Domain_06: Security Assessment
and Testing
-
Security Management Oversight
-
Log reviews
-
Network Time Protocol (NTP)
- Should synchronize across entire network to have correct
and consistent time in logs and device traffic flows.
- Should synchronize across entire network to have correct
-
Preventing Log Tampering
-
Remote logging
-
Simplex communication
-
Replication
-
Write-once media
-
Cryptographic hash chaining
-
-
-
Account management reviews
-
Account Management
-
Adding Accounts
-
Modifying Accounts
- privilege accumulation
-
Suspending Accounts
-
-
-
Backup verification
-
Types of Data
-
User Data Files
-
Databases
-
Mailbox Data
-
-
Verification
-
• Develop scenarios that capture specific sets of events that are representative of the threats facing the organization.
-
• Develop a plan that tests all the mission-critical data backups in each of the scenarios.
-
• Leverage automation to minimize the effort required by the auditors and ensure tests happen periodically.
-
• Minimize impact on business processes of the data backup test plan so that it can be executed regularly.
-
• Ensure coverage so that every system is tested, though not necessarily in the same test.
-
• Document the results so you know what is working and what needs to be worked on.
-
• Fix or improve any issues you documented.
-
-
-
Key performance and risk indicators
-
KRIs are selected for their impact on the decisions of the senior leaders in the organization
-
Key Performance Indicators
-
terms
-
• Factor
-
• Measurement
-
• Baseline
-
• Metric
-
• Indicator
-
-
process
-
- Choose the factors that can show the state of our security.
-
- Define baselines for some or all of the factors under consideration.
-
- Develop a plan for periodically capturing the values of these factors, and fix the sampling period.
-
- Analyze and interpret the data.
-
- Communicate the indicators to all stakeholders.
-
-
-
-
-
Security Process Data
-
Employment Polices and Practices
- Termination process and background checks
-
Roles and Responsibilities
- Management sets the standard and verbalizes the policy
-
Security Awareness Training
-
Social Engineering
-
Online Safety
-
Data Protection
-
Culture
-
-
-
Security Controls Testing
-
Unit testing
-
Interface testing
-
API Interface
- API Interface is a way for different software programs to communicate with each other
-
User Interface
- User Interface testing focuses on assessing the security of the visual elements that users interact with, such as buttons, menus, and forms.
-
Regression Testing
-
Regression testing is a type of software testing that ensures changes in the code do not affect existing functionalities.
-
It involves re-testing the software after modifications to identify any new bugs or issues that may have been introduced.
-
This type of testing is crucial for maintaining the quality and stability of the software throughout its development lifecycle.
-
-
-
Integration testing
- Integration testing is the phase where individual modules are combined and tested as a group to ensure they work together correctly.
-
System testing
-
Acceptance Testing
-
Acceptance testing is the final phase of testing before the software is released to the customer.
-
It involves executing the software under realistic conditions to ensure that it meets the customer's requirements.
-
Acceptance testing is usually performed by end-users to validate that the software is ready for production use.
