Domain 6: Security Assessment and Testing
Study Notes
CONCEPT: Always get written senior management approval before performing any kind of system testing.
Techniques to Test The Security of an Organization
- Penetration testing (white hat / ethical hacking)
- Automated scanners and frameworks (Nessus, GFI LanGuard, Metasploit)
- Testing a system yourself
- Reviewing and auditing logs
- ISO 27001 certification (the certification audit is an independent check of the ISMS, not a technical test of the systems)
Testing the Security of Software
Why Do We Need Vulnerability Testing?
- Penetration testing, or another form of hands-on testing, is the only reliable way to gauge an organization's actual security posture
- Third-party (external) testers are effective because they evaluate without bias or built-in assumptions about the environment
- Not all companies are alike: each has its own custom applications and hardening techniques, so each needs tests and assessments tailored to it
- One type of test does not work for all organizations
FUN FACT
- In the 1980s the US Navy tested the security of its bases by having a special unit break into them, successfully; the unit, Red Cell, was founded in 1984 by Richard Marcinko, who had also founded SEAL Team Six
- It is rumored that he did his job too well, embarrassing the Navy
THE THING ABOUT SECURITY TESTING
Testing should be conducted at least annually, and repeated after any significant change to a system, network, or application.
A test result is a snapshot: what was secure today may not be tomorrow, because configurations, software versions, and the threats themselves keep changing.
3 Types of Testing
- Administrative Testing - The testing of PEOPLE
  - All-around general auditing and testing
  - Regular drug testing
  - Social-engineering experiments (phishing, pretext phone calls)
  - Reviewing that procedures and standards are up to date
  - Regular security awareness training and quizzes
Technical Testing - The testing of NETWORKS and SYSTEMS
-
Penetration testing
-
Network scanning
-
Network attacks using Kali Linux
-
Wardialing
-
Vulnerability Scanning
-
File integrity checks
-
Brute force attacks on passwords
-
Hiring white hat hackers to conducts operations
-
Automated network or application scans
-
Network Discovery
-
Port scans
-
Ping sweeps
-
DDOS
-
-
-
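The file integrity check listed above, worked through as an added example (this code is not from the original notes). It builds a baseline of SHA-256 digests for every regular file under a directory, re-scans after changes, and reports files that were added, removed, or modified. The directory layout and file contents are constructed inside the script purely for the demonstration.

```python
"""Added example: a minimal file-integrity check of the kind listed under
Technical Testing. Not part of the original study notes. Builds a baseline of
SHA-256 digests, re-scans, and reports added/removed/modified files."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large binaries do not load into RAM


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under root.
    Symlinks are skipped so a planted link cannot make the scan hash files
    outside the tree (or loop forever)."""
    baseline: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two baselines. Sorted lists keep the report deterministic."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, tamper with the tree, re-check.
    The paths and contents are invented for the demo, not a real host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")

        baseline = build_baseline(root)
        # Round-trip through JSON, as a baseline stored off-host would be.
        stored = json.loads(json.dumps(baseline))

        # Simulate an intrusion: trojaned binary, deleted file, planted preload.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points a practitioner should take from this: the baseline has to live somewhere the monitored host cannot rewrite (read-only media or a separate server), or an attacker simply re-baselines after tampering; and a content hash alone misses ownership, permission, and timestamp changes, which a production tool also records.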
Physical Testing - The testing of BUILDINGS and EQUIPMENT
-
Social-engineering experiments
-
Fence/perimeter checks
-
Fire drills and alarm drills
-
Trash and dumpsters located in secure areas to prevent dumpster diving
-
Are paper shredders secured?
-
Emergency fail-open and fail-secure tests
-
Do biometric devices balance Type 1 and Type 2 errors?
-



Difference Between Penetration and Vulnerability Testing
- Penetration Testing
  - Technical in nature
  - Associated with black, white, and gray hat hacking
  - Find vulnerabilities AND exploit them
  - Gain access to data objects, files, or systems
  - Tests the function of the Incident Response Team (did anyone detect and respond?)
  - Helps to understand business impact
  - Look for small vulnerabilities that can be chained or escalated to a higher privilege level (privilege escalation)
  - Helps to understand security impact
  - Can help determine how much money senior management should allocate to the security team
- Vulnerability Testing (and Assessment)
  - Technical in nature, with both quantitative and qualitative output
  - Assign a risk score to critical assets
  - Associated with black, white, and gray hat hacking
  - Find vulnerabilities AND identify them (catalogue and rate them, typically with scanning tools)
  - Do not exploit them
  - No reason to access data objects, files, or systems
How to Avoid Going to a Federal Prison for Hacking
(When you're actually doing a penetration test)
BEFORE CONDUCTING A PENETRATION TEST:
- GET A WRITTEN AGREEMENT BETWEEN YOU AND THE ORGANIZATION (signed by someone with authority over every system in scope; this is your authorization and your legal cover)
- AGREE UPON AN EXACT SCOPE, TIME, AND DATE
- NOTIFY ALL AFFECTED PERSONNEL (in a blind test, the short list of trusted agents who know about it is agreed in advance)
- AGREE ON WHO TO CONTACT FOR MATTERS OF URGENCY (a system goes down, or the test uncovers a real intruder)
AFTER CONDUCTING A PENETRATION TEST:
- CREATE A WRITTEN REPORT OF FINDINGS
- SECURELY SEND THE REPORT TO SENIOR MANAGEMENT (the report is a roadmap for an attacker; encrypt it and limit who receives it)