Security Testing Tools and Techniques


Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
>> Welcome to our next lesson,
00:00
security testing tools and techniques.
00:00
By the end of this lesson,
00:00
we'll have covered testing techniques for
00:00
common security controls that you
00:00
as an auditor will likely have used.
00:00
Bypassing security and compensating controls,
00:00
access control and password administration,
00:00
network penetration testing and what's involved,
00:00
and also threat intelligence.
00:00
Let's begin. There are a couple of
00:00
testing techniques for common security controls that
00:00
you as an auditor may actually have to be involved in.
00:00
One is terminal cards and keys.
00:00
This is basically simply taking
00:00
a set of legitimate access cards,
00:00
so swipe cards for example, or keys,
00:00
and attempting to get access to
00:00
beyond what they had been authorized to gain access to.
00:00
The test here is to see
00:00
if basically your attempts to access
00:00
these areas with the inappropriate cards
00:00
has been picked up by any of the audit logs, for example.
00:00
Terminal identification.
00:00
Basically that's an enumeration of all terminals or
00:00
workstations within an organization
00:00
which forms part of an asset log,
00:00
which can then be used to audit to determine if
00:00
they are there in the appropriate locations.
00:00
Logon IDs and passwords.
00:00
Basically, a test of
00:00
those to determine if the user could guess
00:00
common IDs or passwords to
00:00
just determine the level of
00:00
security or policy and control there.
00:00
Additional controls over production resources.
00:00
In large batch organizations or factories,
00:00
for example, the production resources
00:00
secure just as much as the network.
00:00
Also the logging and reporting
00:00
of computer access violations.
00:00
If some access violation occurs,
00:00
is it recorded, and is it actioned?
00:00
Is it followed up for those access violations?
00:00
Bypassing security and compensating controls.
00:00
This is a technical area review.
00:00
As an auditor, you will most likely
00:00
work with the system software analysts and
00:00
network manager or security administrator
00:00
to determine ways to bypass security.
00:00
This typically involves bypass label processing.
00:00
Bypass BLP problem,
00:00
bypasses the computer reading of the file label.
00:00
Most access controls basically
00:00
have rules that are based on file names,
00:00
labels, and that can often
00:00
bypass the access control programs.
00:00
System exits.
00:00
In any software feature that permits
00:00
a user to perform
00:00
any complex system maintenance, for example,
00:00
it might be tailored to
00:00
a specific environment or company and they
00:00
often exist outside of the computer system security,
00:00
and thus can be used
00:00
as an area of attack for the system,
00:00
and any special system Logon ID.
00:00
These Logon IDs are often provided by
00:00
vendors and often cases these
00:00
are default and they can be easily
00:00
determined or are publicly available information.
00:00
Access control and password administration.
00:00
This is very much a procedural check for an auditor.
00:00
Are there rules and procedures for adding access?
00:00
In other words, gaining additional access for
00:00
a given user and also
00:00
deprovisioning access when it's no longer needed.
00:00
Are there controls or procedures
00:00
around what is an appropriate disclosure of passwords?
00:00
Are passwords kept at an appropriate complexity?
00:00
What is the password change policy?
00:00
What's the age of a password?
00:00
Is there any validation of access levels?
00:00
Also procedures for the
00:00
suspension of accounts or workstations for
00:00
violations or any unusual detected behavior.
00:00
Network penetration testing.
00:00
This is a combination of both procedures and techniques.
00:00
What this basically is,
00:00
an auditor will use
00:00
attack techniques of a hacker to test the network,
00:00
or test the system.
00:00
It's basically also known as
00:00
intrusion testing or ethical hacking.
00:00
It identifies real-time risks.
00:00
Risks that are actually present in
00:00
the system at this particular point
00:00
in time that the test is conducted.
00:00
Now, a key thing here is defining the scope.
00:00
This is quite an intrusive activity
00:00
and it's very important to
00:00
identify exactly what is going to be
00:00
tested and what isn't going to be tested,
00:00
and ensure that appropriate permissions
00:00
are obtained for this test.
00:00
Different types of penetration testing.
00:00
There is external testing.
00:00
In this case, penetration tester,
00:00
which is usually not the sizer,
00:00
the person who is doing the audit, but a third party.
00:00
The external testing is
00:00
conducted from outside the organization.
00:00
In other words, can an attacker from outside
00:00
the organization gain access to
00:00
sensitive information or systems within the organization?
