Conduct Security Control Testing - Part 1

Conducting security control testing is one of the most important topics in the CISSP course. This part of the tutorial covers the main aspects of control testing. Security control testing employs various tools and techniques, including vulnerability assessments, penetration testing, synthetic transactions, interface testing, and more, and it can cover the physical facility, logical systems, and applications.

Here are the common testing methods:

Vulnerability Assessment

A vulnerability assessment is performed to identify, evaluate, quantify, and prioritize security weaknesses in an application or system. Its purpose is to find the elements of an environment that are not effectively protected.

These assessments can include personnel testing, physical testing, system and network testing, and testing of other facilities. A vulnerability in an IT system is a flaw (a coding error, a misconfiguration, or a missing control) that could allow a security violation to occur. The assessment identifies the flaw; it does not normally attempt to exploit it.

There are three general types of vulnerability assessment, in increasing order of depth:

  • Port scan: A port scan uses a tool that communicates over the network with one or more target systems on a range of TCP and UDP ports to learn which ports are open, which are closed, and (from the responses) which services are listening.
  • Vulnerability scan: Network-based vulnerability scanning tools send specially crafted messages to running programs to determine whether those programs contain known, exploitable vulnerabilities. The tools attempt to identify the product and version of each listening program, typically from its banner or response behaviour, and compare that against a database of known vulnerabilities for that version. They also probe systems on the network to identify any utilities, programs, or tools that may be configured to communicate over the network. Examples of network-based vulnerability scanners include Tenable Nessus and Rapid7 Nexpose/InsightVM. Examples of host-based scanners include Microsoft Baseline Security Analyzer (MBSA) and Flexera PSI. Examples of application scanners include IBM AppScan, HP WebInspect, and Acunetix. Because matching relies on version strings, a scanner can report false positives (a patched build that kept its version number) and false negatives (a vulnerable build with an unrecognized banner), so findings should be verified.
  • Penetration test: The most intensive form of assessment. It is discussed in detail in the next section of this article.
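The relationship between the first two assessment types is easiest to see in code. The following added example (not from the original page or any named product) performs a TCP connect port scan, grabs the banner from each open port, and matches the product/version it finds against a small constructed vulnerability database. It starts throwaway listeners on 127.0.0.1 so it runs offline; the product names, version strings, and advisory labels in `VULN_DB` are hypothetical placeholders, not real software or CVE identifiers.

```python
import re
import socket
import threading

# Constructed "known vulnerabilities" database: product -> [(affected version regex, label)].
# Products and labels are hypothetical; they are not real software or advisory IDs.
VULN_DB = {
    "ExampleFTPd": [(r"^1\.0\.", "EXAMPLE-FTP-001: anonymous write enabled")],
    "ExampleHTTPd": [(r"^2\.[0-3]\.", "EXAMPLE-HTTP-002: path traversal in static handler")],
}

BANNER_RE = re.compile(r"([A-Za-z]+)/(\d+(?:\.\d+)*)")


def start_fake_service(banner: bytes) -> int:
    """Start a throwaway TCP listener on 127.0.0.1 that sends `banner` and closes.
    Stands in for a real network service so the scan can run offline. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client closed early (e.g. a bare port scan); keep serving

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port() -> int:
    """Bind and release an ephemeral port so the scan has a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def port_scan(host: str, ports, timeout: float = 0.3):
    """TCP connect scan: a completed three-way handshake means the port is open."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 0.5) -> str:
    """Connect and read whatever the service volunteers first."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def match_vulns(banner: str):
    """Pull every Product/Version token out of the banner and look each up in VULN_DB.
    Version matching is only as good as the banner, hence the false-positive/negative caveat."""
    hits = []
    for product, version in BANNER_RE.findall(banner):
        for pattern, label in VULN_DB.get(product, []):
            if re.match(pattern, version):
                hits.append(label)
    return hits


def scan_and_assess(host: str, ports):
    """Port scan, then banner-grab and version-match each open port."""
    findings = {}
    for port in port_scan(host, ports):
        banner = grab_banner(host, port)
        findings[port] = {"banner": banner, "vulns": match_vulns(banner)}
    return findings


if __name__ == "__main__":
    ftp = start_fake_service(b"220 ExampleFTPd/1.0.3 ready\r\n")
    web = start_fake_service(b"HTTP/1.1 400 Bad Request\r\nServer: ExampleHTTPd/2.2.1\r\n\r\n")
    for port, info in scan_and_assess("127.0.0.1", [ftp, web, find_closed_port()]).items():
        print(port, info)
```

The scan confirms which ports are open; only the banner step turns that into a version, and only the database lookup turns a version into a finding. A penetration test would go one step further and actually attempt the traversal or anonymous write rather than inferring it from the version string.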

Penetration Testing

Penetration testing is the most rigorous form of vulnerability assessment. Where a vulnerability scan stops at reporting that a weakness probably exists, a penetration test attempts to exploit it, whether the weakness is a published vulnerability or one the tester discovers in the target. In other words, an organization commissions a penetration test of a target system or environment when it wants to simulate an actual attack against itself and learn what an attacker could really achieve.

Penetration testing consists of the following five steps:

  1. Discovery: Footprinting and gathering information about the target.
  2. Enumeration: Performing port scans and other resource identification methods.
  3. Vulnerability mapping: Identifying vulnerabilities in the systems and resources found.
  4. Exploitation: Attempting to gain unauthorized access by exploiting those vulnerabilities.
  5. Report to management: Delivering documentation of the findings, along with suggested countermeasures, to management.

Attack techniques can include spoofing, bypassing authentication, and more.

Penetration tests can assess web servers, file servers, DNS servers, router configurations, open ports, workstation vulnerabilities, access to sensitive information, remote dial-in access, and the properties of available services.

Penetration testing includes three domains:

  • Network penetration testing
  • Application penetration testing
  • Physical penetration testing

Network Penetration Testing

This test of systems and network devices generally begins with a port scan and/or a vulnerability scan, then uses automated and manual techniques to identify and confirm vulnerabilities.

When performing a penetration test, the pen tester (the person performing the test) will often take screenshots showing the exploited system or device. Why? Because system and device owners frequently do not believe that their environments contain exploitable vulnerabilities, so the tester needs evidence to support the claim.

Pen testers also include the details needed to reproduce each exploit in their reports. This helps system and network engineers see exactly what the vulnerability allows, and lets them confirm that a fix actually closes it.

In addition to the above, several other techniques fall under network penetration testing:

  • Eavesdropping: An eavesdropper takes advantage of one or more people who are talking or using a computer while paying little attention to whether someone else is listening to the conversation or watching the screen (shoulder surfing).
  • War dialing: Sequentially dialing every phone number in a range to discover active modems, then attempting to connect to the modems found.
  • War driving: Driving around a densely populated area with a laptop, looking for unprotected or poorly protected wireless access points.
  • Packet sniffing: A packet sniffer captures the TCP/IP packets that reach a network interface. A NIC operating in promiscuous mode accepts all frames it sees, not just those addressed to the host, and passes them to the operating system. On a hub or other shared medium that means every station can see every packet; on switched Ethernet a sniffer normally sees only its own traffic and broadcasts unless it is connected to a mirror (SPAN) port or uses an attack such as ARP spoofing to redirect traffic. Cleartext protocols (FTP, Telnet, HTTP) expose credentials and data to anyone in that position.
  • Radiation monitoring: Computers and network devices emit electromagnetic radiation as a side effect of operating. Radiation monitoring (often discussed under the name TEMPEST) is similar to packet sniffing and war driving in that someone uses specialized equipment to recover what is being displayed on monitors, transmitted on LANs, or processed in systems from those emanations.
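What a sniffer actually does once it has a frame is decode the protocol layers and look for interesting content. The following added example (not code from the original page) parses an Ethernet/IPv4/TCP frame with the standard library and scans a small constructed "capture" for cleartext FTP credentials. The frames are built by a helper in the block rather than read from a real NIC, so no promiscuous-mode access is required; the MAC and IP addresses and the credentials are made up for the sample.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> Packet:
    """Decode Ethernet II -> IPv4 -> TCP/UDP headers and return the layer-4 payload.
    Non-IPv4 frames are rejected; options are honoured via IHL and TCP data offset."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", frame[14:34]
    )
    ihl = (ver_ihl & 0x0F) * 4
    l4 = frame[14 + ihl: 14 + total_len]
    sport = dport = None
    payload = l4
    if proto == PROTO_TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        payload = l4[(off_flags >> 12) * 4:]
    elif proto == PROTO_UDP:
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        payload = l4[8:]
    return Packet(_mac(src), _mac(dst), _ip(sip), _ip(dip), proto, sport, dport, payload)


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Construct a sample Ethernet/IPv4/TCP frame. Checksums are left zero; a real
    capture would carry valid ones. Used only to fabricate the offline sample capture."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
        bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")),
    )
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ipv4 + tcp


def find_cleartext_credentials(frames: List[bytes]):
    """Flag FTP USER/PASS commands: exactly what an attacker on a shared segment harvests."""
    creds = []
    for raw in frames:
        p = parse_frame(raw)
        if p.proto == PROTO_TCP and p.dst_port == 21:
            for line in p.payload.decode("ascii", errors="replace").splitlines():
                if line.upper().startswith(("USER ", "PASS ")):
                    creds.append((p.src_ip, p.dst_ip, line))
    return creds


# Constructed sample capture (fictional addresses and credentials).
CLIENT_MAC, SERVER_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_CAPTURE = [
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40000, 21, b"USER alice\r\n"),
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40000, 21, b"PASS hunter2\r\n"),
    # TLS traffic on 443 is opaque to the sniffer; it is parsed but yields nothing useful.
    build_tcp_frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40001, 443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for src, dst, line in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}: {line}")
```

The contrast between the FTP frames and the TLS frame is the practical lesson: the sniffer sees all three, but only the cleartext protocol hands over anything an attacker can use directly.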

Application Penetration Testing

An application penetration test is used to identify vulnerabilities in a software application. The best application pen testers are often former software developers or software engineers, because finding flaws such as injection or broken authentication requires understanding how the code was likely written.

Physical Penetration Testing

Physical penetration tests are performed against the controls protecting the premises, to see whether an intruder can bypass security controls such as keycard-controlled entrances.

Pen testers will sometimes employ social engineering techniques to gain unauthorized access to sensitive areas such as file storage rooms.

Organizations in highly competitive environments also need to be concerned about where their trash and recycled paper goes: discarded documents and media can be retrieved by an attacker (dumpster diving), so a physical test may include checking what is recoverable from the bins.

Social engineering is any testing technique that tricks individuals into performing an action or providing information they should not.

For example, an attacker pretending to be a support technician calls an employee and asks for his or her password. The employee, believing the caller is a legitimate technician, hands it over.

Some of the ruses used in social engineering tests include the following:

  • Phishing messages: Email messages purporting to be something they are not, in an attempt to lure someone into opening a file or clicking a link. The sender name, the sending domain, and the visible link text are typically dressed up to resemble the real organization.
  • Telephone calls: The attacker phones an employee and introduces himself as network support, then "helps" the employee reset his password and, of course, learns the new password in the process. The attacker can now use that employee's account to infiltrate the network.
  • Tailgating: Attempting to enter a restricted work area by following legitimate personnel through a controlled doorway. The tester may carry boxes in the hope that an employee will hold the door, or pose as a delivery or equipment repair person. Guards and staff have to be careful about admitting such people, and a test of this kind measures whether they are.
