Security Assessment and Testing Flashcards
Three Major Components of a Security Assessment Program
- Security tests
- Security assessments
- Security audits
Security tests
Security tests verify that a control is functioning properly - automated scans, tool-assisted penetration tests, and manual tests that attempt to undermine security. They should take place on a regular schedule, with attention paid to the security controls protecting the organization.
Security Assessments
Security assessments are comprehensive reviews of the security of a system, application or other tested environment. A risk assessment is performed and recommendations for remediation are made.
An assessment report, written in non-technical language, is addressed to management and contains the results of the assessment.
Security Audits
A security audit is similar to a security assessment but must be performed by independent auditors. Audits are performed to demonstrate the effectiveness of controls to a third party.
Auditors provide an impartial, unbiased view of the state of security controls
Three main types of audit:
- internal: completed by the internal audit function, whose reporting line is independent of the functions it evaluates. Usually reports to the CIO and the governing board.
- external: performed by an outside firm
- third-party: conducted by, or on behalf of, another organization, e.g. a regulatory body
Audit report types:
- Type I: a description of the controls provided by the organization, with the auditor's opinion based on that description
- Type II: covers a minimum six-month period and also includes the auditor's opinion; considered much more reliable because the controls are tested independently
Security Content Automation Protocol (SCAP)
Provided by NIST; a common framework for discussing and automating security information between different systems. Its components:
- Common Vulnerabilities and Exposures (CVE): a naming system for describing security vulnerabilities
- Common Vulnerability Scoring System (CVSS): a standardized scoring system for describing the severity of security vulnerabilities
- Common Configuration Enumeration (CCE): a naming system for system configuration issues
- Common Platform Enumeration (CPE): a naming system for operating systems, applications, and devices
- Extensible Configuration Checklist Description Format (XCCDF): a language for specifying security checklists
- Open Vulnerability and Assessment Language (OVAL): a language for describing security testing procedures
Vulnerability Scans
Vulnerability scans automatically probe systems, applications and networks looking for weaknesses that may be exploited by an attacker - point-and-click scans that don't require manual intervention.
Four main categories of vulnerability scans:
- Network Discovery Scans
- Network Vulnerability Scans
- Web Vulnerability Scans
- Database Vulnerability Scans
Network Discovery Scanning
Network discovery scans scan a range of IP addresses, searching for systems with open network ports. Only ports exposed through the network and server firewalls that lie on the network path between the scanner and the scanned system are visible.
TCP SYN Scanning: AKA half-open scanning. Sends a single packet to each scanned port with the SYN flag set, which indicates a request to open a new connection. If the response has the SYN and ACK flags set, the system is moving to the second phase of the three-way TCP handshake and the port is OPEN.
TCP Connect Scanning: opens a full connection to the remote system on the specified port. Used when the user running the scan does not have the necessary permissions to run a half-open scan, since most other scan types require the ability to send raw, handcrafted packets, which the user running the scanner may not be permitted to do.
TCP ACK Scanning: sends a packet with the ACK flag set, indicating that it is part of an open connection. This type of scan can be used to determine the rules enforced by a firewall and the firewall's methodology.
XMAS Scanning: sends a packet with the FIN, PSH, and URG flags set.
Nmap: the most common tool used for network discovery scanning; an open-source tool dating from 1997. (more detail in another flashcard)
Nmap
When nmap scans a system, it identifies the current state of each network port it detects on that system:
Open: the port is open on the remote system and there is an application actively accepting connections on that port.
Closed: the port is accessible on the remote system, meaning the firewall is allowing access, but there is no application accepting connections on that port.
Filtered: nmap is unable to determine whether the port is open or closed because a firewall is interfering with the connection attempt.
Common Network Ports
22/tcp open ssh: SSH is used to allow administrative connections to servers
80/tcp open http: indicates the system is accepting connection requests on port 80, which is used by the Hypertext Transfer Protocol to deliver web pages
443/tcp closed https: indicates a firewall rule exists to allow access to port 443 but no service is listening on that port. Port 443 is used by the HTTPS protocol to accept encrypted web server connections
Results: the system being scanned is probably a web server that is openly accepting connection requests from the scanning system. The firewalls between the scanner and the system are configured to allow both secure (443) and insecure (80) connections, but the server is not set up to actually perform encrypted transactions.
From an attacker's perspective: by pointing a browser at the server, one can get a good idea of what the server does and who operates it
- connections to this server are unencrypted, and eavesdropping on those connections, if possible, may reveal sensitive info
- the open SSH port is interesting: an attacker could attempt a brute-force password attack against admin accounts on that port to gain access to the system
Network Vulnerability Scanning
These go deeper than discovery scans: they probe systems for known vulnerabilities.
By default they run unauthenticated, but to reduce the number of false positives and false negatives they can run authenticated scans.
Web Vulnerability Scanning
Important because web application vulnerabilities may not be picked up by network vulnerability scans.
Recommended to run:
- when you first implement web vulnerability scanning, to detect any issues with legacy applications
- when you have new applications, before the code changes move into production
- on all applications on a recurring basis; when resources are limited you may have to schedule this based on the priority of the application. Recurring scans are sometimes required by compliance requirements.
Database Vulnerability Scanning
Scans that examine both databases and web applications for vulnerabilities that may affect database security.
sqlmap is a commonly used open-source database vulnerability scanner that allows security admins to probe web applications for database vulnerabilities.
Vulnerability Management Workflow
- Detection: the initial identification of a vulnerability, which normally takes place as the result of a vulnerability scan
- Validation: once a scanner detects a vulnerability, admins should confirm it to determine that it is not a false positive
- Remediation: validated vulnerabilities should then be remediated. This may include applying a vendor security patch, modifying a device configuration, implementing a workaround to avoid the vulnerability, or installing a web application firewall or other control that prevents exploitation of the vulnerability
Penetration Testing Phases
Planning: agreement upon the scope of the test and the rules of engagement. EXTREMELY IMPORTANT STEP to ensure both the testing and management teams are in agreement about the tests.
Information Gathering and Discovery: manual and automated tools are used to collect information about the target environment. Basic reconnaissance to determine system function, such as visiting websites hosted on the system and conducting network discovery scans to identify open ports.
Vulnerability Scanning: probes for system weaknesses using network vulnerability scans, web vulnerability scans and database vulnerability scans.
Exploitation: uses manual and automated exploit tools to attempt to defeat system security.
Reporting: summarizes the results of the penetration test and makes recommendations for improvements to system security.
Metasploit is a commonly used tool that automatically executes exploits against targeted systems; it uses a scripting language to allow the automatic execution of common attacks.
Hazards:
- time-consuming
- requires specialized resources
- may disrupt system access
- may corrupt data stored on systems
Industry Standard Testing Methodologies (used as references):
- OWASP Testing Guide
- OSSTMM
- NIST SP 800-115
- FedRAMP Penetration Test Guidance
- PCI DSS Information Supplement on Penetration Testing
Types of Penetration Tests
White Box Penetration Test: provides the testers with detailed information about the systems they target. This bypasses many of the recon steps that normally precede the attacks, shortening the time of the attack and increasing the likelihood that it will find security flaws.
Gray Box Penetration Test: AKA partial-knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of white box and black box penetration tests. This is particularly common when black box results are desired but cost or time constraints mean that some knowledge is needed to complete the testing.
Black Box Penetration Test: does not provide the testers with any information prior to the attack. This simulates an external attacker who must gain information about the business and technical environment before launching an attack.