-
-
-
Software Development Security Best Practices
-
WASC - Web Application Security Consortium
-
OWASP - Open Web Application Security Project
-
BSI- the Build Security In initiative
-
IEC - The International Electrotechnical Commission
-
-
Website Monitoring
-
Passive Monitoring
-
- It analyses actual network trrafic sent to website by capturing as it travels over the n/w or reach the server - Real User Monitoring (RUM)
-
-
Synthetic Monitoring
- Active monitoring - perform artificial transaction against a website to access performance
-
-
Security Assessments and Testing
-
Vulnerability Assessments
-
Testing stages
-
Reconnaissnace
-
Enumeration
-
Vulnerability Analysis
-
Execution
-
Document Findings
-
-
Testing Techniques
-
Internal Testing
-
External Testing
-
-
Approach
-
Blind testing
-
Double-blind testing
-
-
Knowledge
-
Zero Knowledge (black box)
-
Partial Knowledge (gray box)
-
Full Knowledge (white box)
-
-
Vulnerability Management
-
Vulnerability Scanning
-
Network Discovery Scanning
-
TCP SYN Scanning
-
TCP Connect Scanning
-
TCP ACK Scanning
-
UDP Scanning
-
Xmas Scanning
-
Null Scan
-
FIN Scan
-
-
-
-
Penetration Testing
-
Penetration Testing
-
Process:
-
Penetration Testing
-
Planning
- Scope of test, Mgmt Approval , Jail freecard
-
Information Gathering
- Network Discovery, Scan Enumeration,
-
Vulnerability Scanning
- Network/web Vulnerabilty Scanning
-
Exploitation
-
Reporting
-
-
-
varying degrees of knowledge
-
• Zero knowledge The team does not have any knowledge of the target and must start from ground zero.
-
• Partial knowledge The team has some information about the target.
-
• Full knowledge The team has intimate knowledge of the target.
-
-
-
Penetration tests Strategies
-
War Dialing
- attempts to attack the systems via dialing all the phone numbers in an exchange
-
Sniffing
- passively monitors network traffic for network knowledge, such as passwords.
-
Eavesdropping
- involves listening to phone conversations
-
Dumpster Diving
- btains passwords and corporate directories by searching through discarded media.
-
Social Engineering
-
Radiation monitoring
-
-
Types
-
White-Box Penetration Test
- Provides the attackers with detailed information about the systems they target. This bypasses many of the reconnaissance steps that normally precede attacks, shortening the time of the attack and increasing the likelihood that it will find security flaws. These tests are sometimes called “known environment” tests.
-
Gray-Box Penetration Test
- Also known as partial knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of white-and black-box penetration tests. This is particularly common when black-box results are desired but costs or time constraints mean that some knowledge is needed to complete the testing. These tests are sometimes called “partially known environment” tests.
-
Black-Box Penetration Test
- Does not provide attackers with any information prior to the attack. This simulates an external attacker trying to gain access to information about the business and technical environment before engaging in an attack. These tests are sometimes called “unknown environment” tests.
-
-
Forms of Testing
-
Blind testing
-
Full-knowledge testing
-
Partial-knowledge testing
-
-
Double-blind testing
-
Targeted testing
-
-
Post-Pen Testing
-
-
Software Testing
-
Testing Techniques
-
Methods And Tools
-
Manual testing
-
Automated Testing
-
-
Runtime
-
Static Application Security Testing (SAST)
-
Dynamic Application Security Testing (DAST)
-
Fuzz Testing
-
Fuzzing is a software testing technique where automated tools input random data to find vulnerabilities in a program.
-
Mutation (Dumb) Fuzzing
- Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
-
Generational (Intelligent) Fuzzing
- Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
-
-
-
Code review
-
Black Box Testing
-
White Box testing
-
-
Test Types
-
Positive testing
-
Negative testing
-
Misuse Case Testing
-
Misuse case testing focuses on evaluating how the system handles intentional misuse or abuse by users.
-
It involves identifying potential attacks, determining the system's vulnerabilities, and testing its ability to withstand malicious actions.
-
By simulating attacks and exploiting weaknesses, misuse case testing helps improve the overall security of the software.
-
-
-
Test Coverage Analysis
-
Criteria for Test Coverage
-
Branch Coverage
- Statement executed under all If and Else condition
-
Condition Coverage
- Has every logic test in the code been executed under all sets of inputs
-
Function Coverage
- Has every functions in the code been called and returned result
-
Loop Coverage
- Has every loop in the code has been executed under condition that cause code execution multiple times, only ince and not at all?
