Building a Security Assessment and Testing Program

  • Security Testing
  • Verifies that a control is functioning properly.
  • It is not sufficient to simply perform security tests.
  • Security professionals must also carefully review the results of those tests to ensure that each test was successful and that any failures are acted on.
  • Security Assessments
  • Are comprehensive reviews of the security of a system, application, or other tested environment.
  • Security Audits
  • Three main types of audits
    • internal audits
    • external audits
    • third-party audits
  • Internal Audits
  • Internal audits are performed by an organization's internal audit staff and are typically intended for internal audiences.
  • Chief Audit Executive (CAE)
  • External Audits
  • External audits are performed by an outside auditing firm.
  • The so-called Big Four audit firms:
    • Ernst & Young (EY, UK origin)
    • Deloitte (DTT, UK origin)
    • PricewaterhouseCoopers (PwC, UK origin)
    • KPMG (headquartered in the Netherlands)
  • Third-Party Audits
  • Third-party audits are conducted by, or on behalf of, another organization (for example, a customer auditing a service provider).
  • Service Organization Controls
    • SOC 1 Engagements
    • Assess the controls that might affect the accuracy of a customer's financial reporting.
    • SOC 2 Engagements
    • Assess controls over the security, availability, processing integrity, confidentiality, and privacy of a system (the Trust Services Criteria).
    • Audit results are confidential and only shared under an NDA.
    • SOC 3 Engagements
    • Cover the same criteria as SOC 2, but the audit results are intended for public disclosure.
  • SOC reports
    • Type I Reports
    • Provide the auditor's opinion on management's description of the controls and on the suitability of their design.
    • Type I reports cover only a specific point in time, rather than an extended period.
    • Type II Reports
    • Also include the auditor's opinion on the operating effectiveness of the controls, based on testing over an extended period of time: at least six months of operation.
    • Much more reliable than Type I reports.
  • Auditing Standards
  • COBIT (Control Objectives for Information and Related Technologies)
    • Describes the common requirements that organizations should have in place surrounding their information systems.
  • ISO 27001
    • Describes a standard approach for setting up an information security management system.

Performing Vulnerability Assessments

  • Describing Vulnerabilities
  • NIST: Security Content Automation Protocol (SCAP)
    • CVE (Common Vulnerabilities and Exposures): naming scheme for individual vulnerabilities
    • CVSS (Common Vulnerability Scoring System): standardized severity scoring
    • CCE (Common Configuration Enumeration): naming scheme for configuration issues
    • CPE (Common Platform Enumeration): naming scheme for operating systems, applications, and devices
    • XCCDF (Extensible Configuration Checklist Description Format): language for writing security checklists
    • OVAL (Open Vulnerability and Assessment Language): language for describing security testing procedures
  • Vulnerability Scans
  • Four main categories of vulnerability scans:
    • Network discovery scans
    • Network vulnerability scans
    • Web application vulnerability scans
    • Database vulnerability scans
  • Network Discovery Scanning
    • Techniques to identify open ports on remote systems
    • TCP SYN Scanning (also known as "half-open" scanning)
      • Sends a SYN packet and receives a SYN ACK packet in response, but it does not send the final ACK required to complete the three-way handshake.
    • TCP Connect Scanning
    • TCP ACK Scanning
    • UDP Scanning
    • Xmas Scanning
    • The most common tool for network discovery scanning is nmap. It reports the current state of each port as one of:
    • Open - open & there is an application actively accepting connections on that port.
    • Closed - accessible but there is no application accepting connection.
    • Filtered - unable to determine open or closed (a firewall is interfering with the connection)
    • netstat command
    • Lists all active network connections on a system as well as those ports that are open and awaiting new connections (the view from the host itself, as opposed to the scanner's view).
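The three port states above are easy to confuse until you see what the scanner actually observes on the wire. This added example (my code, not from the study guide or from nmap) classifies a port with a TCP connect scan, the full-handshake variant, which needs no raw-socket privileges: a completed handshake is open, a RST (connection refused) is closed, and silence until the timeout is filtered. The demo opens a listening socket on loopback to produce an open port and picks an unused loopback port for the closed case; both are constructed for the example.

```python
import socket


def scan_port(host, port, timeout=1.0):
    """Classify one TCP port the way nmap reports it, using a full connect().

    This is a TCP connect scan, not a half-open SYN scan: the three-way
    handshake completes, so the target's application may log the connection.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # SYN/ACK came back and the handshake completed
    except ConnectionRefusedError:
        return "closed"          # host answered with RST: reachable, nothing listening
    except socket.timeout:
        return "filtered"        # no reply at all: a firewall is probably dropping packets
    except OSError:
        return "filtered"        # ICMP unreachable etc.; nmap also reports these as filtered
    finally:
        s.close()


def scan_ports(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def demo():
    """Produce one open and one closed port on loopback and scan both."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)                # a listen backlog is enough for connect() to succeed
    open_port = listener.getsockname()[1]

    # Grab a second free port number, then release it so nothing listens there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        states = scan_ports("127.0.0.1", [open_port, closed_port])
        return {"open": states[open_port], "closed": states[closed_port]}
    finally:
        listener.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"expected {label:6s} -> scanner saw {state}")
```

The filtered case cannot be reproduced on loopback; against a real host you see it when a packet filter drops the SYN silently (the connect() simply times out). On the target, `netstat -tln` (or `ss -tln`) shows the same listening port from the inside, which is the cross-check to run when a scan result looks wrong.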
  • Network Vulnerability Scanning
    • Network vulnerability scans go deeper than discovery scans.
    • False positive report: the scanner reports a vulnerability that does not actually exist.
    • False negative report: the scanner misses a vulnerability that does exist.
    • By default, network vulnerability scanners run unauthenticated scans.
    • Performing authenticated scans (the scanner logs in to the target and inspects it from the inside) reduces both false positive and false negative reports.
  • Web Vulnerability Scanning
    • Special-purpose tools that scour web applications for known vulnerabilities.
    • May discover flaws not visible to network vulnerability scanners.
    • Tools include Nessus and OWASP ZAP.
  • Database Vulnerability Scanning
    • Tools that allow security professionals to scan both databases and web applications for vulnerabilities that may affect database security.
    • Sqlmap
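What sqlmap is hunting for is easiest to see in a small, runnable case. This added example (my code, not from the study guide or from sqlmap) builds an in-memory SQLite table, shows a deliberately vulnerable login query beside its parameterized fix, and then runs the boolean-based differential probe that is the core idea behind automated injection detection: inject a true condition and a false one, and if the application's answer changes, the input reaches the SQL engine. The table, the user record, and the payloads are all constructed for illustration (passwords are stored in clear text only to keep the example short).

```python
import sqlite3


def make_db():
    """Constructed sample database with a single user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Hardened form: placeholders keep user input out of the SQL grammar."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def looks_injectable(login_fn, conn, username="alice", password="correct horse"):
    """Boolean-based differential probe (simplified version of what sqlmap does).

    Append a condition that is always true and one that is always false to a
    known-good password. If the true variant still logs in and the false one
    does not, the injected SQL was evaluated by the database.
    """
    baseline = login_fn(conn, username, password)
    with_true = login_fn(conn, username, password + "' AND '1'='1")
    with_false = login_fn(conn, username, password + "' AND '1'='2")
    return baseline and with_true and not with_false


if __name__ == "__main__":
    conn = make_db()
    # Comment-out attack: the username closes the string and '--' discards the password check.
    print("vulnerable, alice' --  :", login_vulnerable(conn, "alice' --", "wrong"))
    print("safe,       alice' --  :", login_safe(conn, "alice' --", "wrong"))
    # Tautology attack in the password field.
    print("vulnerable, ' OR '1'='1:", login_vulnerable(conn, "nobody", "' OR '1'='1"))
    print("safe,       ' OR '1'='1:", login_safe(conn, "nobody", "' OR '1'='1"))
    print("probe says vulnerable :", looks_injectable(login_vulnerable, conn))
    print("probe says safe       :", looks_injectable(login_safe, conn))
```

The probe needs a known-good credential, which is why authenticated scanning (covered above for network scanners) matters for database and web scanners too: without a valid session, many injection points are never reached.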
  • Vulnerability Management Workflow
    • A workflow approach to managing vulnerabilities should also be developed.
    • The basic steps:
    1. Detection
    2. Validation (confirming the vulnerability to determine that it is not a false positive report)
    3. Remediation
  • Penetration Testing
    • NIST (SP 800-115) defines four phases
    1. Planning
    2. Information gathering and discovery
    3. Attack
    4. Reporting
    • tool: Metasploit Framework
    • Tests are categorized into three groups by how much the testers are told about the target
    • White-Box Penetration Test ("known environment" test)
      • Provides the attackers with detailed information about the target.
      • Bypasses many of the reconnaissance steps.
      • Shortens the time required.
      • Increases the likelihood that the test will find security flaws.
    • Gray-Box Penetration Test ("partially known environment" test)
      • Partial knowledge test.
      • Balances the advantages and disadvantages of white- and black-box penetration tests.
    • Black-Box Penetration Test ("unknown environment" test)
      • Provides no information in advance; simulates an external attacker.
  • Compliance Checks
    • An important part of security testing and assessment programs for regulated firms.

Testing Your Software

  • Code Review and Testing
  • Code Review (also known as peer review)
    • Fagan inspections (The most formal code review processes)
    1. Planning
    2. Overview
    3. Preparation
    4. Inspection
    5. Rework
    6. Follow-up
  • Static Testing
    • Static application security testing (SAST)
  • Dynamic Testing
    • Dynamic application security testing (DAST)
    • IAST (Interactive application security testing)
    • RASP (Runtime Applications Self-Protection)
  • Fuzz Testing
    • A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
    • Categories
    • Mutation (Dumb) Fuzzing
      • Uses bit flipping and other techniques to slightly modify previous inputs to a program in an attempt to detect software flaws.
    • Generational (Intelligent) Fuzzing
      • Builds data models of the input the program expects and generates new fuzzed input from those models, rather than mutating captured samples.
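Mutation fuzzing is simple enough to show end to end. This added example (my code, not from the study guide) defines a toy length-prefixed record format with a parser that trusts its length byte, plus a bit-flipping fuzzer that starts from one valid seed record and collects every crash that is not the parser's own "malformed input" rejection. The record format, the bug, the seed, and the fixed parser are all constructed for illustration.

```python
import random

MAGIC = b"RC"


def xor_checksum(payload):
    out = 0
    for b in payload:
        out ^= b
    return out


def parse_record(data):
    """Parse MAGIC | length(1) | payload | xor-checksum(1).

    Deliberately buggy: the length byte is trusted, so a length larger than
    the real record makes the checksum read fall off the end of the buffer.
    """
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    n = data[2]
    payload = data[3:3 + n]
    checksum = data[3 + n]        # IndexError when n exceeds the bytes present
    if checksum != xor_checksum(payload):
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data):
    """Same format, with the length field validated against the buffer."""
    if len(data) < 4:
        raise ValueError("record too short")
    if data[:2] != MAGIC:
        raise ValueError("bad magic")
    n = data[2]
    if len(data) != 4 + n:
        raise ValueError("length field does not match record size")
    payload = data[3:3 + n]
    if data[3 + n] != xor_checksum(payload):
        raise ValueError("bad checksum")
    return payload


def mutate(data, rng):
    """Dumb mutation: flip one to three random bits of a previous input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def fuzz(target, seed, iterations, rng_seed=0):
    """Run mutated inputs through target; return [(input, exception name)] for crashes.

    ValueError is the parser's intended rejection path and is not a finding.
    Anything else escaping the parser is a bug. rng_seed makes runs reproducible.
    """
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes


# Constructed seed: a valid 3-byte record, so the fuzzer starts from the happy path.
SEED = MAGIC + bytes([3]) + b"abc" + bytes([xor_checksum(b"abc")])

if __name__ == "__main__":
    found = fuzz(parse_record, SEED, iterations=1000)
    print(f"buggy parser: {len(found)} crashing inputs, first: {found[0] if found else None}")
    print(f"fixed parser: {len(fuzz(parse_record_fixed, SEED, iterations=1000))} crashing inputs")
```

The classification step is the part practitioners get wrong: a fuzzer that treats every exception as a finding drowns in expected rejections, and one that swallows everything finds nothing. Real fuzzers (AFL++, libFuzzer) add coverage feedback so that mutations which reach new code are kept as new seeds; this example keeps the single seed to stay readable.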
  • Interface Testing
    • Three types
    • APIs
    • User Interfaces (UIs)
      • Includes assessments of both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.
    • Physical Interfaces
  • Misuse Case Testing (also known as abuse case testing): evaluates how software behaves when used in unintended or hostile ways.
  • Test Coverage Analysis
    • Five common criteria
    • Branch coverage: has every if statement been executed under all if and else conditions?
    • Condition coverage: has every logical test in the code been executed under all sets of inputs?
    • Function coverage: has every function in the code been called and returned results?
    • Loop coverage: has every loop been executed under conditions that cause it to run multiple times, once, and not at all?
    • Statement coverage: has every line of code been executed during the test?
  • Website Monitoring
    • Passive monitoring
    • Real user monitoring (RUM)
    • Synthetic monitoring (or active monitoring)

Implementing Security Management Processes

  • Log Reviews
  • Regular review of logs (in particular, logs of privileged actions) to ensure that privileged users are not abusing their privileges.
  • Account Management
  • To ensure that users retain authorized permissions and that unauthorized modifications do not occur.
  • Organizations that do not have time to conduct this thorough process may use sampling instead.
  • Disaster Recovery and Business Continuity
  • Consistent backup programs are an extremely important component of these efforts.
  • Training and Awareness
  • Many organizations use phishing simulations to evaluate the effectiveness of their security awareness programs.
  • Key Performance and Risk Indicators
  • Number of open vulnerabilities
  • Time to resolve vulnerabilities
  • Vulnerability/defect recurrence
  • Number of compromised accounts
  • Number of software flaws detected in preproduction scanning
  • Repeat audit findings
  • User attempts to visit known malicious sites

Summary

Exam Essentials

  • Understand the importance of security assessment and testing programs.
  • Conduct vulnerability assessments and penetration tests.
  • Perform software testing to validate code moving into production.
  • Understand the difference between static and dynamic software testing.
  • Explain the concept of fuzzing.
  • Perform security management tasks to provide oversight to the information security program.
  • Conduct or facilitate internal and third-party audits.
  • Collect security process data.

Review Questions

1 A
2 D
3 D → C
4 C
5 A
6 C
7 B
8 B
9 D
10 C
11 D
12 C
13 B
14 A → C
15 A
16 A → B
17 B
18 B
19 B
20 C → B

Score: 16 / 20 = 80%