web vulnerability scanning for the first time. This will detect issues with legacy applications.
Scan any new application before moving it into a production environment for the first time.
Scan any modified application before the code changes move into production.
Scan all applications on a recurring basis. Limited resources may require scheduling these scans based on the priority of the application. For example, you may wish to scan web applications that interact with sensitive information more often than those that do not.
For example, the Payment Card Industry Data Security Standard (PCI DSS), discussed in Chapter 4, “Laws, Regulations, and Compliance,” requires that organizations either perform web application vulnerability scans at least annually or install dedicated web application firewalls to add additional layers of protection against web vulnerabilities.

Question 16

2.2.4 Database Vulnerability Scanning
Database vulnerability scanners are tools that allow security professionals to scan both databases and web applications for vulnerabilities that may affect database security. Sqlmap is a commonly used open source database vulnerability scanner that allows security administrators to probe web applications for database vulnerabilities.

Question 17

2.3 Vulnerability Management Workflow
Organizations that adopt a vulnerability management system should also develop a workflow approach to managing vulnerabilities. The basic steps in this workflow should include the following:

1. Detection: The initial identification of a vulnerability normally takes place as the result of a vulnerability scan.
2. Validation: Once a scanner detects a vulnerability, administrators should confirm the vulnerability to determine that it is not a false positive report.
3. Remediation: Validated vulnerabilities should then be remediated. This may include applying a vendor-supplied security patch, modifying a device configuration, implementing a workaround to avoid the vulnerability, or installing a web application firewall or other control that prevents the exploitation of the vulnerability.

Question 18

2.4 Penetration Testing
The penetration test goes beyond vulnerability testing techniques because it actually attempts to exploit systems. Vulnerability scans merely probe for the presence of a vulnerability and do not normally take offensive action against the targeted system. (That said, some vulnerability scanning techniques may disrupt a system, although these options are usually disabled by default.) Security professionals performing penetration tests, on the other hand, try to defeat security controls and break into a targeted system or application to demonstrate the flaw.

NIST defines the penetration testing process as consisting of the four phases illustrated in Figure 15.7:

• Planning includes agreement on the scope of the test and the rules of engagement.
• Information gathering and discovery uses manual and automated tools to collect information about the target environment. This includes performing basic reconnaissance to determine system function (such as visiting websites hosted on the system) and conducting network discovery scans to identify open ports.
• Attack seeks to use manual and automated exploit tools to attempt to defeat system security. This step is where penetration testing goes beyond vulnerability scanning, as vulnerability scans do not attempt to actually exploit detected vulnerabilities.
• Reporting summarizes the results of the penetration testing and makes recommendations for improvements to system security.

Penetration testers commonly use a tool called Metasploit Framework to automatically execute exploits against targeted systems.

Answer 18

Тест на проникновение выходит за рамки методов тестирования уязвимостей, поскольку он фактически пытается использовать системы. Сканирование уязвимостей просто исследует наличие уязвимости и обычно не предпринимает наступательных действий против целевой системы. (Тем не менее, некоторые методы сканирования уязвимостей могут нарушить работу системы, хотя эти параметры обычно отключены по умолчанию.) С другой стороны, специалисты по безопасности, выполняющие тесты на проникновение, пытаются обойти меры безопасности и взломать целевую систему или приложение, чтобы продемонстрировать недостаток.

• Планирование включает в себя согласование объема испытаний и правил проведения испытаний.
• Для сбора и обнаружения информации используются ручные и автоматизированные инструменты для сбора информации о целевой среде. Это включает в себя выполнение базовой разведки для определения функций системы (например, посещение веб-сайтов, размещенных в системе) и проведение сканирования сети для выявления открытых портов.
• Атака направлена ​​на использование ручных и автоматических инструментов эксплойта, чтобы попытаться обойти безопасность системы. На этом этапе тестирование на проникновение выходит за рамки сканирования уязвимостей, поскольку сканирование уязвимостей не пытается фактически использовать обнаруженные уязвимости.
• Отчет обобщает результаты тестирования на проникновение и дает рекомендации по улучшению безопасности системы.