-
Statement Coverage
- Has every line of code been executed during the test
-
-
-
-
-
-
Cloud Service Models
-
Cloud Shared Responsibility Model
-
Software as a Service (SaaS)
-
Platform as a Service (PaaS)
-
Infrastructure as a Service (IaaS)
-
Code as a Service (CaaS)
-
-
Cloud Deployment models
-
Public cloud model
-
Private cloud
-
Community cloud
-
Hybrid cloud
-
Hybrid cloud
-
-
-
Security Audits
-
Information System Security Audit Process
-
- Determine the goals, because everything else hinges on this.
-
- Involve the right business unit leaders to ensure the needs of the business are identified and addressed.3. Determine the scope, because not everything can be tested.
-
- Choose the audit team, which may consist of internal or external personnel, depending on the goals, scope, budget, and available expertise.
-
- Plan the audit to ensure all goals are met on time and on budget.
-
- Conduct the audit while sticking to the plan and documenting any deviations therefrom.
-
- Document the results, because the wealth of information generated is both valuable and volatile.
-
- Communicate the results to the right leaders in order to achieve and sustain a strong security posture.
-
Reporting
-
Analyzing Results
-
Writing Technical Reports
-
key elements of a good technical audit report
-
• Executive Summary
-
• Background
-
• Methodology
-
• Findings
-
• Recommendations
-
• Appendices
-
-
-
-
-
Internal Audits
-
• Mark your calendars
-
• Prepare the auditors
-
• Document everything
-
• Make the report easy to read
-
-
External Audits
-
• Learn the contract
-
• Schedule in- and out-briefs• Travel in pairs
-
• Keep it friendly
-
-
Third-Party Audits
-
Signing a nondisclosure agreement
-
Facilitating Third-Party Audits
-
• Know the requirements
-
• Pre-audit
-
• Lock in schedules
-
• Get organized
-
• Keep the boss informed
-
-
-
-
Verification and Validation
-
Verification Testing
-
Verification Testing is a process of evaluating whether a system or component complies with its specified requirements.
-
It involves checking that the software meets the design specifications and that it works as intended.
-
Verification Testing helps to ensure that the product is being built right and that it is consistent with the requirements.
-
-
Validation Testing
-
Validation Testing is the process of evaluating whether a system or software meets the specified requirements and works as intended.
-
During Validation Testing, the focus is on ensuring that the end product satisfies the user's needs and expectations.
-
This type of testing is essential to confirm that the software or system is ready for use in the real world and delivers the intended functionality.
-
-
-
Service Organization controls (SOC)
-
SOC Engagements
-
SOC 1 Engagements
- Assess the organization’s controls that might impact the accuracy of financial reporting.
-
SOC 2 Engagements
- Assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA.
-
SOC 3 Engagements
- Assess the organization’s controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.
-
-
SOC Reporting
-
Type I Reports
- These reports provide the auditor’s opinion on the description provided by management and the suitability of the design of the controls. Type I reports also cover only a specific point in time, rather than an extended period. You can think of the Type I report as more of a documentation review where the auditor is checking things out on paper and making sure that the controls described by management are reasonable and appropriate.
-
Type II Reports
- These reports go further and also provide the auditor’s opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly. The Type II report also covers an extended period of time: at least six months of operation. You can think of the Type II report as more like a traditional audit. The auditors are not just checking the paperwork; they are also going in and verifying that the controls function properly. Type II reports are considered much more reliable than Type I reports because they include independent testing of controls. Type I reports simply take the service organization at their word that the controls are implemented as described.
-
-
-
Patch Management Patches
-
• Evaluate patches
-
• Test patches
-
• Approve the patches
-
• Deploy the patches
-
• Verify that patches are deployed
-
-
Certification vs.
Accreditation-
Certification
- is the comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation.
-
Accreditation
- is the formal acceptance of the adequacy of a system’s overall security and functionality by management
-
-
Configuration Management
-
Change Management
-
• Request the change
-
• Review the change
-
• Approve/reject the change
-
• Test the change
-
• Schedule and implement the change
-
• Document the change
-