Summary

Introduction

Security assessment and testing programs provide a mechanism for validating the ongoing effectiveness of security controls. It's crucial for organizations to have a security assessment and testing program defined and operational.

Remember: We are not expected to know everything. It's reasonable to consult with an expert when needed.


Exam Outline

  1. Design and Validate assessment, test, and audit strategies
  2. Conduct security control testing
  3. Collect security process data (technical and administrative)
  4. Analyze test output and generate report
  5. Conduct or facilitate security audits

Though it's a short domain by numbers, there's a high expectation of what we must know and perform.


Assessment and Testing

Security Assessment Under NIST 800-53A:

Security assessments as per NIST 800-53A encompass four integral components:

  1. 📜 Specifications: These are the documents related to the system under review.

  2. 🚶‍♂️ Activities: These are the tasks performed by personnel within an information system.

  3. 🔒 Mechanisms: Controls used within an information system to meet the specifications.

  4. 👥 Individuals: These are the key players responsible for enacting specifications, mechanisms, and activities.

Individuals are not just users; they also play a big role in implementing security specifications and mechanisms.

Vulnerability Assessment vs. Penetration Tests

  • Vulnerability Assessments:
    • Use automated tools.
    • Search for known vulnerabilities in applications and networks.

Vulnerabilities can stem from missing patches, incorrect configurations, or faulty code.

  • Penetration Tests:
    • Use tools and attack techniques.
    • Attempt to exploit vulnerabilities and access systems.

When scoping a penetration test, it's common to quote the client for both a vulnerability assessment and a penetration test.

Penetration Test Strategies

  • War Dialing
  • Sniffing
  • Eavesdropping
  • Dumpster Diving
  • Social Engineering

Human-involved tests might be costly but are more thorough.

Remember: every organization should have a security assessment and testing program defined.


Security Process Data

  • Employment Policies and Practices
    • Define/write and communicate termination processes.
    • Implement regular background checks.
      • Health records are not typically part of a background check.
  • Roles and Responsibilities
    • Management sets and communicates the policies.
  • Security Awareness Training (SAT)
    • Trains employees against social engineering and phishing attacks.
  • Software Testing
    • Conduct tests before deploying to production.
    • Tests verify code functionality and absence of security flaws.
    • Use peer review processes to validate code.
    • Assess interactions via API testing, UI testing, and physical interface testing.

Code review can be formal or informal, but it's essential before deployment.

Security Management Oversight

  • Conduct log reviews, especially for admin activities.
  • Review account management practices.
    • Tools can make this workflow more efficient, but account changes should still be reviewed manually.
  • Ensure backups function correctly.
  • Key Performance and Log Indicators
    • Provide insights into the security program's effectiveness. Controls may not remain effective indefinitely.

Backup verification is the most critical element.

Types of Software Tests

Static vs. Dynamic Testing

  • Static: Evaluates software without running it. Analyzes the source code or compiled application.
  • Dynamic: Evaluates software in a runtime environment. Often the only option for organizations deploying applications written by another party when the code is proprietary.

Even when you have the source code, you can still run the software in a dynamic environment to verify its functionality, scalability, and security.

Fuzzing

  • Modifies inputs to test software response.
  • Can detect vulnerabilities like SQL injections.
  • Generational fuzzing builds test inputs from a model of the input the software expects, rather than modifying existing inputs.
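As an added example (not from the original notes), the two fuzzing styles run against a small constructed record parser with two planted defects; the record format, the parser and the type table are all assumptions made for this illustration:

```python
"""Mutation vs. generational fuzzing against a constructed record parser.

Assumed format: one length byte N, N payload bytes, one XOR checksum byte.
"""

INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)      # classic boundary bytes
RECORD_TYPES = {0x41: "alert", 0x48: "heartbeat"}  # first payload byte: 'A' / 'H'


def checksum(payload: bytes) -> int:
    c = 0
    for b in payload:
        c ^= b
    return c


def parse_record(data: bytes) -> str:
    """Target under test with two planted defects (hypothetical code)."""
    if not data:
        raise ValueError("empty record")          # intended rejection
    n = data[0]
    payload = data[1:1 + n]
    if data[1 + n] != checksum(payload):          # defect 1: length never bounds-checked
        raise ValueError("bad checksum")          # intended rejection
    return RECORD_TYPES[payload[0]]               # defect 2: unknown type is not rejected


def build_record(payload: bytes) -> bytes:
    return bytes([len(payload)]) + payload + bytes([checksum(payload)])


SEED = build_record(b"Hxyz")                      # known-good "heartbeat" record


def run_case(data: bytes, findings: dict) -> None:
    """Oracle: anything other than the parser's intended ValueError is a finding."""
    try:
        parse_record(data)
    except ValueError:
        pass
    except Exception as exc:                      # crash-style failure, keep first input
        findings.setdefault(type(exc).__name__, data)


def mutation_fuzz(seed: bytes) -> dict:
    """Modifies a valid input byte by byte; only reaches the shallow defect."""
    findings = {}
    for i in range(len(seed)):
        for v in INTERESTING:
            run_case(seed[:i] + bytes([v]) + seed[i + 1:], findings)
    return findings


def generational_fuzz() -> dict:
    """Builds inputs from the format model, so the checksum is always valid."""
    findings = {}
    for n in (0, 1, 8, 255):
        for fill in INTERESTING:
            run_case(build_record(bytes([fill]) * n), findings)
    return findings
```

Mutating any payload byte breaks the checksum, so mutation finds only the missing bounds check, while the generational inputs pass validation and reach the unknown-type defect.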

Interface Testing

While interfaces allow integration of complex systems in the digital world, they might also pose security risks. Interface testing confirms that security standards are met. Interface testing:

  • Evaluates how different software modules, developed by multiple teams, interact based on well-defined interfaces
    • Examples include Web Browsers, 
  • Ensures that modules will function cohesively when development efforts are completed.

Types of Interfaces:

  • Application Programming Interfaces (APIs)
    • Description: Standardized interaction between code modules. Can be exposed externally via web services. Need to validate that all security requirements are upheld.
    • Key points: code module interaction; external exposure via web services; security validation.
  • User Interfaces (UIs)
    • Description: Examples are graphical user interfaces (GUIs) and command-line interfaces. Allow end users to communicate with the software. Must ensure all UIs function as intended.
    • Key points: GUIs and command-line interfaces; end user communication; functionality verification.
  • Physical Interfaces
    • Description: Found in applications that control physical machinery or logic controllers. Require meticulous testing due to the potential consequences of failures.
    • Key points: controls physical machinery; meticulous testing; consequence awareness.

Website Monitoring

  • Passive
    • Description: Analyzes genuine network traffic. Provides insights into actual network activities. Uses Real User Monitoring (RUM) to track user interactions.
    • Use case: When there's a need to troubleshoot real-world issues reported by users, or to capture specific traffic for reported issues.
  • Synthetic (Active)
    • Description: Executes artificial transactions on a website. Gauges performance through requests.
    • Use case: To proactively identify potential issues before they occur, or when performance benchmarks or thresholds need to be tested.