In today’s world, rigorous security is not a luxury but an absolute necessity. With the advent of technology, businesses have been setting up online infrastructures and, in doing so, have introduced more targets for the hacking community. Therefore, it is the need of the hour for network security experts to perform adequate security assessment and testing.
CISSP (certified information systems security professional) certification is one of the leading information security certifications in the world and it has security assessment and testing as an integral part of its CBK. The objectives of the article include talking about the concepts of security assessment and testing CISSP aspirants should know about, along with high-level overviews of the strategies, testing methods, and operational controls that a security enforcer should know about.
WHAT IS SECURITY ASSESSMENT AND TESTING?
As the name suggests, security assessment is the process of analyzing the security standards of a system. During the process, we scrutinize the system for any possible vulnerabilities, risks, or threats. Most of the time, assessing and testing the security involves the following steps:
One example of a security test can be the Open web application security project (OWASP), which can be used to test a system against some of the most common threats posed to systems hosted online. More information and the complete testing guide can be found here.
Security Assessment and CISSP
There are many certifications that require an aspirant to be substantially well-versed with the security assessment and testing techniques and/or standards; the CISSP certification is no different. (ISC)2’s motto, “Inspiring a safe and secure cyber world” would not be justified if they didn’t pay enough attention to the need for sophisticated security testing acumen.
Security Assessment and Testing is the fifth domain of the CISSP CBK that looks like this:
In order to be adequately prepared for the fifth domain of the CISSP exam, an aspirant needs to:
Understand the different international legal issues.
Understand various investigative techniques.
Understand, and be able to practically implement, forensic procedures.
Understand the threats and vulnerabilities that could be present in a generic system.
Be well-versed in managing third-party governance.
Out of the many threats that need to be catered for, here are a few of the most common ones:
The elevation of privilege attack:
In a privilege elevation attack, a hacker does exactly what the name of the attack suggests: Elevates their privileges on a system, from, say, “User” to “Administrator.” This can be avoided by implementation of periodically updated ACLs (access control lists).
URL manipulation is one of the easiest ways to hack a system and, even though most of the systems these days are prone to such attacks, there are some vulnerable infrastructures that can be accessed via manipulation of the URL. To avoid this, network engineers need to implement rigorous authentication and/or authorization techniques.
Denial of service:
A denial of service (DOS) attack makes a machine or any other resource of a system unavailable to the authorized administrative staff. These are really sophisticated attacks and adequate care needs to be taken to prevent these from happening. More information can be read here.
Spoofing of identity:
In such an attack, a hacker impersonates a legitimate user of a system to gain access to important resources on a system.
These were only some of the renowned attacks; a more concrete list can be found here.
SECURITY TESTING TECHNIQUES
We can’t enforce absolute security on a system but, if adequate security assessment tests are run, they can go a long way toward ensuring that the system is free of the most rudimentary vulnerabilities that can be present in network architecture. Some of the techniques are:
Not all the hackers in the world are despicable; the white-hat or ethical hackers are people with exemplary hacking knowledge who use their prowess to detect possible flaws in a system. An ethical hacker tries to bypass the security of a system using the most sophisticated techniques and tools, but only to find the possible vulnerabilities in a system.
Penetration testing is another technique by which a tool (or an expert) tries to penetrate the system through the network to find out possible points of attack. More on the matter here.
Load testing of a system should also be performed before making it live. In such a process, a system is tested with the maximum (expected) load and its performance is judged. An example can be sending multiple thousand requests to a server simultaneously to check its efficiency.
This detailed OWASP guide on security testing can be consulted for further information on the matter.
In order to prepare for security testing, the following approach can be taken:
The study of the security architecture should be the first step. In this step, the business requirements, objectives and security goals need to be understood in terms of the firm’s security compliance.
The security architecture needs to be analyzed.
Once analyzed, we need to classify the security testing. This step includes collecting the system setup data that was used to develop software and network entities (e.g., hardware, technology, and operating systems etc.). Pen down the security risks and vulnerabilities found.
A threat profile now needs to be created to model the threats.
Once the threat has been identified and the vulnerabilities found, carry out the preparation of the test plan to cater for the issues and/or threats.
A traceability matrix needs to be created for every threat, vulnerability, and security risk.
At this stage, if you require a tool to carry out the testing (tools are mentioned in the following section), choose it wisely and use it to test.
Prepare the case document for the security tests.
Execute the test cases.
Prepare a detailed report indicating the types of threats, vulnerabilities, and risks found, along with details of how they were dealt with.
TOOLS TO USE
The most exquisite security testing tools are:
The Browser Exploitation Framework is an engine that uses a browser to infiltrate a system. It will run on Linux, Apple MAC OS X and Windows operating systems. More information can be found here.
An open source vulnerability scanner, brakeman is designed specifically for Ruby on Rails applications. It will help a developer analyze code to find security issues. Visit the website to get more information.
Nikto is a web server scanner that can help detect incorrect data and obsolete software configurations (among other things) that are running or present on a server. It can be used to perform comprehensive tests on servers. Visit the official website for more information.
An open-source, OS-independent web-app security (analysis and testing) suite, Oedipus can be used to parse various kinds of logs (off-line) to identify security vulnerabilities and risks. Find more information here.
Paros is a HTTP/HTTPS proxy written in Java that can be used to find potential vulnerabilities in a web application. The scanners can intercept (and modify) all the data between server and clients, including cookies and form fields.
These are only some of the most recommended testing tools, a complete list of testers and analyzers can be found here.
CISSP Instant Pricing- Resources
Making a system secure and completely devoid of the most common vulnerabilities is no longer something that can be given secondary importance in the online world of today. Most of the security analyzing tools are open source and thus should be used rigorously to find out and eliminate the vulnerabilities and risks present in a system.