
Module 11: Security Testing And Assessment

Lesson 1: Planning A Security Assessment


A security assessment is a test or evaluation that verifies that the required security controls are in place and working as intended
Assessment planning lays out each part of the assessment in advance
o Should include purpose and scope, personnel, test criteria, processes/procedures/steps, dependencies and
resources, and any reference material
o Assessment plan documents the purpose, scope, and steps of the assessment
 Purpose and scope: What is being tested and why
 Personnel: Who is needed for the assessment
 Test Dates: When will the assessment be conducted
 Test Criteria: What will be tested and what constitutes success and failure
 Dependencies: What is needed to ensure a successful assessment
 Process and procedures: The processes, procedures, and step-by-step instructions the assessors will follow
Security Audit: formal compliance verification
Security Control Assessment: controls evaluation
Security Acceptance Test: formal acceptance test
Misuse and Abuse Test: use and abuse simulation
Inspection Test: visual verification
Interface Test: test system interfaces

© Copyright 2018 Cyberactive Security, LLC. All Rights Reserved. CISSP is a registered trademark of (ISC)2, Inc.

Lesson 2: Preparing For A Security Assessment


Plan out each step of the assessment
Ensure everything is ready for the security assessment
Identify and prepare what needs to be tested
Ensure all required personnel are available to support the assessment
Update all software, tools, or test procedures
o Create, test, and verify all test processes and procedures
Collect and gather all technical and administrative information
o Gather anything that will be used or referenced for the security assessment
Verify that all system resources and components are ready
o Reserve system components that will be assessed
Document everything in as much detail as possible in the plan

Lesson 3: Software Security Assessments


Software applications are a key part of overall system security
Software must be tested and assessed to ensure proper security is applied
o White box tests examine the software's internal construction, including its source code and design
o Black box tests analyze software from user’s point of view
o Gray box tests are a combination of white and black box
Test coverage analysis is used to evaluate the degree of testing provided
Test and assessment focus:
o Unit testing focuses on an individual function, script, or software component tested in isolation
o Integration testing ensures differing technologies will work together
o Vulnerability assessments look for known vulnerabilities in software
o Acceptance testing ensures software meets functionality requirements (reasonableness check)
o Regression testing checks that other parts of the system are not affected by introducing new software
Code reviews are “peer reviews” performed by developers who did not write the original code
Fagan inspection process is planning, overview, preparation, inspection, rework, and follow-up
Static tests analyze source code without running or executing it, either by manual review or with automated analysis tools
Dynamic testing evaluates security in a runtime environment using scanning tools and synthetic transactions
Synthetic transactions are simulated pre-defined commands designed to replicate a user or system action
Fuzz testing (fuzzing) is a dynamic test in which testers stress the software by feeding it invalid, unexpected, or random inputs and watching for crashes or other faults
o Mutation (dumb) fuzzing mutates a set of valid inputs (e.g. flipping bits, inserting or deleting bytes) with no knowledge of the input format
o Generational (intelligent) fuzzing generates inputs from knowledge of the expected input format (e.g. a protocol or file specification), so it can target boundary values and reach deeper logic
Misuse (abuse) testing probes for vulnerabilities by simulating how a malicious or careless user might misuse the software
Interface testing ensures software interactions comply with security requirements
OWASP is an open community of security professionals focused on improving web application security
The OWASP test framework consists of 5 different phases
o Phase 1: Before Development Begins
o Phase 2: During Definition and Design
o Phase 3: During Development
o Phase 4: During Deployment
o Phase 5: Maintenance and Operations
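The contrast between mutation and generational fuzzing is easier to see in code. The following is an added example, not material from the course notes: the target is a constructed toy record parser (2-byte big-endian length prefix followed by a payload, a format assumed here for illustration) that trusts its length field, shown beside a hardened version that validates it. A dumb fuzzer mutates valid seed records while an intelligent fuzzer builds records with the length field on interesting boundaries; both find the fault in the buggy parser and neither finds one in the fixed parser.

```python
import random
import struct


# Constructed target: toy record parser. Assumed format for this example:
# 2-byte big-endian length, then the payload. The bug is that the parser
# trusts the length field and uses it to index the payload.
def parse_record(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("record too short")      # graceful, documented rejection
    length = struct.unpack(">H", data[:2])[0]
    payload = data[2:]
    checksum = 0
    for i in range(length):                        # attacker-controlled bound
        checksum ^= payload[i]                     # IndexError when length > len(payload)
    return payload[:length]


# Hardened version: the length field is validated before it is used as a bound.
def parse_record_fixed(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("record too short")
    length = struct.unpack(">H", data[:2])[0]
    payload = data[2:]
    if length > len(payload):
        raise ValueError("length field exceeds payload")
    checksum = 0
    for i in range(length):
        checksum ^= payload[i]
    return payload[:length]


# Two valid seed records (constructed); mutation fuzzing starts from these.
SEEDS = [struct.pack(">H", 4) + b"ABCD", struct.pack(">H", 2) + b"hi"]


def run_case(target, data: bytes):
    """Run one input through the target. ValueError is the parser's documented
    rejection path, so only other exceptions are counted as findings."""
    try:
        target(data)
    except ValueError:
        return None
    except Exception as exc:
        return type(exc).__name__
    return None


def mutation_fuzz(target, seeds, iterations: int, seed: int = 1) -> dict:
    """Dumb fuzzing: take a valid seed and randomly flip a bit, insert a byte,
    or delete a byte. Returns {exception_name: first_input_that_triggered_it}."""
    rng = random.Random(seed)                      # seeded so runs are reproducible
    crashes = {}
    for _ in range(iterations):
        data = bytearray(rng.choice(seeds))
        op = rng.randrange(3)
        if op == 0:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == 1:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif len(data) > 1:
            del data[rng.randrange(len(data))]
        result = run_case(target, bytes(data))
        if result is not None:
            crashes.setdefault(result, bytes(data))
    return crashes


def generational_fuzz(target) -> dict:
    """Intelligent fuzzing: the fuzzer knows the format, so it builds records whose
    length field sits on boundaries relative to the real payload length."""
    crashes = {}
    payload = b"A" * 8
    n = len(payload)
    for length in (0, 1, n - 1, n, n + 1, 0xFF, 0x100, 0xFFFF):
        data = struct.pack(">H", length) + payload
        result = run_case(target, data)
        if result is not None:
            crashes.setdefault(result, data)
    return crashes


if __name__ == "__main__":
    for name, target in (("buggy", parse_record), ("fixed", parse_record_fixed)):
        print(name, "mutation:", mutation_fuzz(target, SEEDS, 200))
        print(name, "generational:", generational_fuzz(target))
```

Note that the harness distinguishes the parser's own rejection (`ValueError`) from an unexpected fault; without that distinction a fuzzer reports every rejected input as a finding and the real bug is lost in the noise. The generational fuzzer needs only eight cases to hit the fault because it understands where the boundary is, while the mutation fuzzer gets there by volume.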


Lesson 4: Network Security Assessment


Network security is the secure configuration of networking components
o Networks are tested and verified for security compliance to organizational security policy
o Network security assessments ensure security risks are at an acceptable level
 Manual assessments are hands-on inspection, review, and analysis of security configuration
 Automated assessments use scanning and scripting tools that automate the assessment process
 Interviews involve personally meeting with experts to understand system configuration
Methodically analyze the path a user, system component, or an application takes on the network
Determine all of the components, configurations, and methods that will be used to perform the assessment
Update the security assessment plan with all of the components that will be assessed
Confirm organization approved banners and notifications are configured and a user is required to accept prior to
granting access
Verify banners and notifications are configured properly using manual procedures or automated scanning tools
Confirm all users have a unique/individual account and are assigned the appropriate level of privileges (roles or
individual)
Manually inspect locked, expired, or disabled accounts
Password Management Testing:
o Verify all system accounts require a strong/complex password
o Use password cracking software to test passwords for network components
Logging and Audit Testing:
o Use automated tools and/or manual procedures to verify auditing is enabled on each network component
o Perform simulated actions to verify that create, delete, and change actions are audited
o Perform simulated connections to verify that both successful and failed network connections are audited
Use automated vulnerability scanners to detect unauthorized communications or ports, protocols, and services (PPS)
Network Interface Testing:
o Use protocol analyzers and/or network scanning tools to detect PPS on network interfaces
o Perform misuse (abuse) testing to verify network components respond correctly to malformed or unexpected traffic
o Simulate attacks to test firewalls, IDS/IPS, and other defense component responses
Network vulnerability scans are typically run from the perspective of an external attacker
o Authenticated vulnerability scans give the scanner access to configuration information
o Vulnerability scans can return false positives (flagged, but not valid) and false negatives (missed vulnerabilities)
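The network interface testing step above (detecting PPS on interfaces and comparing them against what the organization approved) is a comparison of observed state against a baseline. The following is an added example, not material from the course notes: it parses a constructed sample of nmap's grepable (-oG) output, whose layout is assumed here as "Host: ip (name)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...", and compares each host's open ports against an assumed approved-PPS baseline from the assessment plan. The hosts, names and scan results are made up for the example.

```python
import re

# Constructed sample of nmap grepable (-oG) output; not real scan data.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample for this example)
Host: 10.0.0.5 (web01.example.internal)\tStatus: Up
Host: 10.0.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 10.0.0.9 (db01.example.internal)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
"""

# Assumed approved ports/protocols/services per host, taken from the assessment
# plan. Anything open that is not listed here is an unauthorized PPS finding.
APPROVED_PPS = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
    "10.0.0.9": {("tcp", 22), ("tcp", 5432), ("tcp", 8443)},
}

# One port entry: port/state/proto/owner/service/  (rpc and version fields follow)
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/")


def parse_grepable(text: str) -> dict:
    """Return {host: {(proto, port): service}} for every port reported open."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment lines
        host = line.split()[1]
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                                   # "Status: Up" lines carry no ports
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state.startswith("open"):               # covers "open" and "open|filtered"
                observed.setdefault(host, {})[(proto, int(port))] = service
    return observed


def compare_to_baseline(observed: dict, approved: dict) -> list:
    """Produce (host, proto, port, service, kind) findings. Unknown hosts have
    no approved PPS, so everything open on them is reported as unauthorized;
    approved services that are not listening are reported separately because
    they may indicate an outage or a stale baseline."""
    findings = []
    for host in sorted(set(observed) | set(approved)):
        seen = observed.get(host, {})
        allowed = approved.get(host, set())
        for proto, port in sorted(seen):
            if (proto, port) not in allowed:
                findings.append((host, proto, port, seen[(proto, port)], "unauthorized"))
        for proto, port in sorted(allowed - set(seen)):
            findings.append((host, proto, port, "", "approved-but-not-listening"))
    return findings


def unauthorized(findings: list) -> set:
    """Just the (host, proto, port) triples that violate the baseline."""
    return {(h, p, n) for h, p, n, _, kind in findings if kind == "unauthorized"}


if __name__ == "__main__":
    for finding in compare_to_baseline(parse_grepable(SAMPLE_SCAN), APPROVED_PPS):
        print(finding)
```

Treating "open|filtered" UDP results as open is a deliberate choice: a scanner cannot always distinguish the two, and for an authorization check it is safer to report a possible listener than to miss one, at the cost of a false positive that the assessor then verifies manually.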

Lesson 5: Assessing System Security Architecture


Security architecture defines how security is built-in to the system architecture
o Must be reviewed and updated to protect against modern threats, vulnerabilities, and risks
o Newly integrated technologies, discovered vulnerabilities, or removal of technologies can impact the security
architecture
Updates to security architecture must be done when critical security risks are discovered
Understanding how software and applications function within the system architecture is vital to a secure architecture
Security architecture must account for every network interface through the information system
Network Communications:
o Account for all communications to and from untrusted areas (e.g. internet)
o Account for communications traversing different networks, zones, etc. throughout the information system
Cryptographic systems protect both communications and stored data; algorithms, key lengths, and keys must be kept current as older ones are deprecated or compromised
System integration involves two or more technologies, and the security risks of each technology, plus any created by combining them, must be accounted for

DevOps is the process of combining system development and operations into a continuous process
o Security must be integrated into DevOps as part of system and security architecture
IoT devices are endpoint devices that run software and connect to the internet
o IoT devices must be protected as an endpoint and isolated from core infrastructure
BYOD is a policy that defines how personnel are permitted to use their personally owned computing devices
o Personnel with insecure or poorly configured devices can introduce malware, create backdoor access, and more
o Devices must be isolated to a specific network or guest zone of the system
ICS (industrial control systems) are embedded and physical components used in industrial operations
o ICS are used in domestic (critical) infrastructure and can be found in production factories and distribution operations
o ICS contain embedded systems, which are a simple form of computing device
PLCs (programmable logic controllers) are often found in assembly factories, power plants, and distribution operations, usually as part of a DCS
A DCS (distributed control system) combines the ICS components within the same facility, factory, or plant
o Control systems distributed across multiple plants or factories are called SCADA
SCADA (supervisory control and data acquisition) is designed to operate large-scale infrastructure or production operations
o Comprised of RTUs (remote terminal units, the endpoints), a DAS (data acquisition server), and an HMI (human-machine interface)
Security Architecture Best Practices:
o Perform regular risk assessments to identify any emerging security risks against security architecture
o Employ least privilege and disable any unnecessary accounts, services, etc. to reduce the attack surface
o Patch all software with vendor or security related updates
o Segment and encrypt system communications
o Log and audit changes to critical system services, permissions, accounts, and communications

Lesson 6: Vulnerability Assessments And PenTests


Vulnerability assessments involve:
o Identifying
o Categorizing
o Addressing known vulnerabilities
Create and/or update an accurate system inventory
Discover and identify potential security vulnerabilities
o Automated scan tools compare the inventory against a database of known vulnerabilities
Categorize vulnerability findings, prioritizing those most important to your organization
Perform a cost/benefit analysis for each finding, comparing the risk it carries against the cost of implementing a mitigation or countermeasure
Penetration tests simulate an information system attack
o White Box (known details)
o Black Box (no details)
o Gray Box (some details)
PenTests are governed by rules of engagement (ROE) that define what may be tested, how, and when, and typically proceed through:
o Planning
o Information gathering
o Vulnerability discovery
o Attack and exploit
o Reporting
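The vulnerability assessment steps above (inventory, match against a known-vulnerability database, categorize, cost/benefit) are worth seeing end to end. The following is an added example, not material from the course notes: the inventory, the vulnerability database entries (with constructed VULN-nnnn identifiers, not real CVEs), the severity bands, the exposure weighting for internet-facing assets, and the remediation effort estimates are all assumptions made for this example. The point it adds to the text is that numeric version comparison is needed to match correctly, and that cost/benefit ranking does not always follow severity order.

```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'13.10' must sort after '13.2'; string comparison gets that wrong."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str        # constructed identifier for this example, not a real CVE
    product: str
    affected_from: str  # inclusive lower bound
    fixed_in: str       # exclusive upper bound: versions >= fixed_in are not affected
    score: float        # CVSS-style base score, 0 to 10 (assumed values)
    fix_hours: float    # assumed remediation effort


# Constructed system inventory (step 1).
INVENTORY: List[Asset] = [
    Asset("web01", "apache-httpd", "2.4.49", True),
    Asset("web02", "apache-httpd", "2.4.51", True),
    Asset("db01", "postgresql", "13.2", False),
    Asset("jump01", "openssh", "8.4", True),
]

# Constructed stand-in for the scanner's known-vulnerability database.
VULN_DB: List[KnownVuln] = [
    KnownVuln("VULN-0001", "apache-httpd", "2.4.49", "2.4.51", 9.8, 2.0),
    KnownVuln("VULN-0002", "postgresql", "13.0", "13.3", 7.5, 8.0),
    KnownVuln("VULN-0003", "openssh", "8.0", "8.9", 4.3, 4.0),
    KnownVuln("VULN-0004", "openssh", "9.0", "9.3", 9.1, 4.0),
]


def is_affected(asset: Asset, vuln: KnownVuln) -> bool:
    """Step 2: match an inventory item against one database entry."""
    if asset.product != vuln.product:
        return False
    v = parse_version(asset.version)
    return parse_version(vuln.affected_from) <= v < parse_version(vuln.fixed_in)


def severity_category(score: float) -> str:
    """Step 3: categorize. Bands are assumed for this example."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def assess(inventory: List[Asset], vuln_db: List[KnownVuln]) -> List[dict]:
    """Steps 2 to 4: find matches, categorize, and rank by risk reduced per hour
    of remediation effort (the cost/benefit comparison). Internet-facing assets
    get a 2x exposure weight, an assumption for this example."""
    findings = []
    for asset in inventory:
        for vuln in vuln_db:
            if is_affected(asset, vuln):
                risk = vuln.score * (2.0 if asset.internet_facing else 1.0)
                findings.append({
                    "host": asset.host,
                    "vuln_id": vuln.vuln_id,
                    "category": severity_category(vuln.score),
                    "risk": risk,
                    "benefit_per_hour": round(risk / vuln.fix_hours, 2),
                })
    findings.sort(key=lambda f: (-f["benefit_per_hour"], -f["risk"]))
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, VULN_DB):
        print(f)
```

With these inputs the Medium finding on the internet-facing jump host ranks above the High finding on the internal database, because it is cheaper to fix and more exposed; that is exactly the kind of result the cost/benefit step exists to surface, and it is also the kind of result an assessor should be able to explain in the report.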


Lesson 7: Creating A Security Assessment Report


A SAR (security assessment report) defines the approach, process, and results of a security assessment
SARs are needed for compliance, liability, and confidence purposes
Types of SAR:
o After Action Report (AAR)
o Vulnerability Assessment Report (VAR)
o Risk Assessment Report (RAR)
o Pen Test Report (PTR)
The goal of a SAR is to present all of the assessment findings and create a PoA&M (plan of action and milestones)
o The PoA&M defines what needs to be done to address each finding and when it needs to be completed
o A PoA&M can be an internal artifact or one required for compliance
SAR must clearly define the goals, objectives, and purpose of the security assessment
Make sure to include the scope, personnel, assets, test sites and locations
Also include dates/times, rules of engagement (ROE), and test criteria
Reference applicable policies, regulations, etc. for compliance purposes
Reference any guides, templates, etc. used to create the SAR
Update any existing security artifacts, security assessment plan/procedures, and external service/3rd party
agreements based on assessment findings
