Security Assessment & Testing Flashcards
Security Assessment and Testing Objectives
- Audits
- Vulnerability Assessments
- Penetration Testing
- Log Reviews
- Intrusion Detection and Prevention
- Host-based IDS
- Network-based IDS
- Analysis Engines
InfoSec Audit Process
Objectives of the audit:
- provide actionable information to Senior Management
- involve the correct business unit leaders to ensure the needs of the business are identified and addressed
- determine the scope (not everything can be tested)
- choose the audit team (internal & external) dependent on goals, scope, budget and available expertise
- plan the audit to ensure all goals are met on time and on budget
- conduct the audit while sticking to the plan and documenting any deviations
- document the results
- communicate the results to the right leaders to drive change as needed
Internal Auditors
Pros:
- cheaper
- auditors are familiar with inner workings of the company
- allows the organization to be more agile in its assessment efforts
Cons:
- limited exposure to other approaches to both securing and exploiting information systems
- potential conflict of interest
External Auditors
Pros:
- experience testing other organizations
- unaware of the internal dynamics and politics of the target organization
Cons:
- cost
Note: signing a nondisclosure agreement is almost always a prerequisite before an external team is permitted to audit an org’s systems
SOC Reports
Service Organizational Control documents
Service Organizations are replacing traditional in-house functions (e.g. payroll, medical claims, HR, document, workflow and tax processing)
SOC for Service Organizations help service providers build trust and confidence in their services and controls
SOC 1: financial controls
SOC 2 & 3: trust services (security, availability, confidentiality, process integrity and privacy) - for existing customers with private information
SOC 3: gives you the most assurance because it is publicly available
Vulnerability Assessments
A passive evaluation of security posture that determines whether known weaknesses exist
Audits measure degree of compliance. Assessments look for known flaws (unauthorized hosts, vulnerable services, weak passwords, default or misconfigured settings)
Assessors do not correct problems; they assess and report
Vulnerability assessments should only be conducted with senior management’s approval in writing
Types:
1. Personnel testing: includes reviewing employee tasks and identifying vulnerabilities in the standard practices and procedures
2. Physical testing: review of facility and perimeter protection mechanisms, e.g. does an alarm sound if a door is held open too long?
3. System and network testing: automated scanning product identifies known system vulnerabilities
Vulnerability Scans
Footprint the network
Objective: probe systems, applications and networks to look for any weaknesses that may be exploited by an attacker
Two kinds: discovery scans and vulnerability scans
Network Discovery Scans
Fingerprint the Operating System
Scan a range of IP addresses, searching for systems with open network ports (Nmap commonly used), and note which services each system runs, e.g. Kerberos, DNS (most desirable)
TCP SYN Scanning: sends a single packet to each scanned port with the SYN flag set
TCP Connect Scanning: opens a full connection to the remote system on the specified port
TCP ACK Scanning: sends a packet with the ACK flag set, indicating that it is a part of an open connection
Xmas/Xmas Tree scanning: sends a packet with the FIN, PSH and URG flags set to 1
NMAP
A tool used for network discovery scanning, and provides a good amount of information
STUDY THIS MORE!!!!
Web Application Assessments
Web vulnerability scanning tools provide focused testing for web applications
Objective:
- scan all applications when you begin performing web vulnerability scanning for the first time. This will detect issues with legacy applications
- scan any new application before moving it into a production environment for the first time
- scan any modified application before the code changes move into production
- scan all applications on a recurring basis
- fuzzing is the term for testing applications for lack of input validation and other known flaws
Biggest concern: code injection. Scanning makes sure proper input validation is in place so that nothing malicious comes in, i.e. people aren’t able to enter information that could hurt the backend system
Penetration Testing
Penetration Testing is an active, potentially intrusive process of simulating attacks on a network
- uses a set of procedures and tools designed to test and possibly bypass the security controls of a system
- the goal is to measure an organization’s level of resistance to an attack and to uncover any weaknesses within the environment
- it emulates the same methods attackers would use
- it should only be conducted with senior management’s approval in writing
Three Basic Requirements:
- meet with senior executive leadership to determine the goal of the assessment
- document rules of engagement
- get sign off from senior management
Rules of Engagement
- specific IP addresses/ranges to be tested along with any restricted hosts
- a list of acceptable testing techniques
- times when testing is to be conducted
- points of contact for the pentest team, the targeted systems and networks
- measures to prevent law enforcement being called with false alarms
- handling of information collected by pentest team
Penetration Testing Steps
- footprinting and gathering information about the target
- enumeration: performing port scans and resource identification methods
- vulnerability mapping: identifying vulnerabilities in identified systems and resources
- exploitation: attempting to gain unauthorized access by exploiting vulnerabilities
- report to management: delivering to management documentation of test findings along with suggested countermeasures
Degrees of Knowledge
Zero Knowledge: the team does not have any knowledge of the target and must start from ground zero
Partial knowledge: the team has some information about the target
Full knowledge: the team has intimate knowledge of the target
Blind test: assessors have only publicly available data to work with. The network security staff is aware that this type of test will take place.
Double-blind: a blind test for the assessors, and the network security staff is not notified.
Targeted tests: focused tests on specific areas of interest. For example, before a new application is rolled out, the team might test it for vulnerabilities before installing it into production
Log Reviews
Examination of system log files to detect security events or to verify the effectiveness of security controls
Ensure that time is standardized across all networked devices. The Network Time Protocol (NTP) version 4, described in RFC 5905, is the industry standard for synchronizing computer clocks between networked devices
By default, most log files are stored locally on the corresponding device. The challenge with this approach is that it makes it more difficult to correlate events across devices to a given incident