Security Testing Flashcards

1
Q

Explain what a vulnerability is?

A

A characteristic or property of a system that can be exploited to access functionality, information or resources that should not be available.

2
Q

Explain what a threat is?

A

Some possible danger that could lead to a vulnerability being exploited.

3
Q

Explain what a risk is?

A

The impacts to an organization that arise due to threats.

4
Q

Define the term Security Testing

A

Identifying vulnerabilities and ensuring mitigation of risks and threats.

Building trust in critical infrastructures.

Building on past experience of others.

  • Libraries of attacks and exploits.
  • Historical records of what has worked.

Using a variety of techniques, from testing through to audit, to provide defense in depth.

5
Q

Why is mobile and web security so important for organizations?

A

Many attack vectors.

Many devices, not always up to date.

Powerful capabilities on the device.

Significant integration with cloud/servers.

6
Q

What are some potential countermeasures of an organization to protect mobile and web systems?

A

Protections at OS and browser level.

Protection in communication protocols.

Resource monitoring, network monitoring.

Manufacturer surveillance.

User awareness. Security training.

7
Q

What are some features of Android OS that provide some security?

A

Unix file directory and permission model.

Process memory isolation and memory protection.

Filesystem encryption.

App restrictions.

Digital rights.

8
Q

What are Signed Apps?

A

Signed with the developer's private key. On Android and iPhone, apps must be signed to appear in the market.

Manual approval reduces chances of rogue apps.

Apps bought on official stores are generally thought to have been audited.

9
Q

What are some problems with Android regarding apps?

A

Apps can ask for too many permissions, which the user may inadvertently approve or not understand.

Updates to apps may change permissions.

Spammy apps: resist install, show ads styled like the system/OS UI, etc.

10
Q

Define Security through Obscurity?

A

Relying on the fact that attackers don't know something needed to harm you.

Example: a file containing all the passwords of a system, relying on attackers not knowing it is there.

Attack example: guessing common file/folder names or commands to see what happens.

11
Q

Define methods of Secure authentication

A

Force users to log in to your system before performing sensitive actions.

Use secure protocols (HTTPS, etc.) to prevent sniffing.

Force users to use strong passwords.

12
Q

Define Principle of Least Privilege?

A

Granting just enough authority to get the job done, not more! E.g., don't run code as root unless really necessary.

Turn off unnecessary services on your server:

  • SSH, VNC, sendmail…
  • Close all ports except 80, and any others needed for web traffic.
13
Q

How do you sanitize inputs?

A

Encoding and filtering untrusted user input before accepting it into a trusted system.

Encode/sanitize input text that is displayed back to the user.

  • Check type, format, length.
  • Disallow entry of bad data into a graphical form.
  • Remove any SQL code from submitted user names.
14
Q

How can you help make sure the code you are writing is secure?

A

Before coding:
- Consider security in design.

While coding:

  • Code reviews
  • Security audits
  • Pair programming

After code is written:

  • Walkthroughs
  • System security audits
  • System/functional security testing
  • Penetration tests.
15
Q

What is a Security Audit?

A

Series of checks and questions to assess the security of your system.

  • Can be done externally or internally.
  • Best if done as a process, not as an individual event.
16
Q

What is a penetration test?

A

Targeted white hat attempt to compromise your system's security.

17
Q

What is risk analysis?

A

Assessment of relative risks of what can go wrong if security is compromised.

18
Q

Define the OWASP top 10 issues for mobile apps that talk to web apps.

A
  1. Identify and protect sensitive data on the mobile device.
  2. Handle password credentials securely on the device.
  3. Ensure data is protected in transit.
  4. Implement user authentication and session management properly.
  5. Keep back-end APIs (services) and platform (server) secure.
  6. Integrate data with third-party apps securely.
  7. Pay attention to collection and storage of consent for collection and use of user data.
  8. Implement controls to prevent unauthorized access to paid-for resources.
  9. Ensure secure distribution/provisioning of mobile apps.
  10. Check runtime interpretation of code for errors.
19
Q

What is a man in the middle attack?

A

An unauthorized third party can hear web traffic on its hops between client and server.

Should use the HTTPS secure protocol, built on Secure Sockets Layer (SSL).

20
Q

What is a denial of service attack?

A

Attacker causes a web server to be unavailable.

How:

  • Frequent requests for many pages from a web site (a DDoS would use multiple systems for this).
  • Server cannot handle so many requests at a time, so it melts down (or becomes slow).

Problems that arise:

  • Users cannot get to your site.
  • Loss in revenue.
  • Server may crash and corrupt data.
  • All the bandwidth may cost you a lot.
21
Q

What is packet sniffing?

A

Listening to traffic sent on a network.

  • Many protocols (HTTP, AIM, email) are insecure against this.
  • If an attacker is on the same LAN as you, they can:
    1. Read your emails/IMs as you send them.
    2. See what pages you view.
    3. Grab your password as it's being sent.

What can you do:

  • Encrypt.
  • Use secure protocols (SSH, HTTPS).
22
Q

What is password cracking?

A

Guessing the password of privileged users of your system.

Brute force: attacker sequentially tries every possible password.
Dictionary: uses software that sequentially tries passwords based on words in a file (dictionary).

What can you do?

  • Force users to have secure passwords.
  • Block IPs from logging in after N failed attempts.
23
Q

What is Phishing?

A

Masquerading mails or web sites. Related to social engineering: attempting to manipulate others to fraudulently acquire passwords or other sensitive information.

  • If trusted users are compromised, attackers can log in as those users and compromise your entire system.
24
Q

How can one gain elevated privileges?

A

A flaw in your system allows an attacker to gain elevated permissions and wreak havoc.

25
Q

What is cross-site scripting (XSS)?

A

One person's script code is executed when a user browses another site.

How:

  • Attacker finds insecure code on the target site.
  • Attacker uses the hole to inject JavaScript into the page.
  • User visits the page and receives the malicious script code.
26
Q

What is SQL injection?

A

Causing undesired SQL queries to be run on your database.

  • Often happens when untrusted input is pasted into a query.
    E.g., asked to specify a user name, you actually supply a piece of SQL code.
27
Q

What can you do by viewing source?

A

Look for:

  • HTML comments
  • Script code
  • Other sensitive information: IP/email addresses, SQL queries, hidden fields.

Watch HTTP requests/responses:
- Look for hidden pages, files, parameters to target.

Error messages sent to your browser by the application.

28
Q

What is the difference between GET and POST?

A

GET: parameters contained in the request URL.
POST: parameters contained in the HTTP packet header.

Forms provide rich attack environments for this.

29
Q

What is Form Validation?

A

Examining parameters to make sure they are acceptable before/as they are submitted.
- Non-empty, alphabetical, numeric, length.

Client side: HTML/JS checks values before the request is sent.
Server side: JSP/Ruby/PHP checks values received.

Some validation is done by restricting a user's choice:

  • Event listeners that erase certain key presses.
  • maxlength attributes.
  • Select boxes.
30
Q

What are user input attacks?

A

Bypassing client-side input restrictions and validation.