Security Testing
Kevin Brey, Ryan Clark, Luke Joswiak, Jeff Lawinger, Jake Lokkesmoe

● Availability Testing - Luke
● Authentication Testing - Jeff
● Confidentiality Testing - Kevin
● Penetration Testing - Jake
● Integrity Testing - Ryan

Availability

- Make sure the system is available for authorized users when they want to use the system.
- Exception: planned, minimized maintenance time.

MSDN Testing for Availability

- “Running an application for planned period of time, collecting failure events and repair times, compare availability percentage to original service level agreement” (MSDN)
- “Primarily concerned with measuring and minimizing actual repair time.”
- Availability (%) = (MTBF / (MTBF + MTTR)) × 100, where MTBF is Mean Time Between Failures and MTTR is Mean Time To Repair.
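The MSDN procedure above (run for a planned period, collect failure events and repair times, compare the availability percentage with the SLA) worked through in code. This is an added example, not from the slides or from MSDN; the observation window, the three outages and the SLA values are constructed sample data, and the `planned_maintenance_hours` parameter is an assumption that implements the slide's exception for planned maintenance by excluding it from the measured period.

```python
from datetime import datetime

# Constructed sample data (not from the slides): one month of observation
# and three outages recorded as (failure detected, service repaired).
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 1, 31)
FAILURES = [
    (datetime(2024, 1, 5, 3, 0), datetime(2024, 1, 5, 4, 30)),      # 1.5 h repair
    (datetime(2024, 1, 18, 22, 0), datetime(2024, 1, 19, 0, 0)),    # 2.0 h repair
    (datetime(2024, 1, 27, 12, 0), datetime(2024, 1, 27, 12, 45)),  # 0.75 h repair
]


def hours(delta):
    """timedelta -> hours as a float."""
    return delta.total_seconds() / 3600.0


def mtbf_mttr(window_start, window_end, failures, planned_maintenance_hours=0.0):
    """Return (MTBF, MTTR) in hours for the observation window.

    Planned maintenance (assumed parameter) is excluded from the measured
    period, matching the slide's exception for planned, minimized maintenance.
    """
    measured = hours(window_end - window_start) - planned_maintenance_hours
    repair = [hours(end - start) for start, end in failures]
    if not repair:
        return measured, 0.0           # no failures: MTBF is the whole period
    mttr = sum(repair) / len(repair)   # mean time to repair
    mtbf = (measured - sum(repair)) / len(repair)  # mean up-time between failures
    return mtbf, mttr


def availability_pct(mtbf, mttr):
    """The MSDN formula: (MTBF / (MTBF + MTTR)) x 100."""
    return mtbf / (mtbf + mttr) * 100.0


def check_sla(window_start, window_end, failures, sla_pct, planned_maintenance_hours=0.0):
    """Compare measured availability with the SLA; returns (availability %, meets SLA)."""
    mtbf, mttr = mtbf_mttr(window_start, window_end, failures, planned_maintenance_hours)
    avail = availability_pct(mtbf, mttr)
    return avail, avail >= sla_pct


if __name__ == "__main__":
    avail, ok = check_sla(WINDOW_START, WINDOW_END, FAILURES, sla_pct=99.9)
    print(f"availability {avail:.4f}% -> {'meets' if ok else 'misses'} the 99.9% SLA")
```

Because MTBF + MTTR is simply the measured period divided by the failure count, the formula reduces to up-time divided by measured time; the sample data (4.25 hours of repair in a 720-hour month) gives about 99.41%, which passes a 99% SLA but misses a 99.9% one.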

Backup for Failure

- Backup site on a separate server.
- Test for recovery and appropriate changeover when some system fails. (MSDN)

Database Mirroring

[Diagram: Website backed by a Primary Database, mirrored to a Secondary Database]

Strategies

- Security testing should be made an integral part of the testing process.
- Include it before code is written (during the SDLC).
- Keep track of tests and bugs in bug tracking software.

Authentication Testing

Authentication Definition:
- To establish as genuine. (Dictionary.com)
- Also called Access Control

Sources:
- “Testing for authentication - OWASP” @ www.owasp.org/index.php/Testing_for_authentication
- “Security Testing” @ https://en.wikipedia.org/wiki/Security_testing

Authentication Testing

Test for:
1. Default Credentials
2. Weak Lock-out
3. “Remember Password” Vulnerabilities
4. Authentication Bypasses
5. Weak Security Questions
6. Weak Password Reset Functionality
7. Alternate Channel Weaknesses

Authentication Testing

Test for Default Credentials:
● Force password change on first usage
● Check code for hard-coded passwords used during unit/integration testing

Test for Weak Lock-outs:
● 3-5 tries maximum
● Lock-out should last a few minutes if not permanent
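A lock-out policy with the limits the slide gives (at most 5 tries, then a lock of a few minutes), written so the behaviour can be unit-tested without sleeping. This is an added example and not code from the slides or from OWASP; the `alice` account, the constant values and the injectable `clock` are assumptions made for the demo.

```python
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # slide guidance: 3-5 tries maximum
LOCKOUT_SECONDS = 300   # slide guidance: lock-out lasts a few minutes

# Constructed user store for the demo; a real system stores salted hashes.
_USERS = {"alice": "correct horse battery staple"}


def check_password(user, password):
    stored = _USERS.get(user, "")
    # constant-time compare so the check itself does not leak length or prefix
    return hmac.compare_digest(stored.encode(), password.encode())


class LockoutPolicy:
    """Per-account failed-attempt counter with a timed lock-out."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:               # lock expired: clear the state
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user):
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = self.clock() + self.lockout_seconds

    def record_success(self, user):
        self.failures[user] = 0
        self.locked_until.pop(user, None)


def attempt_login(policy, user, password):
    """Return 'locked', 'ok' or 'fail'. The lock is checked before the
    password so a locked account is not verified at all."""
    if policy.is_locked(user):
        return "locked"
    if check_password(user, password):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "fail"


class FakeClock:
    """Controllable clock so lock expiry can be tested without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Five wrong guesses, then the right password while locked, then after expiry."""
    clock = FakeClock()
    policy = LockoutPolicy(clock=clock)
    results = [attempt_login(policy, "alice", "wrong") for _ in range(MAX_ATTEMPTS)]
    results.append(attempt_login(policy, "alice", "correct horse battery staple"))  # locked
    clock.t += LOCKOUT_SECONDS + 1
    results.append(attempt_login(policy, "alice", "correct horse battery staple"))  # ok
    return results


if __name__ == "__main__":
    print(demo())
```

The test a reviewer would write against this is exactly `demo()`: the correct password must be refused while the lock is active and accepted once it has expired; if the lock were checked after the password, the lock-out would only slow guessing rather than stop it.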

Authentication Testing

Test for “Remember Password” Vulnerabilities:
● Browsers cache passwords
● Don’t store the password in a cookie

Test for Bypass of Authentication:
● Request a web page within the application directly to skip log on
● Unsecure unit execution allows access to a secure unit
● User “logs out” -- does the “Back” button allow access?

Authentication Testing

Test for Weak Security Questions:
● Challenge questions can lead to easy answers
● Don’t let users create their own questions

Test for Weak Password Reset Functionality:
● Is the password sent via email?

Test Authentication via Alternate Channels:
● All platforms must provide equal strength
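The password-reset check above asks whether the password is sent via email. The reset design that passes that check emails a single-use, short-lived token instead, and stores only a hash of it. This is an added example, not from the slides or OWASP; the 15-minute lifetime, the `alice` account and the `set_password` callback are assumptions for the demo.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60    # short-lived link; value chosen for the example


class PasswordResetService:
    """Single-use, expiring reset tokens. The token is what gets emailed (as a
    link); the password itself is never emailed and never stored in the clear."""

    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable for testing
        self._pending = {}                    # sha256(token) -> (user, expires_at)

    @staticmethod
    def _fingerprint(token):
        # Store only a hash so a leaked table of pending resets is useless.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        expires_at = self.clock() + TOKEN_TTL_SECONDS
        self._pending[self._fingerprint(token)] = (user, expires_at)
        return token

    def redeem(self, token, new_password, set_password):
        entry = self._pending.pop(self._fingerprint(token), None)  # pop: single use
        if entry is None:
            return False
        user, expires_at = entry
        if self.clock() > expires_at:
            return False
        set_password(user, new_password)
        return True


# Constructed user store for the demo (not a real credential database).
_PASSWORDS = {"alice": "old"}


def set_password(user, new_password):
    _PASSWORDS[user] = new_password


class FakeClock:
    """Controllable clock so token expiry can be tested without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Returns (first redeem, replayed redeem, expired redeem)."""
    clock = FakeClock(1000.0)
    svc = PasswordResetService(clock=clock)
    token = svc.issue("alice")
    first = svc.redeem(token, "new-1", set_password)
    replay = svc.redeem(token, "new-2", set_password)
    token2 = svc.issue("alice")
    clock.t += TOKEN_TTL_SECONDS + 1
    expired = svc.redeem(token2, "new-3", set_password)
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

The three properties a tester checks are visible in `demo()`: the token works once, a replay of the same token fails, and a token older than its lifetime fails. A reset flow that emails the existing password, or a token that is reusable or never expires, fails this slide's check.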

Confidentiality Testing

● Ensure sensitive data can be accessed by those authorized and only by those authorized

● Sensitive data - any data that must be protected in memory, over the network, or in persistent stores

Enforcing Confidentiality

● Encryption
● Access Control Lists (ACL)

Encryption

● Used to protect sensitive data in a message

● Unencrypted data (plaintext) is converted to encrypted data (ciphertext) and then decrypted to plaintext when needed.

● Data is encrypted with an algorithm and a private cryptographic key.

● Seeds for “random” values must be cryptographically strong

Encryption

● Encryption depends on random private keys
● By nature, computers are not random
  ○ Pseudorandom number generator (PRNG)
● Detect weak PRNG by inspection
  ○ What physical events are gathered?
  ○ Why are these “random”?
  ○ How are they mixed?
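The inspection questions above (what is gathered, why it is random, how it is mixed) can be backed by two mechanical checks: a source scan for non-cryptographic PRNG calls, and a reproducibility test showing that a generator seeded from a guessable value returns the same "random" token twice. This is an added example, not from the slides; the token formats, the clock-seeded anti-pattern and the regex list are constructed for the demonstration.

```python
import random
import re
import secrets
import time


def weak_token(seed):
    """Token from Python's Mersenne Twister (random) seeded with a small value.
    Same seed -> same token: the generator is deterministic and the seed is the
    only entropy, which is the inspection finding."""
    rng = random.Random(seed)
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(16))


def clock_seeded_token(clock=time.time):
    """Common anti-pattern: seed from the wall clock in whole seconds. Every
    caller within the same second receives the same token."""
    return weak_token(int(clock()))


def strong_token():
    """OS CSPRNG via secrets: entropy gathered from hardware events and mixed
    by the kernel, which is the answer to the three inspection questions."""
    return secrets.token_hex(16)


# Non-cryptographic generators that should not appear on a key or token path.
_WEAK_PRNG = re.compile(
    r"\b(random\.(?:random|randint|randrange|getrandbits|choice|seed)|Math\.random)\b"
)


def scan_for_weak_prng(source):
    """Inspection aid: list weak PRNG calls found in source text, in order."""
    return _WEAK_PRNG.findall(source)


def reproducibility_check(gen, calls=2):
    """True if repeated calls of gen() return an identical value, i.e. the
    generator is not fit for keys, nonces or session tokens."""
    values = [gen() for _ in range(calls)]
    return len(set(values)) < len(values)


if __name__ == "__main__":
    frozen = lambda: 1_700_000_000.42        # two calls in the same second
    print("clock-seeded reproducible:", reproducibility_check(lambda: clock_seeded_token(frozen)))
    print("secrets reproducible:     ", reproducibility_check(strong_token))
    print(scan_for_weak_prng("session = random.getrandbits(128)\nnonce = secrets.token_bytes(12)"))
```

The scan is deliberately a crude text match; its purpose is to produce the list of call sites a reviewer then inspects by hand with the slide's three questions, not to decide on its own.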

Access Control Lists

● List of permissions attached to an object
● Restrictions depend on impact factors
  ○ How much data could be disclosed?
  ○ How sensitive is this data?
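An ACL check that combines the two ideas on this slide: permissions attached to the object, and restrictions that scale with the impact factors (record count and sensitivity). It also produces the review list a confidentiality tester wants, namely who can read each object. This is an added example, not from the slides; the sensitivity levels, the clearance rule and the sample resources and principals are constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Resource:
    name: str
    sensitivity: Sensitivity
    record_count: int                         # "how much data could be disclosed?"
    acl: dict = field(default_factory=dict)   # principal or group -> set of actions


@dataclass
class Principal:
    name: str
    clearance: Sensitivity
    groups: set = field(default_factory=set)


def is_allowed(principal, resource, action):
    """An ACL entry for the user or one of their groups must grant the action,
    and (assumed rule) the user's clearance must cover the object's sensitivity."""
    subjects = [principal.name, *principal.groups]
    granted = any(action in resource.acl.get(s, set()) for s in subjects)
    return granted and principal.clearance >= resource.sensitivity


def readers_of(resource, principals, action="read"):
    """Everyone who can perform `action` on the object: the list a tester
    compares against the set of people who are supposed to be authorized."""
    return sorted(p.name for p in principals if is_allowed(p, resource, action))


def overexposed(resources, principals, max_readers):
    """Objects at CONFIDENTIAL or above whose reader count exceeds the limit,
    together with the records that would be disclosed."""
    findings = []
    for r in resources:
        if r.sensitivity >= Sensitivity.CONFIDENTIAL:
            readers = readers_of(r, principals)
            if len(readers) > max_readers:
                findings.append((r.name, r.record_count, readers))
    return findings


# Constructed sample data for the demo.
RESOURCES = [
    Resource("public-site", Sensitivity.PUBLIC, 10, {"everyone": {"read"}}),
    Resource("customer-pii", Sensitivity.RESTRICTED, 250_000,
             {"dba": {"read", "write"}, "support": {"read"}}),
    Resource("salary-report", Sensitivity.CONFIDENTIAL, 900,
             {"everyone": {"read"}}),          # too broad: surfaces in overexposed()
]
PRINCIPALS = [
    Principal("alice", Sensitivity.RESTRICTED, {"dba", "everyone"}),
    Principal("bob", Sensitivity.INTERNAL, {"support", "everyone"}),
    Principal("carol", Sensitivity.RESTRICTED, {"everyone"}),
]


if __name__ == "__main__":
    for r in RESOURCES:
        print(r.name, "readable by", readers_of(r, PRINCIPALS))
    print("overexposed:", overexposed(RESOURCES, PRINCIPALS, max_readers=2))
```

Note how `bob` holds an ACL grant on `customer-pii` through the `support` group but is still refused: the ACL says what is allowed, and the sensitivity rule narrows that further for high-impact objects. `salary-report` shows the opposite failure, a grant to `everyone` on confidential data, which is what the exposure review catches.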

Access Restrictions

Access to high security information may involve training on the best practices for keeping data secure.
● Passwords
  ○ Sony - passwords.xlsx
● Phishing
  ○ Wall Street - FIN4

Penetration Testing

● An attack on a computer system with the intention of finding and exploiting security weaknesses.

● Unlike a simple security assessment or “vulnerability scan,” a penetration test tries to prove (or disprove) real-world attack vectors against a system.

Penetration Testing Methods

● May involve automated tools and processes
● But the focus is on the individual or team of testers.
  ○ Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are often vulnerable to the unique nature of the human mind.

Reasons for Penetration Testing

● Determine the feasibility of a set of attack vectors.

● Identify high-risk vulnerabilities that result from a combination of multiple low-risk vulnerabilities.

● Identify vulnerabilities that cannot be detected by automated software.

● Assess the magnitude of potential attack impacts.
  ○ How much data can be compromised?

● Test the ability of network defenders to detect and respond to attacks.

Strategies for Penetration Testing

● Hire the right team
  ○ The last thing you want after a penetration test is to have no actionable results
● Blackbox vs. Whitebox
  ○ Letting the attackers see the code might help them discover weaknesses, but it might also limit their ability to think “outside the box.”
● Schedule properly
  ○ Make sure that the system is free to be unavailable

Integrity Testing

● Ensures that any information received by the system has not been altered by unauthorized people during transit.

Sources:
- “Integrity” @ http://searchdatacenter.techtarget.com/definition/integrity
- “Confidentiality, Integrity, & Availability (CIA)” @ http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

Possible Sources for a loss in Integrity

● Physical environment of network terminals and servers.
● Access to data.
● Authentication practices.
● Environmental hazards from heat, dust, and electrical surges.

Practices to Protect Data Integrity

● Servers can only be accessed by network administrators.
● Cover and lock cables and connectors to protect against tampering.
● Use version control to prevent accidental changes and deletions by authorized users.

Other Practices

● Use checksums to verify integrity.
● Backups must be used in order to restore affected data.
● Non-human causes: ways of detecting power surges, electromagnetic pulse (EMP) and server crashes.
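The first two practices above (checksums to verify integrity, backups to restore affected data) in working form: a SHA-256 manifest is taken when the backup is made, and verifying it later reports exactly which files were modified, removed or added, so only the affected data has to be restored. This is an added example, not from the slides; the directory contents and the tampering steps are constructed inside a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Streamed SHA-256 so large backup files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the directory with the manifest. Returns the three lists an
    operator needs: files to restore, files to restore, and files to remove."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, name, data):
    mode = "ab" if isinstance(data, bytes) else "a"
    with open(os.path.join(root, name), mode) as f:
        f.write(data)


def demo():
    """Constructed scenario: snapshot, verify clean, tamper, verify again.
    Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "config.ini", "debug=false\n")
        _write(root, "users.db", b"\x00" * 1024)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        _write(root, "config.ini", "debug=true\n")        # altered in place
        os.remove(os.path.join(root, "users.db"))          # lost
        _write(root, "extra.txt", "not in the backup\n")  # appeared afterwards
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:   ", clean)
    print("tampered:", tampered)
```

The manifest itself must be stored somewhere the data's attacker or failure cannot reach (with the off-site backup, or signed), otherwise a change to the data can be accompanied by a matching change to its checksum and the check proves nothing.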

Questions?

● Availability Testing - Luke
● Authentication Testing - Jeff
● Confidentiality Testing - Kevin
● Penetration Testing - Jake
● Integrity Testing - Ryan