Domain 6: Security Assessment and Testing
Study Notes
CONCEPT: Always get written senior management approval before performing any kind of system testing.
Techniques to Test The Security of an Organization
- Penetration testing (white hat, ethical hacking)
- Automated programs (Nessus, GFI LanGuard, Metasploit)
- Test a system on your own
- Review and audit logs
- Get ISO 27001 certified

Testing the Security of Software
Why Do We Need Vulnerability Testing?
- Penetration testing, or other types of testing, is the only true way to gauge the security standing of a company
- Third-party or external testers are effective because they can identify vulnerabilities with an unbiased evaluation
- Not all companies are alike: each has its own custom applications or techniques for strengthening security, and each requires different or custom tests and assessments
- One type of test does not work for all organizations

FUN FACT
- US Navy SEAL Team 6 used to test the security of Naval bases across the country by breaking into them successfully in the 1980s.
- These tests were done by the founder of SEAL Team 6, Richard Marcinko.
- It is rumored that he did his job too well, almost embarrassing the Navy.

THE THING ABOUT SECURITY TESTING
Testing should be conducted at least once a year, because a test run on systems, networks, or applications today may not give the same result tomorrow.

3 Types of Testing
- Administrative Testing - The testing of PEOPLE
  - All-around general auditing and testing
  - Regular drug testing
  - Social-engineering experiments
  - Reviewing that procedures and standards are up to date
  - Regular security awareness training and quizzes
- Technical Testing - The testing of NETWORKS and SYSTEMS
  - Penetration testing
  - Network scanning
  - Network attacks using Kali Linux
  - Wardialing
  - Vulnerability scanning
  - File integrity checks
  - Brute-force attacks on passwords
  - Hiring white hat hackers to conduct operations
  - Automated network or application scans
  - Network discovery
  - Port scans
  - Ping sweeps
  - DDoS
- Physical Testing - The testing of BUILDINGS and EQUIPMENT
  - Social-engineering experiments
  - Fence/perimeter checks
  - Fire drills and alarm drills
  - Trash and dumpsters located in secure areas to prevent dumpster diving
  - Are paper shredders secured?
  - Emergency fail-open and fail-secure tests
  - Do biometric devices balance Type 1 and Type 2 errors?

Difference Between Penetration and Vulnerability Testing
- Penetration Testing
  - Technical in nature
  - Associated with black, white, and gray hat hacking
  - Find vulnerabilities AND exploit them
  - Get access to data objects, files, or systems
  - Test the function of the Incident Response Team
  - Helps to understand business impact
  - Look for any small vulnerabilities that can be escalated to a higher privilege level (privilege escalation)
  - Helps to understand security impact
  - A penetration test can help determine how much money senior management should allocate for the security team
- Vulnerability Testing (and Assessment)
  - Technical, quantitative, and qualitative in nature
  - Assign a risk score to critical assets
  - Associated with black, white, and gray hat hacking
  - Find vulnerabilities AND identify them
  - Do not exploit them
  - No reason to access data objects, files, or systems

How to Avoid Going to a Federal Prison for Hacking
(When you're actually doing a penetration test)

BEFORE CONDUCTING A PENETRATION TEST:
- GET A WRITTEN AGREEMENT BETWEEN YOU AND THE ORGANIZATION
- AGREE UPON AN EXACT TIME AND DATE
- NOTIFY ALL AFFECTED PERSONNEL
- ESTABLISH WHO TO CONTACT FOR MATTERS OF URGENCY

AFTER CONDUCTING A PENETRATION TEST:
- CREATE A WRITTEN REPORT OF FINDINGS
- SECURELY SEND THE REPORT TO SENIOR MANAGEMENT