Domain 6: Security Assessment and Testing
A forensic disk controller or hardware write-block device is a specialized type of computer
hard disk controller made for the purpose of gaining read-only access to computer hard drives
without the risk of damaging the drive's contents. The device is named forensic because its
most common application is for use in investigations where a computer hard drive may contain
evidence. Such a controller historically has been made in the form of a dongle that fits
between a computer and an IDE or SCSI hard drive, but with the advent of USB and SATA,
forensic disk controllers supporting these newer technologies have become widespread.
TCP and UDP ports 137–139 are used for NetBIOS services (name, datagram, and session), whereas
TCP 445 carries SMB directly over TCP (Microsoft-DS) and is relied on heavily by Active Directory
domain members for file sharing and RPC over named pipes. TCP 1433 is the default port for
Microsoft SQL Server.
Mutation testing modifies a program in small ways (each altered copy is a mutant) and then runs
the existing test suite against that mutant. If at least one test fails, the mutant is "killed";
if every test still passes, the mutant survived, which shows that the suite cannot detect that
change. The technique is used to evaluate and strengthen software tests rather than to test the
program itself. Static code analysis and regression testing are both means of testing code,
whereas code auditing is an analysis of source code rather than a means of designing and
testing software tests.
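As an added illustration (this code is not from the original notes), the following Python script performs first-order mutation testing on a constructed password-policy function: it swaps one comparison or Boolean operator at a time, reruns a test suite against each mutant, and reports the mutation score. The target function, the mutation rules, and both test suites are assumptions made for the demo; the point is that a suite can pass on the real code while every mutant survives.

```python
import ast
import copy

# Constructed example target (not from the page): a password-policy check.
TARGET_SRC = '''
def is_strong(password):
    return len(password) >= 12 and any(c.isdigit() for c in password)
'''

# Single-operator mutation rules; each application yields one first-order mutant.
COMPARE_SWAPS = {ast.GtE: ast.Gt, ast.Gt: ast.GtE, ast.LtE: ast.Lt,
                 ast.Lt: ast.LtE, ast.Eq: ast.NotEq, ast.NotEq: ast.Eq}
BOOL_SWAPS = {ast.And: ast.Or, ast.Or: ast.And}


def mutable_indices(tree):
    """Positions (in ast.walk order) of nodes that a mutation rule applies to."""
    found = []
    for i, node in enumerate(ast.walk(tree)):
        if isinstance(node, ast.Compare) and len(node.ops) == 1 \
                and type(node.ops[0]) in COMPARE_SWAPS:
            found.append(i)
        elif isinstance(node, ast.BoolOp) and type(node.op) in BOOL_SWAPS:
            found.append(i)
    return found


def make_mutant(tree, target):
    """Deep-copy the tree and apply exactly one operator swap at position `target`."""
    mutant = copy.deepcopy(tree)  # ast.walk visits the copy in the same order
    for i, node in enumerate(ast.walk(mutant)):
        if i != target:
            continue
        if isinstance(node, ast.Compare):
            old, new = type(node.ops[0]), COMPARE_SWAPS[type(node.ops[0])]
            node.ops[0] = new()
        else:
            old, new = type(node.op), BOOL_SWAPS[type(node.op)]
            node.op = new()
        return f"{old.__name__} -> {new.__name__}", mutant
    raise IndexError(target)


def load_function(tree, name="is_strong"):
    namespace = {}
    exec(compile(tree, "<mutant>", "exec"), namespace)
    return namespace[name]


def mutation_score(test_cases):
    """Run the suite against every mutant; return (killed/total, per-mutant results)."""
    tree = ast.parse(TARGET_SRC)
    original = load_function(tree)
    # The suite must pass on the unmutated code, otherwise the score is meaningless.
    assert all(original(pw) == expected for pw, expected in test_cases)
    results = []
    for idx in mutable_indices(tree):
        description, mutant_tree = make_mutant(tree, idx)
        mutant = load_function(mutant_tree)
        killed = any(mutant(pw) != expected for pw, expected in test_cases)
        results.append((description, killed))
    score = sum(1 for _, k in results if k) / len(results)
    return score, results


# Constructed test suites. WEAK never probes the length boundary or the `and`.
WEAK_SUITE = [("Password12345", True), ("short", False)]
STRONG_SUITE = WEAK_SUITE + [
    ("abcdefghijk1", True),    # exactly 12 characters: kills  >=  ->  >
    ("abcdefghijklm", False),  # long but no digit:     kills  and ->  or
]

if __name__ == "__main__":
    for name, suite in (("weak", WEAK_SUITE), ("strong", STRONG_SUITE)):
        score, results = mutation_score(suite)
        print(f"{name} suite: mutation score {score:.0%}")
        for description, killed in results:
            print(f"  {description:<16} {'killed' if killed else 'SURVIVED'}")
```

Both mutants survive the weak suite even though it passes, because it never tests the boundary case (exactly 12 characters) or a long password with no digit; adding those two cases kills both mutants. Surviving mutants are the output worth acting on: each one names a behaviour the tests do not pin down.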
TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability
scanning web servers and applications and is the best choice listed for a web server.
Metasploit includes some scanning functionality but is not a purpose-built tool for
vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans,
whereas sqlmap is a SQL injection testing tool.
Fuzz testing (fuzzing) is a quality assurance technique used to discover coding errors and
security flaws in software, operating systems, or networks. It involves feeding large amounts of
malformed, random, or unexpected data, called fuzz, to the test subject in an attempt to make it
crash or misbehave. The tool that generates and delivers this input is called a fuzzer; a crash
it produces is then triaged with a debugger to find the root cause. Fuzzers are designed to
provide invalid or unexpected input to applications, surfacing vulnerabilities such as format
string flaws, buffer overflows, and other input-handling problems.
Syslog is a widely used protocol for event and message logging.
OpenVAS is an open-source vulnerability scanning tool that will provide a report of the
vulnerabilities it can identify from a remote, network-based scan. Nmap is an open-source
port scanner. Both the Microsoft Baseline Security Analyzer (MBSA) and Nessus are
closed-source tools, although Nessus was originally open source.
Jim has agreed to a black box penetration test, which gives the tester no information about
the organization, its systems, or its defenses. A crystal box or white box penetration test
provides all of the information an attacker could want, whereas a gray box penetration test
provides some, but not all, of that information.
Service Organization Control (SOC) reports help companies establish trust and confidence
in their service delivery processes and controls. The reports are produced by an
independent third party that must be a certified public accountant (CPA) firm.
WPA2 Enterprise authenticates users through 802.1X/EAP against a RADIUS server rather than
with a preshared key (PSK). This means a password attack is more likely to fail, because
repeated attempts against a given user account can trigger account lockout. WPA2 encryption by
itself will not stop a password attack, and WPA2's preshared key mode is specifically targeted
by offline attacks against a captured four-way handshake that attempt to recover the key. Not
only is WEP encryption outdated, but it can also frequently be cracked within minutes by tools
like aircrack-ng.
Generational fuzzing relies on a model of the application's input format and generates test
cases from that model. Mutation-based fuzzers are sometimes called “dumb” fuzzers because
they simply mutate or modify existing data samples to create new test samples.
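The following Python script is an added example, not part of the original notes, that contrasts the two fuzzing styles described above and earlier on this page against a constructed record parser with a deliberately planted bounds-checking defect. The record format, the parser, the seed sample, and the mutation operators are all assumptions for the demo. The mutation-based fuzzer perturbs a known-good sample and spends many iterations on inputs that never get past the header check; the generational fuzzer builds inputs from a model of the format, so every input passes the header check and the effort lands on the fields behind it.

```python
import random
import struct

MAGIC = b"\x5a\xa5"
INTERESTING = [0x00, 0x01, 0x7f, 0x80, 0xff]   # boundary bytes fuzzers favour


def parse_record(buf):
    """Constructed toy format (not from the page): MAGIC, type, length, payload.
    A type-2 payload is [offset][...] with a big-endian u32 at 1 + offset."""
    if len(buf) < 4 or buf[:2] != MAGIC:
        raise ValueError("bad header")           # handled gracefully: not a crash
    rtype, length = buf[2], buf[3]
    payload = buf[4:4 + length]
    if rtype == 1:
        return "text", payload.decode("ascii", errors="replace")
    if rtype == 2:
        # Deliberate defect for the demo: offset and length are trusted blindly.
        offset = payload[0]                                              # IndexError if empty
        return "counter", struct.unpack_from(">I", payload, 1 + offset)[0]  # struct.error
    raise ValueError("unknown type")


def run_case(data):
    try:
        parse_record(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception as exc:             # anything the parser did not plan for
        return "crash:" + type(exc).__name__


# Mutation-based ("dumb") fuzzing: perturb a known-good sample.
SEED = MAGIC + bytes([2, 5]) + bytes([0]) + struct.pack(">I", 42)


def mutate(seed, rng):
    data = bytearray(seed)
    op = rng.randrange(4)
    i = rng.randrange(len(data))
    if op == 0:
        data[i] = rng.randrange(256)             # random byte
    elif op == 1:
        data[i] = rng.choice(INTERESTING)        # boundary byte
    elif op == 2:
        data[i] ^= 1 << rng.randrange(8)         # single bit flip
    else:
        del data[rng.randrange(1, len(data)):]   # truncate
    return bytes(data)


# Generational ("smart") fuzzing: build inputs from a model of the format.
def generate(rng):
    rtype = rng.choice([1, 2])                               # model knows the valid types
    declared = rng.choice([0, 1, 4, 5, 6, 255])              # length field, incl. boundaries
    actual = rng.choice([declared, 0, 5, rng.randrange(0, 40)])  # may disagree with declared
    payload = bytes(rng.choice(INTERESTING) if rng.random() < 0.5 else rng.randrange(256)
                    for _ in range(actual))
    return MAGIC + bytes([rtype, declared]) + payload


def fuzz(producer, iterations, seed=1):
    rng = random.Random(seed)                    # fixed seed: the run is reproducible
    stats = {"ok": 0, "rejected": 0, "crashes": {}}
    for _ in range(iterations):
        case = producer(rng)
        outcome = run_case(case)
        if outcome.startswith("crash:"):
            stats["crashes"].setdefault(outcome[6:], case)   # first reproducer per crash type
        else:
            stats[outcome] += 1
    return stats


if __name__ == "__main__":
    for name, producer in (("mutation", lambda r: mutate(SEED, r)), ("generational", generate)):
        s = fuzz(producer, 2000)
        print(f"{name:<12} ok={s['ok']} rejected={s['rejected']} crash types={sorted(s['crashes'])}")
        for kind, case in s["crashes"].items():
            print(f"  {kind}: {case.hex()}")
```

Change the `seed` argument to `fuzz` for a fresh but still reproducible run. The reproducer saved for each crash type is what you would hand to a debugger for root-cause analysis; the `rejected` counter shows how much of the mutation-based run was spent on inputs the header check threw away.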
Windows systems generate logs in the Windows native logging format. To send syslog
events, Windows systems require a helper application or tool. Enterprise wireless access
points, firewalls, and Linux systems all typically support syslog.
Group Policy enforced by Active Directory can ensure consistent logging settings and
can provide regular enforcement of policy on systems.
Joseph may be surprised to discover FTP (TCP port 21) and Telnet (TCP port 23) open on his
network, since both services are unencrypted and have been largely replaced by SSH and by
SCP or SFTP. SSH uses port 22, SMTP uses port 25, and POP3 uses port 110.
Synthetic monitoring (also called active or proactive monitoring) uses emulated or recorded
transactions to monitor for changes in response time, functionality, or other performance
measures. For websites it is done with a browser emulator or scripted recordings of web
transactions; behavioral scripts (or paths) simulate the actions a customer or end user would
take on the site.
Passive monitoring is a technique used to capture traffic from a network by copying traffic,
often from a span port or mirror port or via a network tap. It can be used in application
performance management for performance trending and predictive analysis.
Port Mirroring, also known as SPAN (Switched Port Analyzer), is a method of monitoring network
traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on
one port (or an entire VLAN) to another port, where the packet can be analyzed.
A network TAP is a hardware tool that allows you to access and monitor your network. TAPs transmit
both the send and receive data streams simultaneously on separate dedicated channels, ensuring all
data arrives at the monitoring device in real time.
SPAN sessions add load to the switch, and a SPAN port will often drop mirrored packets when the
device gets busy or when the mirrored traffic exceeds the destination port's bandwidth. Where
complete capture matters, TAPs are the better option.
Fingerprints in the digital world are similar to human fingerprints in the real world.
Simply put, a fingerprint is a set of observable characteristics that can be used to identify
software, network protocols, operating systems, or hardware devices. Fingerprinting (closely
related to footprinting, the broader reconnaissance phase) is the art of correlating those
observations to identify network services, operating systems and their versions, software
applications, databases, configurations, and more. Once a penetration tester has enough
information, this fingerprinting data can be used as part of an exploit strategy against the target.
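As an added example (not from the original notes), here is a small passive TCP/IP stack fingerprinter in Python in the style of p0f: it parses a raw IPv4+TCP SYN, extracts the TTL, DF bit, window size and option layout, and matches them against a signature table. The signature values and the sample packets are constructed assumptions for the demo, not a vetted database; real deployments use maintained signature sets and must allow for middleboxes that rewrite TTLs and options.

```python
import struct

# Illustrative SYN signatures: (name, initial TTL, DF bit, window, option layout).
# These values are assumptions for the demo, not a vetted signature database.
# "M*" and "W*" match any MSS / window-scale value.
SIGNATURES = [
    ("Linux-like stack",   64,  True, 64240, ["M*", "S", "T", "N", "W*"]),
    ("Windows-like stack", 128, True, 64240, ["M*", "N", "W*", "N", "N", "S"]),
]


def parse_tcp_options(raw):
    """Return the option layout as p0f-style tokens, e.g. ['M1460', 'S', 'T', 'N', 'W7']."""
    layout, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP carries no length byte
            layout.append("N")
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            layout.append("M%d" % struct.unpack(">H", body)[0])   # MSS
        elif kind == 3:
            layout.append("W%d" % body[0])                        # window scale
        elif kind == 4:
            layout.append("S")                                     # SACK permitted
        elif kind == 8:
            layout.append("T")                                     # timestamps
        else:
            layout.append("?%d" % kind)
        i += length
    return layout


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)


def parse_syn(pkt):
    """Extract the fingerprint-relevant fields from a raw IPv4+TCP SYN."""
    ver_ihl, _tos, _total, _id, flags_frag, ttl, proto = struct.unpack_from(">BBHHHBB", pkt, 0)
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack_from(">HHIIHH", tcp, 0)
    flags = off_flags & 0x1FF
    if flags & 0x02 == 0 or flags & 0x10:    # want SYN without ACK
        raise ValueError("not a SYN")
    data_off = (off_flags >> 12) * 4
    return {
        "ttl": ttl,
        "initial_ttl": initial_ttl(ttl),
        "df": bool(flags_frag & 0x4000),
        "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
    }


def layout_matches(sig, seen):
    return len(sig) == len(seen) and all(
        s == o or (s.endswith("*") and o.startswith(s[0])) for s, o in zip(sig, seen))


def fingerprint(pkt):
    info = parse_syn(pkt)
    for name, ttl, df, window, layout in SIGNATURES:
        if (info["initial_ttl"], info["df"], info["window"]) == (ttl, df, window) \
                and layout_matches(layout, info["options"]):
            return name
    return "unknown"


# Constructed sample packets (not captured traffic). The TTLs are shown as they would
# arrive after several hops, which is why they are rounded up before matching.
def build_syn(ttl, df, window, options):
    tcp_len = 20 + len(options)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    tcp = struct.pack(">HHIIHHHH", 51514, 443, 1000, 0, ((tcp_len // 4) << 12) | 0x002,
                      window, 0, 0)
    return ip + tcp + options

LINUX_OPTS = (struct.pack(">BBH", 2, 4, 1460) + bytes([4, 2]) +
              struct.pack(">BBII", 8, 10, 12345, 0) + bytes([1]) + bytes([3, 3, 7]))
WINDOWS_OPTS = (struct.pack(">BBH", 2, 4, 1460) + bytes([1]) + bytes([3, 3, 8]) +
                bytes([1, 1]) + bytes([4, 2]))
LINUX_SYN = build_syn(57, True, 64240, LINUX_OPTS)
WINDOWS_SYN = build_syn(120, True, 64240, WINDOWS_OPTS)
UNKNOWN_SYN = build_syn(200, True, 64240, WINDOWS_OPTS)   # TTL in the 255 class: no signature

if __name__ == "__main__":
    for label, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("unknown", UNKNOWN_SYN)):
        print(label, parse_syn(pkt), "->", fingerprint(pkt))
```

The option layout is the most discriminating field here: two stacks that share a default window and TTL class still order and pad their TCP options differently. Because the packet is only read, never sent, this is passive fingerprinting and generates no traffic an IDS could flag.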
Real user monitoring (RUM) is a passive monitoring technique that records actual users'
interactions with an application or system to verify performance and proper application
behavior. Because it depends on real traffic, RUM is used after deployment, against the actual
user interface in production.
Nmap is a port scanner.
zzuf is a fuzzer designed to work with tools like web browsers, image viewers, and similar
software by modifying the network and file input they receive; its name is "fuzz" spelled backward.
Nikto, Burp Suite, and Wapiti are all web application scanners.
Nessus is a network vulnerability scanner.
sqlmap is a dedicated SQL injection testing tool that can also fingerprint and enumerate the
back-end database.
All support OS fingerprinting.
Metasploit is a pentest tool and is an exploitation package that is designed to assist penetration
testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been
created or can create their own exploits using the tool. While Metasploit provides built-in
access to some vulnerability scanning functionality, a tester using Metasploit should
primarily be expected to perform actual tests of exploitable vulnerabilities.
Passive scanning can help identify rogue devices by capturing MAC address vendor
IDs that do not match deployed devices, by verifying that systems match inventories of
organizationally owned hardware by hardware address, and by monitoring for rogue
SSIDs or connections.
Passive monitoring only works after issues have occurred because it requires actual
traffic. Synthetic monitoring uses simulated or recorded traffic and thus can be used to
proactively identify problems. Both synthetic and passive monitoring can be used to detect
functionality issues.
Scripted attacks are part of active scanning rather than passive scanning, and active
scanning is useful for testing IDS or IPS systems, whereas passive scanning will not be
detected by detection systems. Finally, a shorter dwell time can actually miss troublesome
traffic, so balancing dwell time versus coverage is necessary for passive wireless
scanning efforts.
Regression testing, which is a type of functional or unit testing, ensures that changes have
not introduced new issues. Nonregression testing checks whether a change has had the effect it
was supposed to, and smoke testing focuses on simple problems that affect critical functionality.
The Common Vulnerabilities and Exposures (CVE) database provides a consistent
reference for identifying security vulnerabilities. The Open Vulnerability and Assessment
Language (OVAL) is used to describe the security condition of a system. The Extensible
Configuration Checklist Description Format (XCCDF) is used to create security checklists
in a standardized fashion. The Script Check Engine (SCE) is designed to make scripts
interoperable with security policy definitions.
Fagan inspection is a formal, detailed code review that steps through planning, overview,
preparation, inspection, rework, and follow-up phases.
The Common Vulnerability Scoring System (CVSS) includes metrics and calculation
tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be
remediated, as well as a means to score vulnerabilities against users’ unique requirements.
NVD is the National Vulnerability Database, CSV is short for comma-separated values,
and VSS (Visual SourceSafe) is an irrelevant term related to software development rather
than vulnerability management.
The Common Platform Enumeration (CPE) component of SCAP provides a consistent
way to refer to operating systems and other system components. The Common
Vulnerabilities and Exposures (CVE) component provides a consistent way to refer to
security vulnerabilities. The Common Weaknesses Enumeration (CWE) component
helps describe the root causes of software flaws. The Open Vulnerability and Assessment
Language (OVAL) standardizes steps of the vulnerability assessment process.
Authenticated (credentialed) scans log in to the target with an account, typically read-only,
to inspect configuration files and installed software directly, allowing more accurate
detection of vulnerabilities and far fewer false positives than unauthenticated scans. The
scan account should be granted only the access the scanner needs.
Microsoft’s STRIDE threat assessment model places threats into one of six categories:
■ Spoofing—threats that involve impersonating a user, system, or component, for example by
forging credentials or falsifying legitimate communications
■ Tampering—threats that involve the malicious modification of data or code
■ Repudiation—threats in which a user can deny having performed an action because the
system cannot prove otherwise
■ Information disclosure—threats that involve exposure of data to unauthorized individuals
■ Denial of service—threats that deny service to legitimate users
■ Elevation of privilege—threats that give unauthorized users higher privileges
Statement coverage verifies that every line of code was executed during the test. Branch
(decision) coverage verifies that every if statement was exercised under both its true and
false outcomes. Condition coverage verifies that every individual Boolean sub-expression in
the code evaluated to both true and false; this matters when conditions are combined with
and/or, because a decision can take both outcomes while one of its sub-conditions never
changes. Function coverage verifies that every function in the code was called and returned.