Domain 6: Security Assessment and Testing Flashcards
Define security testing
Verifies that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security.
Verification
Objective evidence that the design outputs of a phase of the SDLC meet requirements. This may be performed by a third party entity.
Validation
Develops a “level of confidence” that the software meets all requirements and expectations; the software improves over time.
Network flow - Logging
Captured to provide insight into network traffic for security, troubleshooting, and performance management.
Audit logging (network)
Provides information about events that have occurred on routers and other network devices.
NTP
Network Time Protocol.
Why is accurate time important for an environment?
Logs must have accurate time stamps, and these time stamps must remain consistent throughout the environment. A common method is to set up an internal NTP server that is synchronised to a trusted time source such as a public NTP server. Other systems can then synchronise with this internal NTP server.
Syslog
Message logging standard commonly used by network devices, Linux and Unix systems and other devices (firewalls).
Modified logs are a sign of…
Intrusion or malicious intent.
War driving
Driving a car with a laptop to find open APs.
IDS
Intrusion Detection Systems.
What are the two types of IDS
1. Network Based
2. Host Based
Network Based IDS
Detects intrusions on the LAN behind a firewall. It is a passive device that acquires data and reviews packets and headers. However, the issue with a NIDS is that it will not detect attacks by users logged into hosts.
Host based IDS
Monitors servers through event and system logs. However, it is only as good as the host's logging, and it can be easier to discover and disable.
Signature based method (AKA Knowledge based)
Attacks are compared against a database of attack signatures.
Statistical anomaly based
Defines normal behaviour and detects abnormal behaviour.
Response Box
The part of an IDS that initiates an alarm or activity.
Response Box Components
Information source/sensor, centralised monitor software, data and event report analysis, database components and response to an event or intrusion
IPS Intrusion Prevention System
Detect attack and PREVENT that attack from being successful
Remote Access Software
Granted and secured through VPNs.
Web Proxies
Form of gateway that provides clients with a filtering, caching, or other service that protects their information from remote systems.
Vulnerability Management System
Such as Nessus; used to enable an effective patch management strategy.
Authentication Servers
System that facilitates authentication of an entity, such as SSO servers
Routers
Opens up a data packet, reads the hardware or network address, and then forwards it to the correct network.
Firewalls
Network device to analyse the network traffic entering and leaving a network.
Clipping Level
Predefined thresholds, set by the company, for the number of certain types of errors that will be allowed before the activity is considered suspicious.
Audit Trails
A history of audit log events that may include the transaction date/time, who processed the transaction, and at which terminal.
Breaches
Incident that results in disclosure or potential disclosure of data. It is about breaking the confidentiality of data.
Availability of logs
Archival process to prevent loss through overwritten logs.
Log analysis
Study logs for events of interest.
Log size
Set a maximum size. If it is too small, attackers can make small changes and push them out of the window.
Real User Monitoring
Aims to capture and analyse every transaction of a user.
Synthetic Performance Monitoring
Uses scripted or recorded data. Proactive monitoring involves having external agents run scripted transactions against a web application.
Code Review
Foundation of software assessment programs. Other developers review code for defects.
Fagan Inspections
Most formal code review process, which follows a rigorous review and testing process with six steps:
- Planning
- Overview
- Preparation
- Inspection
- Rework
- Follow-up
Code Coverage Report
Information on the functions, statements, branches and conditions covered in testing.
Use cases - test coverage
Used as part of the test coverage calculation, which divides the number of tested use cases by the total number of use cases.
Code Review Report
Generated if the organisation manually reviewed the application's source code.
Black box testing
Observes the system's external behaviour; no internal details are known.
Dynamic Testing
Does not require access to source code; evaluates code in a runtime environment.
White box Testing
Detailed examination of a logical path, checking the possible conditions. Requires access to source code.
Static Testing
Requires access to source code; performs code analysis.
CVE
Common Vulnerabilities and Exposures dictionary. The CVE dictionary provides a standard convention used to identify vulnerabilities and is produced by MITRE.
CVSS
Common Vulnerability Scoring System: metrics and calculation tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be remediated. Also used to score vulnerabilities against an organisation's unique requirements.
NVD
National Vulnerability Database.
Compiled Code
Poses more risk than interpreted code because malicious code can be embedded in the compiled code and can be difficult to detect.
Regression Testing
Verification that what is being installed does not affect any portion of the application system already installed. It generally requires the support of an automated process to repeat tests previously undertaken: known inputs are run against the application and the results are compared with those of the earlier version.
Non Regression Testing
Confirms that the code works as planned.
Code comparison
Normally used to identify the parts of the source code that have changed.
