Security Testing Kevin Brey, Ryan Clark, Luke Joswiak, Jeff Lawinger, Jake Lokkesmoe.
Security Testing
● Availability Testing - Luke
● Authentication Testing - Jeff
● Confidentiality Testing - Kevin
● Penetration Testing - Jake
● Integrity Testing - Ryan
Availability
- Make sure the system is available for authorized users when they want to use it.
- Exception: planned, minimized maintenance time.
MSDN Testing for Availability
- “Running an application for planned period of time, collecting failure events and repair times, compare availability percentage to original service level agreement” - MSDN
- “Primarily concerned with measuring and minimizing actual repair time.”
- Availability (%) = (MTBF / (MTBF + MTTR)) x 100, where MTBF = Mean Time Between Failures and MTTR = Mean Time To Repair
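The MSDN procedure above (run for a planned period, collect failure events and repair times, compare the resulting availability with the SLA) carried through in code. This is an added example, not part of the slides: the failure log, the 31-day observation window and the 99.9% SLA value are all constructed for illustration.

```python
"""Availability measurement from a constructed failure/repair log.

Added example (not from the original slides): performs the MSDN-style
calculation the slide describes.  The log entries, the observation
window and the SLA value are constructed for illustration.
"""
from datetime import datetime

# Constructed failure log: (time service failed, time service was restored).
# In practice these come from monitoring or incident-tracking tooling.
FAILURE_LOG = [
    (datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 2, 30)),     # 30 min outage
    (datetime(2024, 1, 12, 14, 0), datetime(2024, 1, 12, 15, 0)),  # 60 min outage
    (datetime(2024, 1, 25, 9, 0), datetime(2024, 1, 25, 9, 15)),   # 15 min outage
]

OBSERVATION_START = datetime(2024, 1, 1)
OBSERVATION_END = datetime(2024, 2, 1)   # 31-day planned test window (assumed)
SLA_PERCENT = 99.9                       # assumed service level agreement


def repair_times(log):
    """Per-incident repair durations in hours."""
    return [(up - down).total_seconds() / 3600 for down, up in log]


def mttr_hours(log):
    """Mean Time To Repair: average outage duration."""
    rt = repair_times(log)
    return sum(rt) / len(rt) if rt else 0.0


def mtbf_hours(log, start, end):
    """Mean Time Between Failures: total uptime divided by number of failures."""
    window = (end - start).total_seconds() / 3600
    downtime = sum(repair_times(log))
    if not log:
        return window
    return (window - downtime) / len(log)


def availability_percent(log, start, end):
    """Slide formula: (MTBF / (MTBF + MTTR)) x 100."""
    if not log:
        return 100.0
    mtbf = mtbf_hours(log, start, end)
    mttr = mttr_hours(log)
    return mtbf / (mtbf + mttr) * 100


def meets_sla(log, start, end, sla=SLA_PERCENT):
    """Compare measured availability with the agreed service level."""
    return availability_percent(log, start, end) >= sla


if __name__ == "__main__":
    avail = availability_percent(FAILURE_LOG, OBSERVATION_START, OBSERVATION_END)
    print(f"MTBF = {mtbf_hours(FAILURE_LOG, OBSERVATION_START, OBSERVATION_END):.2f} h")
    print(f"MTTR = {mttr_hours(FAILURE_LOG):.2f} h")
    verdict = "PASS" if meets_sla(FAILURE_LOG, OBSERVATION_START, OBSERVATION_END) else "FAIL"
    print(f"Availability = {avail:.3f}% (SLA {SLA_PERCENT}%): {verdict}")
```

With the constructed log, 1.75 hours of downtime in a 744-hour window gives roughly 99.765% availability, which fails a 99.9% SLA; the arithmetic also shows that the MTBF/(MTBF+MTTR) form reduces to uptime divided by the observation window.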
Backup for Failure
- Backup site on a separate server.
- Test for recovery and appropriate changeover when some system fails. (MSDN)
Strategies
- Availability testing should be made an integral part of the testing process.
- Include it before code is written (during the SDLC).
- Keep track of tests and bugs in bug tracking software.
Authentication Testing
Authentication Definition:
- To establish as genuine. (Dictionary.com)
- Also called Access Control
Sources:
- “Testing for authentication - OWASP” @ www.owasp.org/index.php/Testing_for_authentication
- “Security Testing” @ https://en.wikipedia.org/wiki/Security_testing
Authentication Testing
Test For:
1. Default Credentials
2. Weak Lock-out
3. “Remember Password” Vulnerabilities
4. Authentication Bypasses
5. Weak Security Questions
6. Weak Password Reset Functionality
7. Alternate Channel Weaknesses
Authentication Testing
Test for Default Credentials
● Force password change on first usage
● Check code for hard-coded passwords used during unit/integration testing
Test for Weak Lock-outs
● 3-5 tries maximum
● Lock-out should last a few minutes if not permanent
Authentication Testing
Test for “Remember Password” Vulnerabilities
● Browsers cache passwords
● Don’t store the password in a cookie
Test for Bypass of Authentication
● Call for a web page within the application to skip log on
● Unsecure unit execution allows access to a secure unit
● User “logs out” -- does the “Back” button allow access?
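The two checks from the lock-out slide and the bypass slide (a limit of 3-5 tries followed by a lock of a few minutes, and a log-out that really ends the session so the “Back” button cannot get back in) written as a small login model with test cases against it. This is an added example, not code from the slides or their sources; the class name, the limits and the sample user records are assumed.

```python
"""Lock-out and log-out checks, as an added example (not from the slides).

Models a login service with the policy the slides recommend: at most
MAX_ATTEMPTS failed tries, then a lock lasting LOCKOUT_SECONDS, and a
log-out that invalidates the session server-side so a cached page
cannot be reused.  Names, limits and the sample user table are assumed.
"""
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # slides: 3-5 tries maximum
LOCKOUT_SECONDS = 300     # slides: lock-out should last a few minutes


class LoginService:
    def __init__(self, users, clock=time.time):
        self.users = users          # username -> password (demo only; store hashes in practice)
        self.clock = clock          # injectable clock so tests can advance time
        self.failed = {}            # username -> consecutive failed attempts
        self.locked_until = {}      # username -> unlock timestamp
        self.sessions = set()       # active session tokens (server-side state)

    def is_locked(self, username):
        return self.clock() < self.locked_until.get(username, 0)

    def login(self, username, password):
        """Return a session token on success, None on failure or lock-out."""
        if self.is_locked(username):
            return None
        expected = self.users.get(username)
        # Constant-time compare so the check does not leak via timing.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.failed[username] = 0
            token = secrets.token_urlsafe(32)
            self.sessions.add(token)
            return token
        self.failed[username] = self.failed.get(username, 0) + 1
        if self.failed[username] >= MAX_ATTEMPTS:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
            self.failed[username] = 0
        return None

    def is_authenticated(self, token):
        """Server-side check a protected page must make on every request."""
        return token in self.sessions

    def logout(self, token):
        """Invalidate server-side, so 'Back' cannot reuse the old token."""
        self.sessions.discard(token)


def check_lockout_policy():
    """Test case: MAX_ATTEMPTS wrong passwords lock the account; the lock expires."""
    now = [1_000_000.0]
    svc = LoginService({"alice": "correct horse"}, clock=lambda: now[0])
    for _ in range(MAX_ATTEMPTS):
        assert svc.login("alice", "wrong") is None
    locked = svc.is_locked("alice")
    blocked_even_with_right_password = svc.login("alice", "correct horse") is None
    now[0] += LOCKOUT_SECONDS + 1
    unlocked = svc.login("alice", "correct horse") is not None
    return locked and blocked_even_with_right_password and unlocked


def check_logout_invalidates_session():
    """Test case: after log-out the old token no longer passes the server check."""
    svc = LoginService({"bob": "hunter2"})
    token = svc.login("bob", "hunter2")
    before = svc.is_authenticated(token)
    svc.logout(token)
    after = svc.is_authenticated(token)
    return before and not after


if __name__ == "__main__":
    print("lock-out policy:", "PASS" if check_lockout_policy() else "FAIL")
    print("log-out invalidation:", "PASS" if check_logout_invalidates_session() else "FAIL")
```

The injectable clock is what makes the lock-out duration testable without sleeping; the session set is what makes the “Back” button test meaningful, since a browser-cached page is harmless only if the server re-checks the token on every request.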
Authentication Testing
Test for Weak Security Questions
● Challenge questions can lead to easy answers
● Don’t let users create their own questions
Test for Weak Password Reset Functionality
● Is the password sent via email?
Test Authentication via Alternate Channels
● All platforms must provide equal strength
Confidentiality Testing
● Ensure sensitive data can be accessed by those authorized and only by those authorized
● Sensitive data - any data that must be protected in memory, over the network, or in persistent stores
Encryption
● Used to protect sensitive data in a message
● Unencrypted data (plaintext) is converted to encrypted data (ciphertext) and then decrypted to plaintext when needed.
● Data is encrypted with an algorithm and a private cryptographic key.
● Seeds for “random” values must be cryptographically strong
Encryption
● Encryption depends on random private keys
● By nature, computers are not random
  ○ Pseudorandom number generator (PRNG)
● Detect weak PRNG by inspection
  ○ What physical events are gathered?
  ○ Why are these “random”?
  ○ How are they mixed?
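The inspection questions above (where does the seed come from, and is it really random?) turned into three concrete checks a reviewer can run. This is an added example, not code from the slides: it contrasts a key drawn from Python's `random` module seeded with a timestamp (an assumed bad practice used here only to show the failure) against a key from the OS cryptographic generator via `secrets`; the function names and the sample seed values are assumed.

```python
"""Weak vs strong key seeding, as an added example (not from the slides).

Shows why the seed matters: a PRNG seeded from a low-entropy value (here
a timestamp truncated to the second, an assumed bad practice) gives the
same 'random' key to anyone who knows or can guess the seed, while the
OS CSPRNG behind `secrets` does not.  Names and sample seeds are assumed.
"""
import random
import secrets


def key_from_weak_seed(seed, nbytes=16):
    """Key from Mersenne Twister seeded with a guessable value.
    Deterministic: same seed -> same key."""
    rng = random.Random(seed)
    return rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def key_from_csprng(nbytes=16):
    """Key from the OS cryptographic RNG (secrets); not reproducible."""
    return secrets.token_bytes(nbytes)


def weak_key_is_reproducible(seed=1700000000):
    """Inspection check 1: does the same seed give the same key?
    True here, which is the finding a reviewer writes up."""
    return key_from_weak_seed(seed) == key_from_weak_seed(seed)


def seed_space_is_searchable(target_key, guess_start, guess_count):
    """Inspection check 2: how big is the seed space?  If the seed is a
    one-second timestamp, trying every second in a window reproduces the
    key.  Returns the seed that matches, or None.  A 256-bit seed from
    the OS cannot be searched this way."""
    for seed in range(guess_start, guess_start + guess_count):
        if key_from_weak_seed(seed) == target_key:
            return seed
    return None


def strong_keys_are_distinct(n=100):
    """Inspection check 3: CSPRNG keys do not repeat across calls."""
    keys = {key_from_csprng() for _ in range(n)}
    return len(keys) == n


if __name__ == "__main__":
    print("weak key reproducible:", weak_key_is_reproducible())
    target = key_from_weak_seed(1700000042)   # constructed 'captured' key
    print("seed recovered from timestamp window:",
          seed_space_is_searchable(target, 1700000000, 100))
    print("csprng keys distinct:", strong_keys_are_distinct())
```

The point for a code review is the second check: the generator algorithm matters less than the size of the seed space it is fed from, which is exactly what the slide's "what physical events are gathered?" question is asking.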
Access Control Lists
● List of permissions attached to an object
● Restrictions depend on impact factors
  ○ How much data could be disclosed?
  ○ How sensitive is this data?
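A small access-control-list check that uses the two impact factors named above (how much data could be disclosed, how sensitive it is) to decide when an extra condition applies, the way the next slide ties high-security data to training. This is an added example, not code from the slides; the sensitivity scale, record-count thresholds, training rule and all names are assumed.

```python
"""Access control list check, as an added example (not from the slides).

A minimal ACL attached to an object.  The slides' 'impact factors' (how
much data, how sensitive) are combined into a score, and objects above a
threshold additionally require that the principal has completed
secure-handling training.  All names and thresholds are assumed.
"""
from dataclasses import dataclass, field

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class AclEntry:
    principal: str            # user or group name
    permissions: frozenset    # e.g. frozenset({"read", "write"})


@dataclass
class ProtectedObject:
    name: str
    sensitivity: str          # a key of SENSITIVITY
    record_count: int         # how much data could be disclosed
    acl: list = field(default_factory=list)

    def impact_score(self):
        """Higher when more data, or more sensitive data, is at stake."""
        if self.record_count < 1_000:
            size_factor = 0
        elif self.record_count < 100_000:
            size_factor = 1
        else:
            size_factor = 2
        return SENSITIVITY[self.sensitivity] + size_factor


@dataclass
class Principal:
    name: str
    groups: frozenset = frozenset()
    trained: bool = False     # has completed secure-handling training


def is_allowed(principal, obj, permission, training_threshold=3):
    """Deny by default.  Allow only if an ACL entry grants the permission to
    the user or one of their groups; high-impact objects also require
    training, regardless of the ACL."""
    if obj.impact_score() >= training_threshold and not principal.trained:
        return False
    names = {principal.name} | set(principal.groups)
    return any(e.principal in names and permission in e.permissions for e in obj.acl)


if __name__ == "__main__":
    payroll = ProtectedObject("payroll", "restricted", 50_000,
                              [AclEntry("hr", frozenset({"read"}))])
    alice = Principal("alice", frozenset({"hr"}), trained=True)
    bob = Principal("bob", frozenset({"hr"}), trained=False)
    print("alice read payroll:", is_allowed(alice, payroll, "read"))   # True
    print("bob read payroll:", is_allowed(bob, payroll, "read"))       # False (untrained)
    print("alice write payroll:", is_allowed(alice, payroll, "write")) # False (not in ACL)
```

Deny-by-default and group expansion are the two properties to test first in any ACL implementation: a principal with no matching entry must get nothing, and a group grant must reach its members without also reaching non-members.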
Access Restrictions
Access to high security information may involve training on the best practices for keeping data secure.
● Passwords
  ○ Sony - passwords.xlsx
● Phishing
  ○ Wall Street - FIN4
Penetration Testing
● An attack on a computer system with the intention of finding and exploiting security weaknesses.
● Unlike a simple security assessment or “vulnerability scan,” a penetration test tries to prove (or disprove) real-world attack vectors against a system.
Penetration Testing Methods
● May involve automated tools and processes
● But the focus is on the individual or team of testers.
  ○ Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are often vulnerable to the unique nature of the human mind.
Reasons for Penetration Testing
● Determine the feasibility of a set of attack vectors.
● Identify high-risk vulnerabilities that result from a combination of multiple low-risk vulnerabilities.
● Identify vulnerabilities that cannot be detected by automated software.
● Assess the magnitude of potential attack impacts.
  ○ How much data can be compromised?
● Test the ability of network defenders to detect and respond to attacks.
Strategies for Penetration Testing
● Hire the right team
  ○ The last thing you want after a penetration test is to have no actionable results
● Blackbox vs. Whitebox
  ○ Letting the attackers see the code might help them discover weaknesses, but it might also limit their ability to think “outside the box.”
● Schedule Properly
  ○ Make sure that the system is free to be unavailable
Integrity Testing
● Ensures that any information received by the system has not been altered by unauthorized people during transit.
Sources:
- “Integrity” @ http://searchdatacenter.techtarget.com/definition/integrity
- “Confidentiality, Integrity, & Availability (CIA)” @ http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
Possible Sources for a loss in Integrity
● Physical environment of network terminals and servers.
● Access to data.
● Authentication practices.
● Environmental hazards from heat, dust, and electrical surges.
Practices to Protect Data Integrity
● Servers can only be accessed by network administrators.
● Cover and lock cables and connectors to protect against tampering.
● Using version control to prevent accidental changes and deletions by authorized users.
Other Practices
● Using checksums to verify integrity.
● Backups must be used in order to restore affected data.
● Non-human causes: ways of detecting power surges, electromagnetic pulse (EMP) and server crashes.
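The "checksums to verify integrity" practice above, worked through on the receiving side, with the caveat a practitioner wants: a plain checksum catches accidental corruption, but someone who can alter data in transit can recompute a plain checksum too, so detecting unauthorized alteration (the definition on the Integrity Testing slide) needs a keyed MAC whose key the tamperer does not hold. This is an added example, not code from the slides; the shared key, record format and sample messages are constructed.

```python
"""Integrity checks with a checksum and an HMAC, as an added example (not from the slides).

A plain SHA-256 checksum detects accidental corruption.  Anyone who can
alter the data can also recompute a plain checksum, so for 'altered by
unauthorized people in transit' a keyed HMAC is used, with the key held
only by sender and receiver.  Key and sample data are constructed.
"""
import hashlib
import hmac

# Constructed shared secret; in practice it comes from a key store, never source code.
SHARED_KEY = b"example-shared-key-do-not-use"


def checksum(data: bytes) -> str:
    """Unkeyed integrity value: catches corruption, not tampering."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def tag(data: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed integrity value: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, expected: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(tag(data, key), expected)


def receive(record: bytes, sent_checksum: str, sent_tag: str):
    """Receiver-side check: returns (checksum_ok, tag_ok)."""
    return verify_checksum(record, sent_checksum), verify_tag(record, sent_tag)


def demo():
    """Three deliveries of a constructed record: intact, corrupted, tampered."""
    original = b"transfer:acct=1234;amount=100.00"
    c, t = checksum(original), tag(original)

    intact = receive(original, c, t)

    # Accidental single-bit flip in transit: both checks fail.
    corrupted = bytearray(original)
    corrupted[0] ^= 0x01
    flipped = receive(bytes(corrupted), c, t)

    # Deliberate edit where the plain checksum is recomputed to match:
    # the checksum passes, the HMAC fails because the key is not available.
    tampered = original.replace(b"100.00", b"900.00")
    forged = receive(tampered, checksum(tampered), t)

    return {"intact": intact, "corrupted": flipped, "tampered": forged}


if __name__ == "__main__":
    for name, (cs_ok, tag_ok) in demo().items():
        print(f"{name:9s} checksum={'ok' if cs_ok else 'FAIL'} hmac={'ok' if tag_ok else 'FAIL'}")
```

The same split applies to the backup practice on this slide: a stored checksum next to a backup verifies that the restore is byte-for-byte what was written, while a keyed tag (or a signature) is what tells you the backup itself was not replaced.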