Domain 6 - Security Assessment and Testing

This document discusses security assessment and testing, which involves evaluating information assets and infrastructure to identify and mitigate risks. It covers vulnerability assessments, penetration testing, code review, and other techniques. Key terms defined include dynamic testing, fuzzing, penetration testing, static testing, and synthetic transactions. The document also discusses penetration testing methodology and tools, as well as the importance of security audits and reviewing security audit logs.

Uploaded by Ngoc Do

Domain 6: Security Assessment and Testing


Domain 6: Overview
Security assessment and testing involves:
• The evaluation of information assets and associated infrastructure
• Using various tools and techniques for the purpose of identifying and mitigating risk
• Addressing risk that arises from architectural issues, design flaws, configuration errors, hardware and software vulnerabilities, coding errors, and any other weaknesses
CISSP candidates:
• Should be capable of validating assessment and test strategies and of carrying out those strategies using various techniques.
• Will be tested on vulnerability assessments, penetration testing, synthetic transactions, code review and testing, misuse case testing, and interface testing.
Domain 6: Security Assessment and Testing
• Assessing Access Control
• Software Testing Methods

Unique Terms & Definitions:
• Dynamic Testing – Tests code while executing it
• Fuzzing – A type of black box testing that submits random, malformed data as inputs into software programs to determine if they will crash
• Penetration Testing – Authorized attempt to break into an organization’s physical or electronic perimeter (and sometimes both)
• Static Testing – Tests code passively: the code is not running
• Synthetic Transactions – Also called synthetic monitoring; involves building scripts or tools that simulate activities normally performed in an application
Penetration Testing - Black Hats and White Hats
• Black hat attackers are malicious hackers, sometimes called crackers
  • “Black” derives from villains in fiction: Darth Vader wore all black
  • They lack ethics, sometimes violate laws, and break into computer systems with malicious intent; they may violate the confidentiality, integrity, or availability of an organization’s systems and data
• White hat hackers are the “good guys”
  • Professional penetration testers who break into systems with permission
  • Malware researchers who study malicious code to provide better understanding and ethically disclose vulnerabilities to vendors, etc.
  • Also known as ethical hackers; they follow a code of ethics and obey laws
• Gray hat hackers fall somewhere between black and white hats
  • They exploit a security weakness in a computer system or product in order to bring the weakness to the attention of the owners
  • Unlike a black hat, a gray hat acts without malicious intent
  • The goal of a gray hat is to improve system and network security
Penetration Testing
• A penetration tester is a white hat hacker who receives authorization to attempt to break into an organization’s physical or electronic perimeter (and sometimes both)
• Penetration tests (called “pen tests” for short) are designed to determine whether black hat hackers could do the same
• A pen test is a narrow test
• Penetration tests may include the following tests:
  • Network (Internet)
  • Network (internal or DMZ)
  • Wardialing
  • Wireless
  • Physical (attempt to gain entrance into a facility or room)
• Network attacks may leverage client-side attacks, server-side attacks, or Web application attacks
Penetration Testing
• War dialing uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone (the penetration tester then attempts to access the answering system); the name derives from the 1983 movie WarGames
• Social engineering uses the human mind to bypass security controls
  • May be used in combination with many types of attacks, especially client-side attacks or physical tests
  • An example of a social engineering attack combined with a client-side attack is emailing malware with a subject line of “Category 5 Hurricane is about to hit Florida!”
  • A physical social engineering attack might be used to tailgate an authorized user into a building
Penetration Testing
• A zero-knowledge (also called black box) test is “blind”; the penetration tester begins with no external or trusted information, and begins the attack with public information only
• A full-knowledge test (also called crystal-box) provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers
• Partial-knowledge tests are in between zero and full knowledge: the penetration tester receives some limited trusted information
• Most penetration tests have a scope that includes a limitation on the time spent conducting the test
Penetration Testing Tools and Methodology
• Penetration testing tools:
  • Open source: Metasploit (http://www.metasploit.org)
  • Closed source: Core Impact (http://www.coresecurity.com) and Immunity Canvas (http://www.immunitysec.com)
  • Top 125 Network Security Tools (http://sectools.org/)
  • Custom tools
Penetration Testing Tools and Methodology
• Penetration testers use the following methodology: [methodology diagram not reproduced in this text]
• Black hat hackers typically follow a similar methodology
• Black hats will also cover their tracks (erase logs and other signs of intrusion), and frequently violate system integrity by installing back doors (in order to maintain access)
Assuring Confidentiality, Data Integrity, and System Integrity
• Penetration testers must ensure the confidentiality of any sensitive data that is accessed during the test
  • Testers will often request that a dummy file containing no regulated or sensitive data (sometimes called a flag) be placed in the same area of the system as the sensitive data (for example, credit card data) and protected with the same permissions
  • If the tester can read and/or write to that file, then they prove they could have done the same to the real data
• Penetration testers must ensure the system integrity and data integrity of their client’s systems
• There is a risk of encountering signs of a previous or current successful malicious attack; how this will be handled should be discussed before starting the test
Vulnerability Testing
• Vulnerability scanning (also called vulnerability testing) scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching
  • Tools: Nessus (http://www.nessus.org), OpenVAS (http://www.openvas.org), Qualys, and Rapid7 Nexpose
  • Typical findings: missing patches and configuration errors
  • Severity is commonly rated with the Common Vulnerability Scoring System (CVSS) - https://nvd.nist.gov/cvss.cfm
Log Review
• A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls.
• Systems need constant tuning in response to the ever-changing threat landscape.
• Standardize and synchronize log timestamps using NTP.
• SIEM: enables the centralization, correlation, analysis, and retention of event data in order to generate automated alerts.
Log Review - Preventing Log Tampering
• Remote logging
• Simplex (one-way) communication to the log collector
• Replication
• Write-once media
• Cryptographic hash chaining
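To make the last bullet concrete, here is an added example (not from the original slides) of hash-chaining audit records and verifying the chain; the record layout, the event fields and the use of SHA-256 are my own assumptions for the demo.

```python
import copy
import hashlib
import json

# Constructed audit events for the demo (not taken from any real system).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-01-01T10:05:12Z", "user": "alice", "action": "read", "object": "/finance/q4.xlsx"},
    {"ts": "2024-01-01T10:07:45Z", "user": "bob", "action": "login", "result": "failure"},
]
GENESIS = "0" * 64   # fixed anchor hash for the first record

def _digest(prev_hash: str, event: dict) -> str:
    """Hash the predecessor's hash together with the event's canonical JSON."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def build_chain(events: list) -> list:
    """Each record stores the hash of the record before it, so editing or
    deleting an entry invalidates every later hash."""
    chain, prev = [], GENESIS
    for ev in events:
        h = _digest(prev, ev)
        chain.append({"event": copy.deepcopy(ev), "prev": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain: list, expected_head=None) -> tuple:
    """Return (ok, index of first bad record or -1). expected_head is the
    latest hash kept out-of-band (remote log server, write-once media):
    a purely local check cannot notice a truncated or fully re-hashed chain."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or _digest(prev, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, -1

def tamper_demo() -> tuple:
    """Detect an in-place edit of record 1 and the removal of the last record."""
    good = build_chain(SAMPLE_EVENTS)
    head = good[-1]["hash"]                       # head hash stored off-box
    edited = copy.deepcopy(good)
    edited[1]["event"]["object"] = "/public/readme.txt"
    truncated = good[:-1]
    return verify_chain(edited, head), verify_chain(truncated, head)
```

Chaining alone only detects tampering; an attacker with write access to the log can recompute every hash, which is why the head hash (or the whole chain) must also reach a remote or write-once store, as the other bullets list.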
Security Audits
• Testing against a published standard
  • PCI-DSS compliance
  • SSAE SOC 2 Type 1 and SOC 2 Type 2
• The purpose is to validate/verify that an organization meets the requirements as stated in the published standard
Security Assessments
• A holistic approach to assessing the effectiveness of access control
• Broad scope
• Security assessments view many controls across multiple domains, and may include the following:
  • Policies, procedures, and other administrative controls
  • Assessing the real-world effectiveness of administrative controls
  • Change management
  • Architectural review
  • Penetration tests
  • Vulnerability assessments
  • Security audits
Security Assessments
• Key words… “assessing the effectiveness”
• Where there are gaps in control (weakness/vulnerability), what are the applicable threats?
• Vulnerabilities + Threats = Likelihoods & Impacts = RISK
Internal and 3rd-Party Audits
• Internal audit
  • Structured audits – external audience, validate compliance, etc.
  • Unstructured audits – internal audience, improve security, etc.
• 3rd-party audits
  • Experts (hopefully)
  • Adds credibility
  • Teach
Security Audit Logs
• According to “Five mistakes of Log Analysis” by Anton Chuvakin (see http://www.computerworld.com/s/article/96587/Five_mistakes_of_log_analysis), audit record management typically faces five distinct problems:
  • Logs are not reviewed on a regular and timely basis.
  • Audit logs and audit trails are not stored for a long enough time period.
  • Logs are not standardized or viewable by correlation toolsets—they are only viewable from the system being audited.
  • Log entries and alerts are not prioritized.
  • Audit records are only reviewed for the “bad stuff.”
Security Audit Logs
• Reviewing security audit logs within an IT system is one of the easiest ways to verify that access control mechanisms are performing adequately
• Reviewing audit logs is primarily a detective control
• According to NIST Special Publication 800-92 (http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf), the following log types should be collected:
  • Network Security Software/Hardware:
    • Antivirus logs
    • IDS/IPS logs
    • Remote Access Software (such as VPN logs)
    • Web proxy
    • Vulnerability management
    • Authentication servers
    • Routers and firewalls
Security Audit Logs
• According to NIST Special Publication 800-92 (http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf), the following log types should be collected:
  • Operating System:
    • System events
    • Audit records
  • Applications:
    • Client requests and server responses
    • Usage information
    • Significant operational actions
Security Audit Logs – Centralized Logging
• Assists in log retention (sufficient for legal/regulatory compliance and investigation)
• Assists in log protection (integrity & availability)
• SIEM
  • Log protection
  • Log aggregation
  • Log correlation
  • Dashboard reporting
Software Testing Methods
• Static testing tests the code passively: the code is not running. This includes walkthroughs, syntax checking, and code reviews.
• Dynamic testing tests the code while executing it.
• White box software testing gives the tester access to program source code, data structures, variables, etc.
• Black box testing gives the tester no internal details: the software is treated as a black box that receives inputs.
• A Traceability Matrix (sometimes called a Requirements Traceability Matrix, or RTM) can be used to map the customer’s requirements to the software testing plan: it “traces” the “requirements” and ensures that they are being met.
• Fuzzing (also called fuzz testing) is a type of black box testing that enters random, malformed data as inputs into software programs to determine if they will crash.
• Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs.
Software Testing Methods
• Static testing tests the code passively: the code is not running. This includes walkthroughs, syntax checking, and code reviews.
  • Analysis of computer software that is performed without actually executing programs
  • In most cases the analysis is performed on some version of the source code, and in the other cases on some form of the object code
  • List of tools for static code analysis (https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis)
Software Testing Methods
• Traceability Matrix (or Requirements Traceability Matrix, RTM) [matrix figure not reproduced in this text]
Software Testing Levels
• Unit Testing: Low-level tests of software components, such as functions, procedures or objects
• Installation Testing: Testing software as it is installed and first operated
• Integration Testing: Testing multiple software components as they are combined into a working system. Subsets may be tested, or Big Bang integration testing tests all integrated software components
• Regression Testing: Testing software after updates, modifications, or patches
• Acceptance Testing: Testing to ensure the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called User Acceptance Testing.
Fuzzing
• Black box testing that enters random, malformed data as inputs into software programs to determine if they will crash.
• Typical causes are boundary checking issues, leading to possible buffer overflows
• Typically automated, repeatedly presenting random input strings as command line switches, environment variables, and program inputs
• List of good fuzzers: http://sectools.org/tag/fuzzers/
• Burp Suite: https://portswigger.net/burp/
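As an added example that is not part of the original slides, a minimal mutation fuzzer run against a constructed record parser with exactly the boundary-checking defect described above, next to the corrected parser; the record format, both parsers and the mutation strategy are assumed for the demo.

```python
import random

# Constructed record format for the demo: LEN(1) | TYPE(1) | PAYLOAD(LEN) | CHECK(1)
SEED = bytes([2, 1, 0x68, 0x69, (0x68 + 0x69) % 256])   # one valid record, payload b"hi"

def parse_record(buf: bytes) -> dict:
    """Trusts the LEN byte without checking the buffer size (the boundary bug)."""
    if len(buf) < 3:
        raise ValueError("too short")
    length, rtype = buf[0], buf[1]
    payload = buf[2:2 + length]
    check = buf[2 + length]             # IndexError when LEN overstates the data
    if sum(payload) % 256 != check:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

def parse_record_fixed(buf: bytes) -> dict:
    """Same parser with the bounds check the fuzzer forces you to add."""
    if len(buf) < 3 or len(buf) < 3 + buf[0]:
        raise ValueError("truncated record or LEN exceeds buffer")
    return parse_record(buf)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random edits: bit flip, byte insert, byte delete, truncate."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete", "truncate"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif not data:
            continue
        elif op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del data[rng.randrange(len(data))]
        else:
            del data[rng.randrange(len(data)):]
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {exception name: first reproducing input}. ValueError is the
    parser's expected rejection of bad input; anything else is a crash."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes
```

In a memory-unsafe language the same missing check is where the buffer overflow the slide mentions would come from; here the interpreter turns it into an IndexError, which is what the harness records.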
Other Software Testing Terms
• Misuse Case Testing - derived from, and the inverse of, use case testing; describes the process of executing a malicious act against a system, while a use case can describe any action taken by the system
Auditing Administrative Controls
• Account Management – Hackers compromise a normal account, then try to become privileged users by:
  • Attacking privileged credentials
  • Creating privileged credentials
  • Elevating to privileged credentials
• Account management controls, both technical and administrative, mitigate these attacks
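An added example (not from the slides) showing how the three escalation paths above can be turned into detection logic run over log lines; the lines are constructed for the demo and modelled on common Linux sshd, sudo and shadow-utils messages, and the approved-admin list, privileged group names and threshold are assumptions.

```python
import re

# Constructed syslog-style lines for the demo (no real host, user or address).
SAMPLE_LOG = """\
Jan  1 10:00:01 host sshd[2001]: Failed password for root from 10.0.0.5 port 50001 ssh2
Jan  1 10:00:03 host sshd[2001]: Failed password for root from 10.0.0.5 port 50002 ssh2
Jan  1 10:00:05 host sshd[2001]: Failed password for root from 10.0.0.5 port 50003 ssh2
Jan  1 10:01:00 host sshd[2010]: Accepted password for carol from 10.0.0.5 port 50010 ssh2
Jan  1 10:01:30 host sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/useradd svc_backup
Jan  1 10:01:31 host useradd[2020]: new user: name=svc_backup, UID=0, GID=1005, home=/home/svc_backup, shell=/bin/bash
Jan  1 10:02:00 host sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo carol
Jan  1 10:02:01 host usermod[2021]: add 'carol' to group 'sudo'
Jan  1 10:05:00 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

APPROVED_ADMINS = {"alice"}                  # assumed: accounts allowed to use sudo
PRIVILEGED_GROUPS = {"sudo", "wheel", "root"}
FAILURE_THRESHOLD = 3                        # failed root logins per source before alerting

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?COMMAND=(.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+)")
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(\S+)' to group '(\S+)'")

def detect(log_text: str) -> list:
    """Map log lines onto the three escalation paths (attacking, creating and
    elevating to a privileged credential); returns (category, detail) tuples."""
    findings, failures = [], {}
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            user, src = m.groups()
            failures[(user, src)] = failures.get((user, src), 0) + 1
            if user == "root" and failures[(user, src)] == FAILURE_THRESHOLD:
                findings.append(("attacking", f"{FAILURE_THRESHOLD} failed root logins from {src}"))
        elif m := USERADD_RE.search(line):
            name, uid = m.groups()
            if uid == "0":                   # a second root-equivalent account
                findings.append(("creating", f"new UID 0 account {name}"))
        elif m := USERMOD_RE.search(line):
            name, group = m.groups()
            if group in PRIVILEGED_GROUPS:
                findings.append(("elevating", f"{name} added to group {group}"))
        elif m := SUDO_RE.search(line):
            actor, cmd = m.groups()
            if actor not in APPROVED_ADMINS:
                findings.append(("elevating", f"sudo by unapproved account {actor}: {cmd}"))
    return findings
```

The administrative half of the control is the APPROVED_ADMINS list itself: the rule only works if the list is reviewed as part of the account management audit.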
Auditing Administrative Controls
• Backup Verification – need to periodically test to ensure that the backups will work when needed
Other Software Testing Terms
• Test Coverage Analysis - Test or code coverage analysis attempts to identify the degree to which code testing applies to the entire application. The goal is to ensure that there are no significant gaps where a lack of testing could allow for bugs or security issues to be present that otherwise should have been discovered.
• Interface Testing – testing of all interfaces exposed by the application. From a security-oriented vantage point, the goal is to ensure that security is uniformly applied across the various interfaces. This type of testing exercises the various attack vectors an adversary could leverage.
• Combinatorial software testing - a black-box testing method that seeks to identify and test all unique combinations of software inputs.