Question 19

2.4 Penetration Testing
The tests are normally categorized into three groups:

• White-Box Penetration Test Provides the attackers with detailed information about the systems they target. This bypasses many of the reconnaissance steps that normally precede attacks, shortening the time of the attack and increasing the likelihood that it will find security flaws. These tests are sometimes called “known environment” tests.
• Gray-Box Penetration Test Also known as partial knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of white- and black-box penetration tests. This is particularly common when black-box results are desired but costs or time constraints mean that some knowledge is needed to complete the testing. These tests are sometimes called “partially known environment” tests.
• Black-Box Penetration Test Does not provide attackers with any information prior to the attack. This simulates an external attacker trying to gain access to information about the business and technical environment before engaging in an attack. These tests are sometimes called “unknown environment” tests.

There are many industry-standard penetration testing methodologies that make a good starting point when designing your own program. Consider using the OWASP Web Security Testing Guide, OSSTMM (Open Source Security Testing Methodology Manual), NIST 800-115, FedRAMP Penetration Test Guidance, or PCI DSS Information Supplement on Penetration Testing as references.

Question 20

2.5 Compliance Checks
Organizations find themselves subject to a wide variety of compliance requirements.
Compliance checks are an important part of security testing and assessment programs for regulated firms. These checks verify that all of the controls listed in a compliance plan are functioning properly and are effectively meeting regulatory requirements.

Answer 20

Проверки соответствия являются важной частью программ тестирования и оценки безопасности для регулируемых фирм. Эти проверки проверяют, что все средства контроля, перечисленные в плане соответствия, функционируют должным образом и эффективно соответствуют нормативным требованиям.

Question 21

3. Testing Your Software
   Software should be designed in a manner that considers the possible threats to these objectives and responds appropriately. One of the core design principles supporting this goal is that software should never depend on users behaving properly.
   This process of handling unexpected activity is known as exception handling.

Question 22

3.1 Static Testing
Static application security testing (SAST) evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.

Question 23

3.2 Dynamic Testing
Dynamic application security testing (DAST) evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications.
Dynamic testing may include the use of synthetic transactions to verify system performance. These are scripted transactions with known expected results.

Interactive application security testing (IAST) performs real-time analysis of runtime behavior, application performance, HTTP/HTTPS traffic, frameworks, components, and backend connections. Runtime Application Self-Protection (RASP) is a tool that runs on a server and intercepts calls to and from an application and validates data requests.

Question 24

3.3 Fuzz Testing
Fuzz testing is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities.

There are two main categories of fuzz testing:

Mutation (Dumb) Fuzzing Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Generational (Intelligent) Fuzzing Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

Question 25

3.4 Interface Testing
Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all the development efforts are complete.

Three types of interfaces should be tested during the software testing process:

• Application Programming Interfaces (APIs) Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.
• User Interfaces (UIs) Examples include graphical user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify that they function properly.
• Physical Interfaces Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if they fail.

Question 26

3.5 Misuse Case Testing
Software testers use a process known as misuse case testing or abuse case testing to evaluate the vulnerability of their software to these known risks. In misuse case testing, testers first enumerate the known misuse cases. They then attempt to exploit those use cases with manual and/or automated attack techniques.

Question 27

3.6 Test Coverage Analysis
Software testing professionals often conduct a test coverage analysis to estimate the degree of testing conducted against the new software.
An illustration of the formula for Test Coverage which is equal to number of use cases tested divided by number of use cases tested.
The test coverage analysis formula may be adapted to use many different criteria. Here are five common criteria:

• Branch coverage: Has every if statement been executed under all if and else conditions?
• Condition coverage: Has every logical test in the code been executed under all sets of inputs?
• Function coverage: Has every function in the code been called and returned results?
• Loop coverage: Has every loop in the code been executed under conditions that cause code execution multiple times, only once, and not at all?
• Statement coverage: Has every line of code been executed during the test?

Answer 27

Формула анализа тестового покрытия может быть адаптирована для использования множества различных критериев. Вот пять общих критериев: Охват ветвей: выполнялся ли каждый оператор if при всех условиях if и else? Покрытие условий: был ли выполнен каждый логический тест в коде для всех наборов входных данных? Покрытие функций: каждая ли функция в коде была вызвана и вернула результаты? Покрытие циклов: каждый ли цикл в коде выполнялся в условиях, которые вызывают многократное выполнение кода, только один раз и ни разу? Покрытие операторов: была ли выполнена каждая строка кода во время теста?

