Security Assessment & Testing
Introduction
Security assessment and testing programs provide a mechanism for validating the ongoing effectiveness of security controls. It's crucial for organizations to have a security assessment and testing program defined and operational.
Remember: We are not expected to know everything. It's reasonable to consult with an expert when needed.
Exam Outline
- Design and validate assessment, test, and audit strategies
- Conduct security control testing
- Collect security process data (technical and administrative)
- Analyze test output and generate report
- Conduct or facilitate security audits
Though it's a short domain by numbers, there's a high expectation of what we must know and perform.
Assessment and Testing
Vulnerability Assessment vs. Penetration Tests
- Vulnerability Assessments:
  - Use automated tools.
  - Search for known vulnerabilities in applications and networks.
  Vulnerabilities can result from missing patches, incorrect configurations, or faulty code.
- Penetration Tests:
  - Use tools and attack techniques.
  - Attempt to exploit vulnerabilities and gain access to systems.
  When scoping a penetration test, it's common to quote clients for both a vulnerability assessment and a penetration test.
Penetration Test Strategies
- War Dialing
- Sniffing
- Eavesdropping
- Dumpster Diving
- Social Engineering
Human-involved tests might be costly but are more thorough.
Remember: every organization should have a security assessment and testing program defined.
Security Process Data
- Employment Policies and Practices
  - Define/write and communicate termination processes.
  - Implement regular background checks.
- Roles and Responsibilities
  - Management sets and communicates the policies.
- Security Awareness Training (SAT)
  - Trains employees to recognize social engineering and phishing attacks.
- Software Testing
  - Conduct tests before deploying to production.
  - Tests verify code functionality and the absence of security flaws.
  - Use peer review processes to validate code.
  - Assess interactions via API testing, UI testing, and physical interface testing.
Code review can be formal or informal, but it's essential before deployment.
Software Testing
Types of Software Tests
6.1 Static vs. Dynamic Testing
- Static: Evaluates software without running it. Analyzes the source code or compiled application.
- Dynamic: Evaluates software in a runtime environment. Often the only option for organizations deploying applications written by another party whose code is proprietary.
[Success Callout] It's beneficial to run software in a dynamic (runtime) environment even if you have the code, to verify its functionality, scalability, and security.
6.2 Fuzzing
- Feeds modified or malformed inputs to the software and observes its response.
- Can detect vulnerabilities such as SQL injection.
- Mutation fuzzing alters existing valid inputs; generational fuzzing builds inputs from a model of the expected input format for the same task.
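As an added example (not from the original notes), the two fuzzing approaches just described, run against a constructed toy parser with a planted missing bounds check: the mutation fuzzer perturbs one valid sample, while the generational fuzzer builds inputs from a model of the expected "key=value;..." format, so it explores value lengths the short sample never reaches.

```python
import random

def parse_record(data: bytes) -> dict:
    """Constructed target: parses 'key=value;key=value' into a dict."""
    out = {}
    for field in filter(None, data.split(b";")):
        key, _, value = field.partition(b"=")
        buf = [0] * 16                      # fixed-size buffer for the value
        for i, b in enumerate(value):
            buf[i] = b                      # planted defect: no bounds check, >16 bytes raises IndexError
        out[key.decode("latin-1")] = bytes(buf[:len(value)])
    return out

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: randomly flip a bit in, or insert a byte into, a valid sample."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        if rng.random() < 0.5 and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        else:
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
    return bytes(data)

def generate(rng: random.Random) -> bytes:
    """Generational fuzzing: build inputs from a model of the expected format (field count, keys, value lengths)."""
    fields = []
    for _ in range(rng.randint(1, 4)):
        key = bytes(rng.choice(b"abcXYZ") for _ in range(rng.randint(1, 6)))
        value = bytes(rng.randrange(256) for _ in range(rng.randint(0, 40)))
        fields.append(key + b"=" + value)
    return b";".join(fields)

def fuzz(target, inputs):
    """Run each input against the target; every unhandled exception is recorded as a finding."""
    crashes = []
    for data in inputs:
        try:
            target(data)
        except Exception as exc:
            crashes.append((type(exc).__name__, data))
    return crashes

def run_campaign(iterations: int = 200, seed: int = 1) -> dict:
    rng = random.Random(seed)               # fixed seed keeps the campaign reproducible
    sample = b"user=alice;role=admin"        # constructed valid seed input
    mutated = [mutate(sample, rng) for _ in range(iterations)]
    generated = [generate(rng) for _ in range(iterations)]
    return {"mutation": len(fuzz(parse_record, mutated)),
            "generational": len(fuzz(parse_record, generated))}
```

`run_campaign()` returns how many crashing inputs each strategy found; the generational count is far higher here because its format model varies value length, which is exactly where the planted defect lives.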
7. Security Management Oversight
- Conduct log reviews, especially for admin activities.
- Review account management practices.
- Ensure backups function correctly.
[Danger Callout] Backup verification is the most critical element.
8. Key Performance & Risk Indicators
Provide insights into the security program's effectiveness. Controls may not remain effective indefinitely.
9. Internal and External Audits
9.1 Security Audits
- Performed by third parties.
- Assess the security controls of an organization's assets.
9.2 Internal Audits
- Conducted by internal staff.
- Intended for management use.
[Information Callout] For the exam, assume "audit" refers to a 3rd-party audit unless stated otherwise.