Security Assessment and Testing


Last updated 1 year ago

  • Security Testing

    • Verify that controls are working properly

      • Includes

        • Automated scans

        • Tool-assisted penetration tests

        • Manual attempts to undermine security

      • Factors to consider

        • Availability of security testing resources

        • Criticality of systems and applications protected by the security controls

        • Sensitivity of information

        • Likelihood of technical failure

        • Likelihood of misconfiguration

        • Risk of coming under attack

        • Rate of change of the control configuration

        • Difficulty and time required to perform a control test

        • Impact of the test on normal business operations

  • Security Assessments

    • Comprehensive reviews of the security of a system, application or other environment

    • Performs a risk assessment that identifies vulnerabilities in the environment that may allow a compromise and makes recommendations for remediation

    • Reviews the threat environment, current and future risks and the value of the targeted environment

    • Produces an assessment report addressed

    • Meant for internal use only; designed to evaluate controls and find improvements

    • Conducted by an internal team or outsourced to a third-party assessment team

  • Security Audits

    • Use the same techniques as assessments, but must be performed by independent auditors

    • Meant to demonstrate to a third party how effective the controls are

    • Three main types

      • Internal

      • External

      • Third-party

  • Internal Audits

    • Performed by an organization's internal audit staff and meant for internal audiences

  • External Audits

    • Performed by an outside auditing firm

    • Examples of auditing firms (the "Big Four")

      • Ernst & Young

      • Deloitte & Touche

      • PricewaterhouseCoopers

      • KPMG

  • Third-Party Audits

    • Conducted by, or on behalf of, another organization (for example a regulator, or a customer auditing its vendors)

  • Auditing Standards

    • Standards provide the description of control objectives that should be met

    • Examples

      • COBIT (Control Objectives for Information and Related Technologies) - describes the common requirements that organizations should have in place surrounding their information systems

      • ISO 27001 - standard approach for setting up an information security management system (ISMS)

      • ISO 27002 - goes into the specifics of the individual information security controls

Performing Vulnerability Assessments

  • Describing Vulnerabilities

    • NIST's Security Content Automation Protocol (SCAP) bundles a set of standards so that tools can describe and exchange vulnerability and configuration data consistently:

    • CVE (Common Vulnerabilities and Exposures) - provides a naming system for describing security vulnerabilities

    • CVSS (Common Vulnerability Scoring System) - provides a standardized scoring system for describing the severity of security vulnerabilities

    • CCE (Common Configuration Enumeration) - provides a naming system for system configuration issues

    • CPE (Common Platform Enumeration) - provides a naming system for operating systems, applications and devices

    • XCCDF (Extensible Configuration Checklist Description Format) - provides a language for specifying security checklists

    • OVAL (Open Vulnerability and Assessment Language) - provides a language for describing security testing procedures

  • Vulnerability Management Workflow

    • Steps

      • Detection - initial identification of a vulnerability

      • Validation - administrators confirm that the vulnerability is real and not a false positive report

      • Remediation - validated vulnerabilities then should be remediated

Software Testing

  • Code Review

    • The foundation of software assessment programs

    • Steps of a formal code review (the Fagan inspection process)

      1. Planning

      2. Overview

      3. Preparation

      4. Inspection

      5. Rework

      6. Follow-up

  • Static Testing

    • Evaluates the security of software without running it by analyzing either the source code or the compiled application

  • Dynamic Testing

    • Evaluates the security of software in a runtime environment

    • Often the only option for organizations deploying applications written by someone else

  • Fuzz Testing

    • Specialized dynamic testing technique that provides many different types of input to software to stress its limits and find new flaws

    • Types

      • Mutation (dumb) fuzzing - takes previous input values from actual operation of the software and manipulates them to create fuzzed input, with no knowledge of the input format

      • Generational (intelligent) fuzzing - develops data models of the input the program expects and generates new fuzzed input from an understanding of the types of data used by the program
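
To make the mutation-versus-generational distinction concrete, here is an added example that is not part of the original notes: a toy record parser with two planted bugs, a mutation fuzzer that only knows one captured valid input, and a generational fuzzer that knows the format. The parser, its format, the planted bugs, the seed input and all function names are constructed for this example.

```python
"""Mutation vs generational fuzzing of a toy record parser (added example).
The parser, its format and its two planted bugs are constructed for this page."""
import random


def build_record(version, payload):
    """Encode the toy format: magic 'RC', version u8, length u16 (big-endian),
    payload, then a one-byte checksum (sum of payload bytes mod 256)."""
    return (b"RC" + bytes([version]) + len(payload).to_bytes(2, "big")
            + payload + bytes([sum(payload) % 256]))


def parse_record(data):
    """Target under test. Malformed input should raise ValueError; any other
    exception is a crash the fuzzer reports. Two bugs are planted below."""
    if len(data) < 6 or data[:2] != b"RC":
        raise ValueError("bad header")
    version = data[2]
    if version != 1:
        raise ValueError("unsupported version")
    length = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    checksum = data[5 + length]      # bug 1: IndexError when the checksum byte is missing
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    mean = sum(payload) // length    # bug 2: ZeroDivisionError for a zero-length payload
    return {"version": version, "length": length, "mean": mean}


# A record "captured from normal operation", used as the mutation seed (constructed).
SEED_INPUT = build_record(1, b"hello world")


def mutation_inputs(count, seed=0):
    """Mutation fuzzing: start from the captured input and apply random bit flips,
    byte insertions, deletions and truncation. Knows nothing about the format."""
    rng = random.Random(seed)
    for _ in range(count):
        data = bytearray(SEED_INPUT)
        for _ in range(rng.randint(1, 4)):
            if not data:
                break
            op = rng.choice(("flip", "insert", "delete", "truncate"))
            if op == "flip":
                data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
            elif op == "insert":
                data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
            elif op == "delete":
                del data[rng.randrange(len(data))]
            else:
                del data[rng.randrange(len(data)):]
        yield bytes(data)


def generational_inputs():
    """Generational fuzzing: build inputs from a model of the format, walking boundary
    values for each field and deliberately breaking one invariant at a time."""
    for version in (0, 1, 2, 255):
        for length in (0, 1, 255, 256):
            payload = bytes(i % 256 for i in range(length))
            record = build_record(version, payload)
            yield record                                                    # well-formed
            yield record[:-1]                                               # checksum byte missing
            yield record[:3] + (length + 1).to_bytes(2, "big") + record[5:]  # length field lies


def run_fuzzer(inputs):
    """Feed inputs to the target. ValueError is the expected rejection; anything else
    is a crash, recorded once per exception type with the input that triggered it."""
    crashes = {}
    for sample in inputs:
        try:
            parse_record(sample)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


if __name__ == "__main__":
    print("mutation:    ", sorted(run_fuzzer(mutation_inputs(500))))
    print("generational:", sorted(run_fuzzer(generational_inputs())))
```

The generational run reaches both planted bugs deterministically in 48 inputs because its model knows the length field exists and tries 0 for it; the mutation run may stumble onto the missing-checksum crash by truncation but has no systematic way to produce a valid zero-length record. In practice both are used together: captured traffic seeds mutation, and a grammar of the protocol drives generation of the boundary cases a seed corpus rarely contains.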

Interface Testing

  • An important part of the development of complex software systems

  • Tests the performance of modules against the interface specifications to make sure they will work properly

  • Types

    • APIs - A standardized way for code modules to interact and may be exposed to the outside world through web services

    • User Interfaces (UIs) - Should include reviews of all user interfaces to verify that they function properly

    • Physical Interfaces

Key Performance and Risk Indicators

  • Number of open vulnerabilities

  • Time to resolve vulnerabilities

  • Vulnerability / defect recurrence

  • Number of compromised accounts

  • Number of software flaws detected in preproduction scanning

  • Repeat audit findings

  • User attempts to visit known malicious sites
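
Several of the indicators above (open vulnerabilities, time to resolve, recurrence) fall straight out of the detection, validation and remediation states in the vulnerability management workflow described earlier. The following is an added example, not from the original notes, showing one way to record findings through those three steps and derive the indicators from that record; the data structure, function names and sample findings are constructed, and the identifiers are placeholders rather than real CVE names.

```python
"""Findings tracked through detection -> validation -> remediation, and the
indicators derived from that record (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Finding:
    asset: str
    vuln_id: str                       # identifier reported by the scanner (CVE or CCE name)
    detected: date                     # step 1: detection
    validated: Optional[bool] = None   # step 2: None = not yet triaged, False = false positive
    resolved: Optional[date] = None    # step 3: remediation date, None while still open


def open_findings(findings):
    """A finding is open from detection until validation rejects it as a false
    positive or remediation closes it. Untriaged findings still count as open."""
    return [f for f in findings if f.validated is not False and f.resolved is None]


def median_days_to_resolve(findings):
    """Time to resolve, from detection to remediation, over validated findings.
    The median is used because a few long-lived findings skew a mean."""
    days = [(f.resolved - f.detected).days
            for f in findings if f.validated and f.resolved is not None]
    return median(days) if days else None


def recurrences(findings):
    """Recurrence: the same vulnerability on the same asset detected again after an
    earlier finding for it was resolved, i.e. the remediation did not hold."""
    history = {}
    for f in sorted(findings, key=lambda f: f.detected):
        history.setdefault((f.asset, f.vuln_id), []).append(f)
    repeats = []
    for key, series in history.items():
        for earlier, later in zip(series, series[1:]):
            if earlier.resolved is not None and later.detected > earlier.resolved:
                repeats.append(key)
    return repeats


def indicators(findings):
    return {
        "open": len(open_findings(findings)),
        "median_days_to_resolve": median_days_to_resolve(findings),
        "recurrences": recurrences(findings),
    }


# Constructed sample: two scan cycles over a small estate, placeholder identifiers.
SAMPLE = [
    Finding("web01", "VULN-A", date(2024, 1, 5), True, date(2024, 1, 15)),
    Finding("web01", "VULN-A", date(2024, 3, 1), True),                 # back after the fix
    Finding("db01", "VULN-B", date(2024, 1, 10), False),                # validation: false positive
    Finding("db01", "VULN-C", date(2024, 2, 1), True, date(2024, 2, 5)),
    Finding("app02", "VULN-D", date(2024, 2, 20)),                      # detected, not yet validated
]

if __name__ == "__main__":
    print(indicators(SAMPLE))
```

Two details matter when these numbers are reported upward: a false positive is removed from the open count only once validation has actually rejected it (otherwise untriaged backlog hides behind the label), and recurrence is keyed on asset plus vulnerability so that the same CVE appearing on a different host is a new finding, not a regression.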

Related Notes

  • Vulnerability Scanning

  • NIST SP 800-53A