00:00
Internal testing looks at
00:00
the security from an internal perspective.
00:00
The sufficient access control around sensitive resources,
00:00
that inappropriate access is not permitted.
00:00
There is blind testing,
00:00
which is also referred to as black-box testing.
00:00
In other words, and this can be external or internal.
00:00
A penetration tester is asked to attack the network
00:00
with no information about the network at all,
00:00
so it really comes down to what can
00:00
determine are the vulnerabilities
00:00
based upon what's publicly
00:00
available or what has been disclosed.
00:00
There's also a double-blind testing,
00:00
which is also referred to as red team testing.
00:00
In this case it's very much like a blind test,
00:00
except that the network administrators
00:00
and the people who are looking out for
00:00
the system are also not informed of this test.
00:00
This will also test procedures
00:00
such as incident response as well.
00:00
There is also targeted testing.
00:00
This could be very much a granular approach,
00:00
so if a change has been made to a critical system,
00:00
a penetration test could be conducted on
00:00
the changes to be made to that system itself.
00:00
There are a number of different phases
00:00
of a penetration test.
00:00
You have planning in which
00:00
the actual test itself is determined.
00:00
In often cases, this will involve
00:00
some rules of engagement
00:00
defined between the penetration tester
00:00
and the organization,
00:00
as well as the statement of work.
00:00
The scope and planning
00:00
that will then lead on to discovery.
00:00
Then the penetration tester will use the information from
00:00
the planning to determine exactly what to attack,
00:00
how to attack and where to attack it.
00:00
Then the actual attack phase will be commenced,
00:00
in which case the attacks will be attempted.
00:00
Finally, there is the important reporting phase,
00:00
in which case the report is generated so
00:00
that the organization can understand
00:00
exactly how well or how bad
00:00
the penetration testing went from
00:00
the perspective of finding security vulnerabilities.
00:00
Now, there's a couple
00:00
of risks involving penetration testing.
00:00
Coverage may be incomplete.
00:00
It may give a bit of a false sense
00:00
of security to a degree,
00:00
if the actual penetration test scope
00:00
wasn't defined appropriately,
00:00
and there are some things that
00:00
have been identified as out of scope.
00:00
Planning and communication failures are certainly key.
00:00
Except for double-blind testing,
00:00
it's important to let everyone involved
00:00
in management of the system
00:00
know that this is taking place.
00:00
There can also be accidental escalation.
00:00
What is actually a legitimate unauthorized attack by
00:00
a penetration test that could be interpreted
00:00
as an attack by a real attacker,
00:00
and then an incident process is initiated.
00:00
Disclosure of sensitive information.
00:00
A penetration test could accidentally determine
00:00
sensitive information that may
00:00
be protected by the company
00:00
through legislation such as
00:00
privacy information, for example.
00:00
There needs to be strong vetting and
00:00
background of penetration testers.
00:00
Certainly the penetration tester
00:00
will use the techniques and
00:00
tactics and procedures that
00:00
are exactly the same as a real attacker.
00:00
You need to have a lot of trust in
00:00
the actual penetration test that you had to
00:00
make sure that they are going to
00:00
maintain a legitimate approach to your system.
00:00
There could also be accidental damage
00:00
to a production system
00:00
as well. Threat intelligence.
00:00
This has been around
00:00
for probably the last five or 10 years.
00:00
Basically, it's organized, analyzed,
00:00
and refined information that
00:00
helps an organization understand
00:00
exactly what threat environment they're operating
00:00
in and what the risks and vulnerabilities actually are.
00:00
It really gives situational awareness
00:00
to an organization so that they understand
00:00
the environment and they can
00:00
basically target and customize
00:00
their mitigations to mitigate the most pressing threats.
00:00
Often cases threat intelligence will also include
00:00
technical information about indicators of compromise.
00:00
Network administrators can look
00:00
for malicious software that is related to
00:00
a particular attack that might be present on
00:00
their system and take appropriate action in advance.
00:00
That's our lesson. Basically we've
00:00
covered testing techniques for
00:00
common security controls that you as
00:00
an auditor may be involved in.
00:00
Bypassing security and compensating controls.
00:00
Access control and password administration
00:00
and the important practices
00:00
and procedures surrounding that.
00:00
Network penetration testing.
00:00
Exactly what it is.
00:00
Some of the different types of
00:00
penetration testing and the risks involved,
00:00
and also threat intelligence.
00:00
I hope you enjoyed
00:00
our lesson and I will see you at the next one.