Integration Testing
Aimed at finding bugs in the relationships and interfaces between pairs of components. It does not normally test all functions.
Attack surface
Exposure
STRIDE: Threat Modelling
Often used to assess threats against applications or operating systems. A threat categorisation scheme covering spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
Spoofing
An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against IP addresses, MAC addresses, usernames, system names, wireless network SSIDs, and other types of logical identification.
Tampering
Any action resulting in unauthorised changes to or manipulation of data, whether in transit or in storage. Tampering is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.
Repudiation
The ability of a user or attacker to deny having performed an activity.
Information disclosure
The revelation or distribution of private, confidential, or controlled information to external or unauthorised entities.
Elevation of privilege
An attack where a limited user account is transformed into an account with greater privileges/powers/access.
Examples of Security KPIs
Number of open vulnerabilities, time to resolve vulnerabilities, number of compromised accounts, number of software flaws detected in pre-production scanning, repeat audit findings, and user attempts to visit known malicious sites.
Vulnerability scans
Automatically probe systems, applications, and networks, looking for weaknesses that may be exploited.
Network discovery scanning
Uses a variety of techniques to scan a range of IP addresses, searching for systems with open ports.
TCP SYN Scanning
Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system is moving to the second phase in the three-way TCP handshake and that the port is open. TCP SYN scanning is also known as “half-open” scanning.
TCP Connect Scanning
Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.
TCP ACK Scanning
Sends a packet with the ACK flag set, indicating that it is part of an open connection.
Xmas Scanning
Sends a packet with the FIN, PSH, and URG flags set. It's "lit up" like a Christmas tree.
Passive Scanning
The user scans wireless networks to look for rogue devices, in addition to using an IDS.
Authenticated Scans
Use a read-only account to access configuration files.
Static Testing
Evaluates the security of software without running it by analysing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows.
Dynamic Testing
Evaluates the security of software in a runtime environment and is often the only option for organisations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of issues.
Fuzz Testing
Specialised dynamic testing technique that provides many different types of inputs to the software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities.
Mutation (Dumb) Fuzzing
Takes previous input values from actual operation of the software and manipulates (or mutates) them to create fuzzed input. For example, it might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Generational (Intelligent) Fuzzing
Develops inputs based on models of expected inputs to perform the same task. The zzuf tool automates the process of mutation fuzzing by manipulating input according to user specifications.
Misuse Case Testing
Software testers use this process (also called abuse case testing) to evaluate the vulnerability of their software to known risks.
Test Coverage Analysis
Method used to assess how well software testing covered the potential use of an application.
Interface Testing
Interface testing includes the hand-offs between separately developed modules. Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete.
Types of Interface Testing
- API Testing
- UI Testing
- Physical Interfaces
API Testing
Testing of APIs to ensure that they enforce all security requirements.
UI Testing
Reviews GUIs to verify that they function properly.
Physical Interfaces
Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world.
Unit Testing
Testing small pieces of software during a development stage by developers and QA. This ensures that quality units are furnished for integration into the final product.
Integration Level Testing
Focuses on the transfer of data and control across a program's interfaces.
System level testing
Demonstrates that all specified functionality exists and that the software product is trustworthy.
SOC Reports
Service organisation control report.
SOC 1 Report
Covers only internal controls over financial reporting.
SOC 2 Report
Design and OE (operating effectiveness). Verifies the security, integrity, privacy and availability controls in detail, for business partners and auditors.
SOC 3 Report
Shared with the broader community, often as a website seal. Supports an organisation's claims about its ability to provide CIA.
Type 1: A point in time, covering design.
Type 2: A period of time, covering design and OE.
Log Management System
Challenges include the volume of log data, network bandwidth, security of the data, the amount of effort needed to analyse it, and not having enough log sources.
OPSEC process
Understanding your day-to-day operations from the viewpoint of a competitor, enemy, or hacker, and then developing and applying countermeasures.
Penetration Testing
Testing of network security as a hacker would, to find vulnerabilities. Always get management approval first.
Port Scanner
Program that attempts to determine whether any of a range of ports is open on a particular device.
Ring Zero
Inner code of the OS. Reserved for privileged instructions by the OS itself.
War dialer
Dials a range of phone numbers, as in the movie WarGames.
Superzapping
System utility or application that bypasses all access controls and audit/logging functions to make updates to code or data.
Operational assurance
Verification that a system is operating according to its security requirements. This includes:
- Design and development reviews
- Formal modeling
- Security architecture
- ISO 9000 quality techniques
Piggybacking
When an unauthorised person goes through a door behind an authorised person.
Tailgating
An authorised person circumventing controls.
Supervisor mode
Processes running in the inner, protected ring.