
Summary

Introduction

Security assessment and testing programs provide a mechanism for validating the ongoing effectiveness of security controls. It's crucial for organizations to have a security assessment and testing program defined and operational.

Remember: We are not expected to know everything. It's reasonable to consult with an expert when needed.


Exam Outline

  1. Design and Validate assessment, test, and audit strategies
  2. Conduct security control testing
  3. Collect security process data (technical and administrative)
  4. Analyze test output and generate report
  5. Conduct or facilitate security audits

Though it's a short domain by numbers, there's a high expectation of what we must know and perform.


Assessment and Testing

Security Assessment Under NIST 800-53A:

Security assessments as per NIST 800-53A encompass four integral components:

  1. 📜 Specifications: These are the documents related to the system under review.

  2. 🚶‍♂️ Activities: These are the tasks performed by personnel within an information system.

  3. 🔒 Mechanisms: Controls used within an information system to meet the specifications.

  4. 👥 Individuals: These are the key players responsible for enacting specifications, mechanisms, and activities.

Individuals are not just users; they also play a big role in implementing security specifications and mechanisms.

Vulnerability Assessment vs. Penetration Tests

  • Vulnerability Assessments:
    • Use automated tools.
    • Search for known vulnerabilities in applications and networks.

Vulnerabilities can stem from missing patches, misconfigurations, or faulty code.

  • Penetration Tests:
    • Use tools and attack techniques.
    • Attempt to exploit vulnerabilities and access systems.

When scoping penetration tests, it's common to quote clients for both a vulnerability assessment and a penetration test.

Penetration Test Strategies

  • War Dialing
  • Sniffing
  • Eavesdropping
  • Dumpster Diving
  • Social Engineering

Human-involved tests might be costly but are more thorough.

Remember: every organization should have a security assessment and testing program defined.


Security Process Data

  • Employment Policies and Practices
    • Define/write and communicate termination processes.
    • Implement regular background checks.
  • Roles and Responsibilities
    • Management sets and communicates the policies.
  • Security Awareness Training (SAT)
    • Trains employees against social engineering and phishing attacks.
  • Software Testing
    • Conduct tests before deploying to production.
    • Tests verify code functionality and absence of security flaws.
    • Use peer review processes to validate code.
    • Assess interactions via API testing, UI testing, and physical interface testing.

Code review can be formal or informal, but it's essential before deployment.

Software Testing


Types of Software Tests


Static vs. Dynamic Testing

  • Static: Evaluates software without running it. Analyzes the source code or compiled application.
  • Dynamic: Evaluates software in a runtime environment. Often the only option for organizations deploying applications written by another party where the code is proprietary.

Even when you have the source code, you can still run the software in a dynamic environment to verify its functionality, scalability, and security.

Fuzzing

  • Modifies inputs to test software response.
  • Can detect vulnerabilities like SQL injections.
  • Generational fuzzing creates test inputs based on the input format the software expects, rather than only altering existing inputs.
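As an added example (not part of these notes), a small Python harness that contrasts the two fuzzing styles just listed: mutation fuzzing alters a known-good input, while generational fuzzing builds inputs from a model of the format the program expects. The target parser, its `name=value;...` format and the seed input are all constructed for the example; the harness counts as a finding any exception other than the parser's own documented `ParseError`, which is the distinction a real fuzzing run has to make.

```python
import random
from collections import Counter
class ParseError(Exception): pass   # the rejection the parser is supposed to raise on bad input

def parse_record(data: bytes) -> dict:
    """Constructed target for b'name=value;...'; its error handling is incomplete on purpose."""
    if not data:
        raise ParseError("empty record")
    fields = {}
    for item in data.split(b";"):
        name, value = item.split(b"=", 1)      # ValueError when '=' is missing
        fields[name.decode("ascii")] = value   # UnicodeDecodeError on a non-ASCII name
    return fields

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: randomly alter a known-good, non-empty input."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0:    # flip one bit
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1:  # insert one random byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:          # truncate
        del data[rng.randrange(len(data)):]
    return bytes(data)

def generate(rng: random.Random) -> bytes:
    """Generational fuzzing: build cases from a model of the expected format, edges included."""
    fields = []
    for _ in range(rng.randrange(4)):
        name = bytes(rng.choice(b"abcXYZ\xc3\xff") for _ in range(rng.randrange(3)))
        value = bytes(rng.choice(b"0123456789;=") for _ in range(rng.randrange(4)))
        fields.append(name + (b"=" if rng.random() < 0.8 else b"") + value)
    return b";".join(fields)

def fuzz(target, cases) -> Counter:
    findings = Counter()
    for case in cases:
        try:
            target(case)
        except Exception as exc:
            if not isinstance(exc, ParseError):     # documented rejection is not a bug
                findings[type(exc).__name__] += 1   # anything else: parser lost control of input
    return findings

def run(seed_input=b"user=alice;role=admin", iterations=500, seed=1):
    rng = random.Random(seed)   # fixed seed so a finding can be reproduced
    mutation = fuzz(parse_record, (mutate(seed_input, rng) for _ in range(iterations)))
    generational = fuzz(parse_record, (generate(rng) for _ in range(iterations)))
    return mutation, generational
```

`run()` returns two counters of unexpected exception types, one per fuzzing style; each entry is a robustness bug that a triage step would turn into a test case and a fix.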

Security Management Oversight

  • Conduct log reviews, especially for admin activities.
  • Review account management practices.
    • There are some tools that can help make this workflow more efficient, but it should still be manually reviewed.
  • Ensure backups function correctly.
  • Key Performance and Log Indicators
    • Provide insights into the security program's effectiveness. Controls may not remain effective indefinitely.

Backup verification is the most critical element.