CISSP Domain 6 – Study Guide

Security Control Testing

Organizations must manage security control testing so that every control is tested thoroughly, on an agreed schedule, and only by authorized individuals. Below we cover the methods used to conduct security control testing properly.

  • Vulnerability assessment
  • Penetration testing
  • Log reviews
  • Synthetic transactions
  • Code review and testing
  • Misuse case testing
  • Test coverage analysis
  • Interface testing
  • Breach attack simulations
  • Compliance checks

Vulnerability testing

A vulnerability assessment is performed to identify, evaluate, quantify and prioritize the areas of weakness in an organisation's systems. One important step of this process is asset prioritization: knowing which systems matter most decides which findings get fixed first. As discussed in Domain 1, a comprehensive vulnerability assessment is part of the risk management process.

Vulnerability assessments usually fall into one of three categories:

  • Personnel testing: Reviews standard practices and procedures that users follow.
  • Physical testing: Reviews facility and perimeter protections.
  • System and network testing: Reviews systems, devices, and network topology.

Vulnerability scanning generates a large volume of traffic and can destabilise fragile services, so its impact should be considered beforehand: agree the scope, timing and scan intensity with the system owners.

Review the results for false positives (a scanner infers many findings from banners and version strings), and document all findings, including the ones ruled out and why.

There are two types of scans:

  • Credentialed: The scanner has access to an account on the tested system, allowing it to inspect parts of the system that are normally hidden from external entities (installed packages, patch levels, local configuration). This produces more accurate results with fewer false positives.
  • Uncredentialed: The scanner does not have access to an account on the tested system and sees only what an external attacker without credentials would see.

Vulnerability assessment applications include Nessus, Open Vulnerability Assessment System (OpenVAS), Core Impact, Nexpose, GFI LanGuard, QualysGuard, and Microsoft Baseline Security Analyzer (MBSA). Of these applications, OpenVAS and MBSA are free (MBSA has since been retired by Microsoft, but it still appears in exam material).

These testing tools should conform to:

  • SCAP: Security Content Automation Protocol (developed by NIST), a suite of specifications for expressing and exchanging security configuration and vulnerability content in a machine-readable form.
  • OVAL: Open Vulnerability and Assessment Language (originally developed by MITRE, now maintained by the Center for Internet Security), a language for describing how to check a system for a given vulnerability or configuration state.

Once you have a list of vulnerabilities, interpreting and classifying the results can be done using:

  • CVE: Common Vulnerabilities and Exposures. A dictionary of publicly known vulnerabilities, each with a unique identifier (CVE-YYYY-NNNNN) so that tools and reports refer to the same flaw by the same name.
  • CVSS: Common Vulnerability Scoring System. A formula that turns a vulnerability's characteristics (attack vector, complexity, privileges required, impact on confidentiality, integrity and availability) into a 0.0 to 10.0 score and a qualitative rating, used to prioritise remediation.

Network Discovery Scan

A network discovery scan uses a tool to examine a range of IP addresses to determine which hosts are up and which ports are open on them. These scans provide a list of systems on the network and the ports in use on each. A discovery scan does not check for any vulnerabilities; it only establishes what is listening.

Network discovery tools can perform the following types of scans:

  • TCP SYN scan: Sends a packet to each scanned port with the SYN flag set. If a response is received with the SYN and ACK flags set, the port is open; an RST response means closed; no response means the port is filtered. The scanner never completes the handshake (it answers with RST), so it is often called a half-open scan.
  • TCP ACK scan: Sends a packet to each port with the ACK flag set. If no response is received, the port is marked as filtered. If an RST response is received, the port is marked as unfiltered. This scan does not tell you whether a port is open; it is used to map which ports a stateful firewall lets through.
  • Xmas scan: Sends a packet with the FIN, PSH, and URG flags set. If the port is open (or filtered), there is no response. If the port is closed, the target responds with an RST. This relies on RFC 793 behaviour, so Windows and some other stacks answer with RST regardless of port state.
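The scan types listed above require raw sockets (and therefore root), so as an added example that is not part of the original guide, here is the simplest form of discovery scan, a TCP connect() scan, which reaches the same open/closed/filtered verdict for TCP by completing the handshake. The local listener it starts is a constructed target so the scan has something to find offline.

```python
"""TCP connect discovery scan (added example).

A SYN scan needs raw sockets and root privileges; a connect() scan reaches
the same open/closed verdict for TCP by completing the handshake, at the
cost of being noisier (the connection appears in the target's logs). The
listener started here is a constructed local target so the scan has
something to find offline; it is not a real host.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """Classify one port: 'open' (handshake completed), 'closed' (RST) or 'filtered' (no reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"
        except ConnectionRefusedError:
            return port, "closed"
        except (socket.timeout, OSError):
            return port, "filtered"


def discovery_scan(host, ports, timeout=0.5, workers=32):
    """Probe a list of ports concurrently. Returns {port: state}; no vulnerability checks."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: probe(host, p, timeout), ports))


def start_listener(host="127.0.0.1"):
    """Constructed target: listen on an ephemeral port and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Bind and release an ephemeral port so we know one that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Scan one listening and one closed local port; returns (open_port, closed_port, results)."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = discovery_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in sorted(results.items()):
        print("%5d/tcp %s" % (port, state))
```

The three branches in `probe` are the same three verdicts the SYN scan table above produces: a completed handshake corresponds to SYN/ACK, `ConnectionRefusedError` to an RST, and a timeout to a dropped probe. A real scan of a remote range would use a shorter timeout and a larger worker pool, and would be run only against hosts you are authorised to test.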

Network Vulnerability Scan

Network vulnerability scans perform a more complex scan of the network than network discovery scans. These scans will probe a targeted system or network to identify vulnerabilities. The tools used in this type of scan will contain a database of known vulnerabilities and will identify if a specific vulnerability exists on each device.

There are two types of vulnerability scanners:

  • Passive vulnerability scanners: A passive vulnerability scanner (PVS) monitors network traffic at the packet layer to determine topology, services, and vulnerabilities. It avoids the instability that can be introduced to a system by actively scanning for vulnerabilities. PVS tools analyze the packet stream and look for vulnerabilities through direct analysis. They are deployed in much the same way as intrusion detection systems (IDSs) or packet analyzers. A PVS can pick a network session that targets a protected server and monitor it as much as needed. The biggest benefit of a PVS is its ability to do its work without impacting the monitored network. Some examples of PVSs are the Nessus Network Monitor (formerly Tenable PVS) and NetScanTools Pro.
  • Active vulnerability scanners: An active vulnerability scanner (AVS) sends probes to nodes and examines the responses, so it can test for a vulnerability directly rather than infer it from observed traffic, and it can be used to simulate an attack to assess readiness. Because it interacts with the target, it may disrupt network traffic or crash fragile services, which is why scan windows are agreed in advance. Examples include Nessus, OpenVAS and Microsoft Baseline Security Analyzer (MBSA).

Penetration testing

Penetration testing is a more aggressive form of vulnerability testing: it does not only test for vulnerabilities but also tries to exploit them, to show what an attacker could actually reach. Some organisations employ specialist penetration testers to target specific systems and carry out simulated attacks under an agreed scope and rules of engagement.

NIST SP 800-115 describes penetration testing in four phases: planning, discovery, attack and reporting. Exam study guides often expand the discovery and attack phases into the following six steps:

  1. Planning – Agree scope and rules of engagement, prioritise assets and plan attack methods
  2. Discovery – Network and port scans
  3. Enumeration – Identify hosts, services, users and shares from the scan results
  4. Vulnerability mapping – Identify vulnerabilities in the enumerated services
  5. Exploitation/Attack – Gain access, escalate privileges, browse the system and install additional tools (the sub-steps NIST lists under its attack phase)
  6. Reporting – Document results and recommendations to management

Penetration testing covers three domains:

  • Network penetration testing
  • Application penetration testing
  • Physical penetration testing

Penetration tests are also classified by who knows about them:

  • Overt (announced) testing: The IT/security operations team is aware of the test and cooperates with the testers. Study material sometimes labels this "white hat".
  • Covert (unannounced) testing: The IT team is not aware of the test (management and the test sponsor of course are). It measures whether the organisation detects and responds to the activity. Study material sometimes labels this "black hat", although strictly the white/black hat labels describe the ethics of the hacker, not the style of the test.

Ethical Hacking

Ethical hacking differs from malicious hacking in authorisation and intent: it is performed with the system owner's written permission, within a defined scope, and its purpose is to expose security flaws in the organization's systems so they can be fixed, not to profit from them.

Web Application Vulnerability Scan

Because web applications are highly used in today’s world, companies must ensure that their web applications remain secure and free of vulnerabilities. Web application vulnerability scanners are special tools that examine web applications for known vulnerabilities.

Popular web application vulnerability scanners include QualysGuard and Nexpose, which offer web application modules alongside their network scanning; dedicated web application scanners such as OWASP ZAP and Burp Suite are also widely used.

Log review

A log is a recorded event on a system, and security logs can be very valuable when investigating incidents. Reviewing logs can be overwhelming, as most entries are non-critical events or false positives, but the tedious task of reviewing them is a critical step in security control testing and can detect issues before they become major problems. To help with this, a Security Information and Event Management (SIEM) solution can be used to collect, normalise and correlate logs from many sources and raise alerts on suspicious patterns.

You should always protect the integrity of logs, otherwise an attacker who gains access can simply erase their tracks:

  • Keep a secure copy on a separate system (a central log server or SIEM) that the logged system cannot modify.
  • Any change to a log must itself be logged; corrections are appended as new records, never made by editing existing ones.
  • Hash logs (ideally as a chain, so each record covers the one before it) so that modification or deletion can be detected.
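As an added example (not code from the original guide) of the hashing and "changes must be logged" points above, the following builds a hash-chained log in which every record includes the SHA-256 of the record before it, so editing or deleting one event breaks verification from that point on. The authentication events are constructed sample data.

```python
"""Tamper-evident log with a hash chain (added example).

Each record stores the SHA-256 of the previous record, so editing or
deleting one entry breaks every digest after it. The events below are
constructed for the example; a real deployment would also ship each
digest to a separate, write-once store that the logged host cannot reach.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the very first record

# Constructed authentication events, not real data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01Z", "user": "alice", "src": "10.0.0.5", "event": "login", "result": "success"},
    {"ts": "2024-05-01T09:02:17Z", "user": "root", "src": "203.0.113.9", "event": "login", "result": "failure"},
    {"ts": "2024-05-01T09:02:19Z", "user": "root", "src": "203.0.113.9", "event": "login", "result": "failure"},
    {"ts": "2024-05-01T09:05:40Z", "user": "bob", "src": "10.0.0.8", "event": "sudo", "result": "success"},
]


def _digest(prev_hash, entry):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def append(chain, entry):
    """Append an event; the new record carries the hash of the record before it."""
    entry = dict(entry)  # copy so later edits to the caller's dict cannot alias the log
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"entry": entry, "prev": prev_hash, "hash": _digest(prev_hash, entry)}
    chain.append(record)
    return record


def verify(chain):
    """Return (ok, index): index is the first record that fails, or -1 if the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or rec["hash"] != _digest(prev_hash, rec["entry"]):
            return False, i
        prev_hash = rec["hash"]
    return True, -1


def correct(chain, index, field, new_value, reason):
    """The right way to change a log: append a correction record that references the original."""
    return append(chain, {"event": "correction", "refers_to": index, "field": field,
                          "new_value": new_value, "reason": reason})


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def tamper_demo():
    """Edit an event in place, as an attacker clearing tracks would; verification then fails there."""
    chain = build_sample_chain()
    chain[1]["entry"]["result"] = "success"  # turn a failed root login into a success
    return verify(chain)


def deletion_demo():
    """Delete a record; the record after it no longer points at the right predecessor."""
    chain = build_sample_chain()
    del chain[2]
    return verify(chain)


if __name__ == "__main__":
    chain = build_sample_chain()
    correct(chain, 3, "user", "robert", "account renamed in directory")
    print("intact:", verify(chain))
    print("edited:", tamper_demo())
    print("deleted:", deletion_demo())
```

The chain detects modification and deletion, but an attacker with write access to the whole file could recompute every hash from the tampered point onwards; that is why the secure copy in the first bullet (shipping the latest digest to a host the attacker does not control) is needed in addition to hashing.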

Synthetic transactions

Synthetic transaction monitoring runs scripted actions against a monitored system to see how it responds. It is often used on websites and applications to give insight into the availability and performance of the system from a user's point of view, before real users are affected.

  • RUM (Real-User Monitoring) : Monitors actual users.
  • Synthetic performance monitoring: Using scripts that mimic a typical user. It is also called proactive monitoring.
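As an added example (not code from the original guide) of synthetic performance monitoring, the script below plays the part of a typical user: it requests pages from an application, checks the status code and expected content, and compares the response time against a threshold. The small HTTP application it starts is a constructed stand-in for the monitored system, so the check runs offline.

```python
"""Synthetic transaction check (added example).

A scripted "user" fetches a page, checks status and content, and measures
latency against a threshold, the way a synthetic monitor does. The tiny
HTTP application started here is a constructed stand-in for the monitored
system; its paths (/login, /slow) are invented for the example.
"""
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class FakeApp(BaseHTTPRequestHandler):
    """Constructed application: a login page, a deliberately slow page, everything else 404."""

    def do_GET(self):
        if self.path == "/login":
            status, body = 200, b"<title>Sign in</title><form>...</form>"
        elif self.path == "/slow":
            time.sleep(0.3)
            status, body = 200, b"ok"
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_app():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def synthetic_check(url, expect_status=200, expect_text=None, max_latency=1.0, timeout=5):
    """Run one scripted request and return the record a monitor would alert on."""
    started = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:      # 4xx/5xx still count as a response
        status, body = exc.code, ""
    except (urllib.error.URLError, OSError) as exc:
        return {"url": url, "ok": False, "status": None, "latency": None,
                "problems": ["unreachable: %s" % exc]}
    latency = time.monotonic() - started
    problems = []
    if status != expect_status:
        problems.append("status %s, expected %s" % (status, expect_status))
    if expect_text and expect_text not in body:
        problems.append("expected text %r not found" % expect_text)
    if latency > max_latency:
        problems.append("latency %.3fs over %.3fs" % (latency, max_latency))
    return {"url": url, "ok": not problems, "status": status,
            "latency": round(latency, 3), "problems": problems}


def run_transactions():
    """The scripted journey: login page up and fast, slow page over budget, missing page 404."""
    srv, port = start_app()
    base = "http://127.0.0.1:%d" % port
    try:
        return [
            synthetic_check(base + "/login", expect_text="Sign in"),
            synthetic_check(base + "/slow", max_latency=0.1),
            synthetic_check(base + "/missing"),
        ]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for result in run_transactions():
        print("OK " if result["ok"] else "FAIL", result["url"], result["problems"])
```

Checking for expected text as well as a 200 status is the part most often omitted: a broken application that still returns an error page with status 200 passes a status-only check but fails this one.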

Code Review and testing

Secure code review is part of the formal application development life cycle and involves examining an application's source code for security flaws, bad programming patterns, security misconfigurations, functional bugs, and logic flaws.

There are a lot of ways and techniques to perform code review and testing. These are some of the common ones that you should know about:

  • Manual : Conducted by a human.
  • Automatic : Using a software tool.
  • Black box : The tester does not have access to the code.
  • White box : The tester has access to the code.
  • Gray box : The tester has a certain level of knowledge about the inner workings of the system. (Between black box and white box).
  • Dynamic: Testing the application while it is running (dynamic application security testing, DAST); finds flaws that only appear at run time, such as misconfiguration, but cannot point at the offending line of code.
  • Static: Testing the application without executing it, by analysing source or binaries (static application security testing, SAST); finds flaws early and pinpoints the code, but with more false positives.

For reviewing code, the following methods can be used:

  • Pair programming: Two developers share one workstation; the first person codes while the second reviews, and then they switch.
  • Over-the-shoulder: One person codes, and another person only reviews, walking through the code with the author.
  • Pass-around: The code is distributed to several reviewers (by e-mail or a shared repository) who review it independently and send back comments.
  • Tool-assisted: A review tool (or the code hosting platform) tracks the changes, comments and approvals.
  • Fagan inspection: A formal method of 6 steps: planning, overview, preparation, inspection meeting, rework and follow-up. It is the most rigorous and most expensive of the methods, used where defects are costly.

Use/Misuse case testing

Misuse case testing, also referred to as negative testing, tests an application to ensure it can handle invalid input or unexpected behaviour safely. This testing is completed to ensure that an application will not crash, fail open or leak information, and to improve its quality by identifying its weak points. Misuse testing should include the following:

  • Use case : Tests based on how the user uses the system.
  • Misuse : Tests from the perspective of a malicious user.
  • Negative testing
    • Tests how the application would behave if there is an unexpected input.
    • Opposite : Positive testing.

Fuzz Testing

Fuzz testing is a dynamic testing technique in which a tool feeds large volumes of malformed or unexpected input to the software to test its limits and discover flaws, typically crashes, hangs or memory errors. The input can be randomly generated by the tool (mutation-based fuzzing modifies valid sample inputs; generation-based fuzzing builds inputs from a description of the expected format) or specially crafted to test for known vulnerability classes.

Fuzz testers include Untidy, Peach Fuzzer, and Microsoft SDL File/Regex Fuzzer; coverage-guided fuzzers such as AFL and libFuzzer are the common choice for native code today.
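As an added example (not code from the original guide) covering both negative testing and mutation-based fuzzing, the following fuzzer mutates a valid sample input and feeds the results to a parser. The parser handles a constructed toy record format, [length][payload][xor checksum], invented for this example: a "buggy" version trusts the length byte and a hardened version validates it. `ValueError` is the parser's documented way of rejecting bad input, so only other exceptions count as crashes.

```python
"""Mutation-based fuzzer against a constructed parser (added example).

The target parses a toy record format [length][payload...][xor checksum]
invented for this example; it stands in for any input-handling code and is
not a real product. ValueError is the parser's documented rejection, so
only other exceptions count as crashes worth triaging.
"""
import random

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]  # boundary bytes fuzzers like to try


def _xor(data):
    acc = 0
    for b in data:
        acc ^= b
    return acc


def parse_record_buggy(data):
    """Trusts the length byte: truncated input raises IndexError instead of a clean rejection."""
    n = data[0]                     # IndexError on empty input
    payload = data[1:1 + n]
    checksum = data[1 + n]          # IndexError whenever the length byte lies
    if _xor(payload) != checksum:
        raise ValueError("bad checksum")
    return bytes(payload)


def parse_record_hardened(data):
    """Validates lengths before indexing, so every bad input gets the documented ValueError."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    if len(data) != n + 2:
        raise ValueError("length mismatch")
    payload = data[1:1 + n]
    if _xor(payload) != data[1 + n]:
        raise ValueError("bad checksum")
    return bytes(payload)


def mutate(data, rng):
    """Apply one random mutation: bit flip, interesting byte, insert, delete or truncate."""
    data = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.choice(INTERESTING)
    elif choice == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 3 and data:
        del data[rng.randrange(len(data))]
    else:
        del data[rng.randrange(len(data) + 1):]   # truncate at a random point
    return bytes(data)


def fuzz(target, seeds, iterations=500, seed=1):
    """Return {exception class name: first input that triggered it}; empty means no crash found."""
    rng = random.Random(seed)       # fixed seed so a found crash is reproducible
    crashes = {}
    corpus = list(seeds)
    for _ in range(iterations):
        case = mutate(rng.choice(corpus), rng)
        try:
            target(case)
        except ValueError:
            continue                # expected rejection, not a bug
        except Exception as exc:    # anything else is a crash worth triaging
            crashes.setdefault(type(exc).__name__, case)
    return crashes


def make_seed(payload):
    """Build a valid record so mutations start from well-formed input."""
    return bytes([len(payload)]) + payload + bytes([_xor(payload)])


SEEDS = [make_seed(b"hello"), make_seed(b"")]

if __name__ == "__main__":
    print("buggy   :", fuzz(parse_record_buggy, SEEDS))
    print("hardened:", fuzz(parse_record_hardened, SEEDS))
```

Each crashing input is kept alongside the exception type so it can be replayed against the fixed parser as a regression test; that replay is the negative test case the misuse-case section asks for.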

Test coverage analysis

Test coverage analysis determines the percentage of the code that the testing has covered. There are multiple coverage types :

  • Branch coverage
  • Condition coverage
  • Function coverage
  • Loop coverage
  • Statement coverage
  • Decision coverage

For each type, coverage = (items of that type exercised by the tests) / (total items of that type in the application); for example, statement coverage is the fraction of statements executed at least once, and branch coverage is the fraction of if/else outcomes taken.

Ideally, the test coverage should be 100%, but high statement coverage does not prove the absence of flaws: a line can execute without every branch, condition or error path being tested, and security testing must also cover misuse cases that no normal path reaches.

Interface Testing

Interface testing checks that the different components of an application operate correctly with each other across their interfaces, including APIs, user interfaces and physical interfaces, and that each side enforces its input validation and access checks rather than trusting the other.

Security Testing Frameworks

There are numerous security testing methodologies being used today by security auditors for technical control assessment. Four of the most common are as follows:

  • Open Source Security Testing Methodology Manual (OSSTMM)
  • Information Systems Security Assessment Framework (ISSAF)
  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
  • Open Web Application Security Project (OWASP) Testing Guide

All of these frameworks provide a detailed, process-oriented manner in which to conduct a security test, and each has its particular strengths and weaknesses. Most auditors and penetration testers use these frameworks as a starting point to create their own testing process, and they find a lot of value in referencing them.
