Wednesday, August 16, 2006
Types of Security Testing
- Vulnerability Scanning
- Security Scanning
- Penetration Testing
- Risk Assessment
- Security Auditing
- Ethical Hacking
- Posture Assessment & Security Testing
Vulnerability Scanning is using automated software to scan one or more systems against known vulnerability signatures. Examples of this software are Nessus, Sara, and ISS.
Security Scanning is a Vulnerability Scan plus Manual verification. The Security Analyst will then identify network weaknesses and perform a customized professional analysis.
Penetration Testing takes a snapshot of the security on one machine, the “trophy”. The Tester will attempt to gain access to the trophy and prove that access, usually by saving a file on the machine. It is a controlled and coordinated test with the client to ensure that no laws are broken during the test.
Risk Assessment involves a security analysis of interviews compiled with research of business, legal, and industry justifications.
Security Auditing involves hands-on internal inspection of Operating Systems and Applications, often via line-by-line inspection of the code.
Ethical Hacking is basically a number of Penetration Tests on a number of systems on a network segment.
General steps to take for security testing of a software application:
- Step 1. Review the declared functionality provided by the software and assess security vulnerabilities associated with those software features. For this step, you simply review the software documentation and identify inherent risks in the technology that is used. For example, if the software in question is a simple Telnet client, you know that an inherent vulnerability of the Telnet protocol is that it includes no encryption of the data traffic.
- Step 2. Look for publicly known vulnerabilities associated with the software and assess the impact of each vulnerability for the environment the software operates in.
- Step 3. Identify services that are activated and other code that will be started automatically without user intervention.
- Step 4. Identify the security policy settings modified by the application.
- Step 5. Identify patches uninstalled by the application.
- Step 6. Check for hidden data (such as hidden NTFS streams).
- Step 7. Analyze the processes activated by the application when it is started.
- Step 8. Record file access to ensure only legitimate file system objects are accessed by the application.
- Step 9. Review other changes (like Registry modifications) made by the application. For Windows, one good tool to do this with is SysDiff.
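Steps 3 through 9 are all variations of one technique: take a baseline of the system before the application is installed, install it, take a second snapshot, and compare. The following is an added example of that baseline-and-compare approach (it is not the blog's code and not SysDiff itself); the "system" it snapshots is a constructed temporary directory plus a dictionary of policy-style settings and a set of autostart entries, so it runs anywhere, while a real run would point it at the installation target.

```python
"""Baseline-and-compare snapshot in the style of a SysDiff run.
Added example, not the blog's code: files, settings and autostart
entries are constructed sample data, not a real installation."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Snapshot:
    files: dict      # relative path -> sha256 hex digest
    settings: dict   # policy / registry-style key -> value
    autostart: set   # services or programs that start without user action


def hash_file(path):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root):
    """Map every file under root (relative, '/'-separated) to its hash."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = hash_file(full)
    return files


def compare(before, after):
    """Report what the installation added, removed or changed (Steps 3-9)."""
    all_keys = set(before.settings) | set(after.settings)
    return {
        "added_files": sorted(set(after.files) - set(before.files)),
        "removed_files": sorted(set(before.files) - set(after.files)),
        "modified_files": sorted(
            p for p in before.files
            if p in after.files and before.files[p] != after.files[p]),
        # (old, new) pairs; None marks a key that did not exist on one side
        "changed_settings": {
            k: (before.settings.get(k), after.settings.get(k))
            for k in all_keys
            if before.settings.get(k) != after.settings.get(k)},
        "new_autostart": sorted(after.autostart - before.autostart),
    }


def write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo():
    """Constructed before/after run; returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        # Baseline: a pristine system (constructed)
        write(root, "system/hosts", "127.0.0.1 localhost\n")
        write(root, "app/readme.txt", "nothing installed yet\n")
        before = Snapshot(snapshot_tree(root),
                          {"MinimumPasswordLength": 8, "EnableFirewall": 1},
                          {"Spooler"})

        # Simulated installation: new binary, edited hosts file,
        # firewall turned off, new setting, new autostart service
        write(root, "app/agent.exe", "MZ...constructed binary...\n")
        write(root, "system/hosts", "127.0.0.1 localhost\n10.0.0.5 update-server\n")
        after = Snapshot(snapshot_tree(root),
                         {"MinimumPasswordLength": 8, "EnableFirewall": 0,
                          "AllowRemoteDebug": 1},
                         {"Spooler", "UpdaterService"})
        return compare(before, after)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

Every line of the report is a question for the tester: is the new autostart service documented (Step 3), why did the firewall setting change (Step 4), and is the hosts-file edit part of the declared functionality (Steps 8 and 9)? Hidden NTFS streams (Step 6) need a Windows-specific listing and are outside what this portable version sees.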
Security Testing of a System
- Step 1. Identify what is contained in the system. In order to assess the system's security posture, you must have a very good understanding of what makes up the system - software installed, services running, version numbers, listing of servers and workstations, etc. If possible, you should collect the data as part of the security test and evaluation (ST&E), not by making assumptions or asking for data from individuals outside the testing team. You'll often find that even the system administrators are not fully aware of every service running on their systems and that those good-looking network diagrams created six months ago are no longer accurate.
- Step 2. Evaluate the system's non-technical security posture. For example, are there contingency and incident response plans in place? Are the system administrators trained? Is there sufficient physical security in place? Does effective configuration management exist? These non-technical checks (operational and physical security as well as management policies) are crucial in the evaluation of a system's security posture but are not listed here - primarily because checklists covering these items are available in abundance.
- Step 3. Review system architecture for inherent vulnerabilities. This includes a review of the communication/network topology and technology in use. The key requirement for accomplishing this step is that you (the tester) must understand the technology in use.
- Step 4. Scan the system for compliance with the system's security policy. For Windows systems, the scanning should be accomplished with SecEdit (or its GUI equivalent - the MMC Security Configuration and Analysis tool).
- Step 5. Scan the system for missing patches. For Windows systems, the scanning should be accomplished with MBSACli.
- Step 6. Optionally, scan the system with one of the commercial or open source vulnerability scanners. Note, however, that this tool will likely be less comprehensive against a particular operating system than the vendor's own tool.
- Step 7. Test each software component. This includes application software, but it also includes other software components, such as the operating system software on workstations, servers, printers, switches/routers and specialized network devices.
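Steps 4 and 5 both reduce to comparing what the system reports against what the policy requires. The following is an added example, not the blog's code and not SecEdit or MBSACli: it parses a constructed policy export laid out like the INF template that `secedit /export` writes, checks a handful of settings against a local policy, and lists required patches that are absent from the installed set. The patch identifiers are placeholders, not real KB numbers.

```python
"""Policy-compliance (Step 4) and missing-patch (Step 5) checks.
Added example, not the blog's code. SAMPLE_EXPORT is a constructed
file in the layout of a secedit /export template; the patch lists
are constructed placeholders."""
import configparser

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
MaximumPasswordAge = 90
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The organisation's policy: (section, key, predicate on the integer value,
# human-readable requirement). Audit values: 0 none, 1 success, 2 failure,
# 3 success and failure.
POLICY = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8,
     "minimum password length of 8"),
    ("System Access", "PasswordComplexity", lambda v: v == 1,
     "password complexity enabled"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 5,
     "lockout after at most 5 bad attempts"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 90,
     "passwords expire within 90 days"),
    ("Event Audit", "AuditLogonEvents", lambda v: v == 3,
     "logon success and failure audited"),
    ("Event Audit", "AuditAccountLogon", lambda v: v == 3,
     "account logon success and failure audited"),
]


def parse_export(text):
    """Read the INF-style export; keep key case and disable % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_policy(text, policy=POLICY):
    """Return (section, key, observed_value, message) for each deviation."""
    cp = parse_export(text)
    findings = []
    for section, key, ok, requirement in policy:
        if not cp.has_option(section, key):
            findings.append((section, key, None,
                             f"not set; policy requires {requirement}"))
            continue
        value = int(cp.get(section, key))
        if not ok(value):
            findings.append((section, key, value,
                             f"observed {value}; policy requires {requirement}"))
    return findings


def missing_patches(required, installed):
    """Step 5: required patches not present in the installed set."""
    return sorted(set(required) - set(installed))


# Constructed placeholder identifiers, not real patch numbers
REQUIRED_PATCHES = ["KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003"]
INSTALLED_PATCHES = ["KB-EXAMPLE-001", "KB-EXAMPLE-003"]


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_EXPORT):
        print("POLICY:", finding)
    print("MISSING PATCHES:", missing_patches(REQUIRED_PATCHES, INSTALLED_PATCHES))
```

On a real Windows host the text fed to `check_policy` would come from a `secedit /export` run and the installed-patch list from the patch tool's output; the comparison logic stays the same. Note the one-sided nature of the check: a setting that is absent from the export is reported as a finding rather than silently treated as compliant.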