Domain 6: Security Assessment & Testing - Coggle Diagram
Domain 6: Security Assessment & Testing
Security Assessment Strategies
Security Testing Overview
Comes in many flavours:
Vulnerability assessment
Penetration testing
Code review
Phishing exercises
Password assessment
Goal: Assess risk by discovering & understanding flaws that persist in systems & applications.
Technical testing for security flaws
Server-side vs. Client-side attacks
SS is initiated by the attacker against a listening service - also called service-side attacks. For a TCP server-side attack, the initial SYN is sent by the attacker
CS attacks work in reverse
Victim initiates traffic
Often by clicking on link in email or on the web
Security Assessment
For practical & regulatory purposes, orgs must assess their security posture
Gaining a holistic view of sec requires:
Technical sec testing
Sec process assessment
Sec audits
Analyzes the entire NW from the inside & tries to find weaknesses
Offers a complete list of risks against critical assets - useful if you want to come up with a roadmap & better understand your sec risks.
Is a complete view of a company's NW sec
At the conclusion of an SA you get a prioritized list of what the crit risks to your assets are, what the likelihood of the risks occurring is, what the costs are & what the costs to fix the risks are. Based on this, management can make a proper decision about what level of risk they are willing to accept. SA helps manage risk with a more holistic view.
Security testing:
1. Involves overtly looking for potential sec weaknesses
2. The most basic & common type of sec testing is the VA [vulnerability scanning tools to review the risk associated with missing patches]
3. Other approaches include: NW pentest, WebApp pentest & source code analysis
Sec Process review
Finding a vulnerable sys or a flaw in a custom application is certainly beneficial. Understanding the process that allowed the vul to exist in the first place is more important
Reviewing key sec processes can be extremely helpful
This could be a separate review or could be part of a larger SA. Most likely an audit
Auditing
1. Auditing is a function that verifies the sec of systems & resources & whether or not a system has been compromised or misused.
2. Auditing also tests the effectiveness of the operational controls implemented throughout the network, and it can help determine where more controls might be needed.
3. This is an imp step in the accountability process. If you don't audit your systems, it is extremely difficult to hold users responsible for their actions.
Attack surface, SS vs. CS
The CS attack surface is larger & more difficult to control:
Browser(s), browser plugins, email clients, chat clients, Flash, Java, PDF reader, MS Office, iTunes
Any listening service is potentially a target. Server-side [aka service-side] attacks are launched against listening nw services. An open port is like a door/window of a house & must be secured. The attack surface is effectively limited by:
Disable unnecessary services
Host hardening
FWs [network/host]
Server-Side exploitation process
Port Scanning
Determine version of OS & services
Network enumeration
Determine vulnerable service versions
Perform Reconnaissance
Exploit vulnerable services
Reconnaissance
Includes public records research
Resources include: Google, whois, DNS, FB, Twitter, etc.
Offline research performed by an attacker before launching an attack
Google is the prime recon tool
During Reconnaissance, the attacker gathers info about the target org, including NW addresses, names, phone numbers, physical addresses, etc.
This data is then used later in the exploitation process
Host Discovery [aka Network Enumeration]
Live systems may be discovered by:
ARP Scans (for systems on the same LAN)
Can be performed in an Active & Passive manner
ICMP Sweeps (echo request, netmask request, timestamp request)
The process of HD attempts to determine live systems on the NW
TCP or UDP traffic sent to common ports
IPv6 neighbor discovery
Sniffing packets & reviewing contents
Port Scanners
NMap is a well-known port scanner
Once a host is discovered, a port scanner scans all TCP & UDP ports & attempts to determine which are open
TCP ports 0-65535 - scanning is fairly straightforward: if you send a SYN to a listening port that is not filtered (in either direction), you will receive a SYN/ACK
UDP ports 0-65535 - not as straightforward: if you send data to an unfiltered port with a listening service, it may answer or it may not
It depends on the data you send: send a UDP DNS request to a listening/unfiltered DNS server, and you will receive a reply. Send random UDP data to the same port & the server may not answer. You asked the wrong question.
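As an added example (not part of the original notes), this Python script reproduces the TCP vs. UDP difference described above on a constructed loopback setup: a plain TCP listener, plus a stand-in "DNS" service that answers only well-formed queries and ignores everything else, the same way a real service stays silent when you ask the wrong question. The fake server, the ephemeral ports and the sample payloads are all assumptions made for the demo; nothing here talks to a real host.

```python
import socket, struct, threading

def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A query: 12-byte header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def fake_dns_server(sock):
    """Constructed stand-in for a DNS service: answers only well-formed queries
    (a full header with QDCOUNT == 1) and silently drops anything else."""
    while True:
        data, peer = sock.recvfrom(512)
        if len(data) >= 12 and struct.unpack("!H", data[4:6])[0] == 1:
            sock.sendto(data[:2] + b"\x81\x80" + data[4:], peer)  # QR=1 response

def probe_tcp(host, port, timeout=1.0):
    """connect() only completes after the listener answers our SYN with SYN/ACK."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port)); return "open"
        except ConnectionRefusedError:
            return "closed"        # RST came back: nothing listening
        except socket.timeout:
            return "filtered"      # no SYN/ACK, no RST: probably dropped by a FW

def probe_udp(host, port, payload, timeout=0.5):
    """No handshake: a reply proves open; silence is ambiguous (open|filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            s.recvfrom(512); return "open"
        except socket.timeout:
            return "open|filtered"
        except ConnectionRefusedError:
            return "closed"        # ICMP port unreachable surfaced by the OS

def demo():
    """Probe a loopback TCP listener (open, then closed) and the fake DNS service."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0)); tcp.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0)); port = udp.getsockname()[1]
    threading.Thread(target=fake_dns_server, args=(udp,), daemon=True).start()
    tport = tcp.getsockname()[1]
    result = {"tcp_listener": probe_tcp("127.0.0.1", tport),
              "udp_dns_query": probe_udp("127.0.0.1", port, build_dns_query("example.com")),
              "udp_random_data": probe_udp("127.0.0.1", port, b"\xde\xad\xbe\xef")}
    tcp.close()                    # nothing listening now: the kernel answers SYN with RST
    result["tcp_closed"] = probe_tcp("127.0.0.1", tport)
    return result
```

The two UDP results are the point: the same open port reads as "open" for a valid DNS query and as "open|filtered" for random data, which is why UDP scan output needs a protocol-aware payload (or a second look) before you trust it.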