Question 28

4. Website Monitoring
   This type of monitoring comes in two different forms:

• Passive monitoring analyzes actual network traffic sent to a website by capturing it as it travels over the network or reaches the server. This provides real-world monitoring data that gives administrators insight into what is actually happening on a network. Real user monitoring (RUM) is a variant of passive monitoring where the monitoring tool reassembles the activity of individual users to track their interaction with a website.
• Synthetic monitoring (or active monitoring) performs artificial transactions against a website to assess performance. This may be as simple as requesting a page from the site to determine the response time, or it may execute a complex script designed to identify the results of a transaction.

Question 29

4. Implementing Security Management Processes
   In addition to performing assessments and testing, sound information security programs also include a variety of management processes designed to oversee the effective operation of the information security program.
   The security management reviews that fill this need include log reviews, account management, backup verification, and key performance and risk indicators. Each of these reviews should follow a standardized process that includes management approval at the completion of the review.

Answer 29

Помимо проведения оценок и испытаний, надежные программы информационной безопасности также включают в себя различные процессы управления, предназначенные для наблюдения за эффективной работой программы информационной безопасности.
Проверки управления безопасностью, которые удовлетворяют эту потребность, включают проверку журналов, управление учетными записями, проверку резервных копий, а также ключевые показатели производительности и рисков. Каждая из этих проверок должна следовать стандартизированному процессу, который включает в себя одобрение руководства по завершении проверки.

Question 30

4.1 Log Reviews
Security information and event management (SIEM) packages play an important role in these processes, automating much of the routine work of log review.
Logging systems should also make use of the Network Time Protocol (NTP) to ensure that clocks are synchronized on systems sending log entries to the SIEM as well as the SIEM itself.
Information security managers should also periodically conduct log reviews, particularly for sensitive functions, to ensure that privileged users are not abusing their privileges.

Question 31

4.2 Account Management
One way to perform account management is to conduct a full review of all accounts. This is typically done only for highly privileged accounts because of the amount of time consumed. The exact process may vary from organization to organization, but here’s one example:

Managers ask system administrators to provide a list of users with privileged access and the privileged access rights. They may monitor the administrator as they retrieve this list to avoid tampering.
Managers ask the privilege approval authority to provide a list of authorized users and the privileges they should be assigned.
The managers then compare the two lists to ensure that only authorized users retain access to the system and that the access of each user does not exceed their authorization.

This process may include many other checks, such as verifying that terminated users do not retain access to the system, checking the paper trail for specific accounts, or other tasks.

Question 32

4.3 Disaster Recovery and Business Continuity
Chapter 3, “Business Continuity Planning,”
Chapter 18, “Disaster Recovery Planning,”
Consistent backup programs are an extremely important component of these efforts. Managers should periodically inspect the results of backups to verify that the process functions effectively and meets the organization’s data protection needs.
Regular testing of disaster recovery and business continuity controls provides organizations with the assurance that they are effectively protected against disruptions to business operations.

Question 32

4.5 Training and Awareness
Training and awareness programs play a crucial role in preparing an organization’s workforce to support information security programs. These efforts educate employees about current threats and advise them on best practices for protecting information and systems under their care from attack.
Recurring training and awareness efforts should take place throughout the year, reminding employees of their responsibilities and updating them on changes to the organization’s operating environment and the threat landscape.

Many organizations use phishing simulations to evaluate the effectiveness of their security awareness programs. These simulations use fake phishing messages to determine whether users are susceptible to phishing attacks.

Question 32

4.6 Key Performance and Risk Indicators
Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary from organization to organization but may include the following:

Number of open vulnerabilities
Time to resolve vulnerabilities
Vulnerability/defect recurrence
Number of compromised accounts
Number of software flaws detected in preproduction scanning
Repeat audit findings
User attempts to visit known malicious sites

Once an organization identifies the key security metrics it wishes to track, managers may want to develop a dashboard that clearly displays the values of these metrics over time and display it where both managers and the security team will regularly see it, such as on an intranet.