Lecture 13: Security Assessment
and Testing
Information System Security
Iik Muhamad Malik Matin, M.T
Achievement
• Designing and validating assessment, test, and audit strategies
• Conducting security control testing
• Collecting security process data
• Analyzing test output and generating reports
• Conducting or facilitating security audits
Designing and validating assessment, test, and audit strategies
Three main perspectives come into play in planning for an
organization’s assessments, testing, and auditing:
» Internal
» External
» Third-party
Conducting Security Control Testing
Vulnerability Assessment
A vulnerability assessment is performed to identify, evaluate, quantify,
and prioritize security weaknesses in an application or system.
Additionally, a vulnerability assessment provides remediation steps to
mitigate specific vulnerabilities that are identified in the environment.
There are three general types of vulnerability assessments:
» Port scan (not intensive)
» Vulnerability scan (more intensive)
» Penetration test (most intensive)
» Port scan (not intensive)
A port scan uses a tool that communicates over the network with one
or more target systems on various Transmission Control
Protocol/Internet Protocol (TCP/IP) ports. A port scan can discover
ports that probably should be disabled (because they serve no useful
or necessary purpose on a particular system)
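As an added illustration (not part of the lecture), a minimal TCP connect scan in Python against a listener on localhost, followed by the check that matters to a defender: comparing what is open against an allowlist of approved services. The listener and the allowlist are constructed for the demo.

```python
import socket

def start_listener(host="127.0.0.1", port=0):
    """Constructed target for the demo: a listening TCP socket on localhost
    (port 0 lets the OS pick a free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: completes the full handshake, so it needs no raw-socket
    privileges but is also the noisiest scan type in the target's logs."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except (ConnectionRefusedError, socket.timeout):
                results[port] = "closed"      # RST received, or no answer in time
            except OSError:
                results[port] = "filtered"    # e.g. no route / host unreachable
    return results

def unexpected_open_ports(results, allowed):
    """Ports that answered but are not on the system's approved service list;
    these are the candidates the slide says 'probably should be disabled'."""
    return sorted(p for p, state in results.items()
                  if state == "open" and p not in allowed)

if __name__ == "__main__":
    listener = start_listener()
    port = listener.getsockname()[1]
    found = connect_scan("127.0.0.1", [port])
    print(found, unexpected_open_ports(found, allowed={22, 443}))
    listener.close()
```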
» Vulnerability scan (more intensive)
Network-based vulnerability scanning tools send network messages
to systems in a network to identify any utilities, programs, or tools that
may be configured to communicate over the network. These tools
attempt to identify the version of any utilities, programs, and tools;
often, it is enough to know the versions of the programs that are
running, because scanning tools often contain a database of known
vulnerabilities associated with program versions. Scanning tools may
also send specially crafted messages to running programs to see
whether those programs contain any exploitable vulnerabilities.
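An added example (not from the lecture) of the version-matching step a scanner performs: parse service banners, normalise the version, and look it up in a database of affected version ranges. The banners, product names, addresses and EXAMPLE-VULN identifiers are constructed placeholders, not real software or advisories.

```python
import re

# Constructed database: product -> [(first_affected, first_fixed, advisory_id)].
# Placeholder products and EXAMPLE-VULN ids; not real advisories.
KNOWN_VULNS = {
    "exampled": [((2, 4, 0), (2, 4, 50), "EXAMPLE-VULN-0001")],
    "ftpsvc": [((1, 0, 0), (1, 3, 0), "EXAMPLE-VULN-0002"),
               ((1, 2, 5), (1, 2, 8), "EXAMPLE-VULN-0003")],
}

# "Product/1.2.3" is the usual banner shape (HTTP Server headers, FTP/SMTP greetings).
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)")

def parse_version(text):
    """'2.4.49' -> (2, 4, 49); short versions are padded so tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def parse_banner(banner):
    """Return (product, version_tuple), or None when the banner carries no version."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group("product").lower(), parse_version(m.group("version"))

def match_vulns(product, version):
    """Advisory ids whose affected range [first_affected, first_fixed) contains version."""
    return [vid for first, fixed, vid in KNOWN_VULNS.get(product, [])
            if first <= version < fixed]

def scan_banners(banners):
    """banners: {host: banner}. Returns {host: [advisory ids]}. Unparsable banners map
    to None so the reviewer sees 'unknown' rather than a false 'clean' result."""
    findings = {}
    for host, banner in banners.items():
        parsed = parse_banner(banner)
        findings[host] = None if parsed is None else match_vulns(*parsed)
    return findings

# Constructed sample inventory (documentation addresses, placeholder products).
SAMPLE_BANNERS = {
    "192.0.2.10": "ExampleD/2.4.49 (Unix)",
    "192.0.2.11": "ExampleD/2.4.51",
    "192.0.2.12": "220 ftpsvc/1.2.7 ready",   # greeting text precedes the product
    "192.0.2.14": "Welcome",                   # no version: cannot be assessed
}
```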
» Penetration test (most intensive)
The main kinds of penetration testing are:
» Network penetration testing
» Application penetration testing
» Physical penetration testing
» Personnel penetration testing / social engineering
» Network penetration testing
Techniques used in network penetration testing include war dialing, war driving, eavesdropping, and packet sniffing.
» Application penetration testing
An application penetration test is used to identify
vulnerabilities in a software application. Although the principles of
an application penetration test are the same as those of a
network penetration test, the tools and skills are somewhat
different.
» Physical penetration testing
Penetration tests are also performed on the controls
protecting physical premises to see whether it is possible for an
intruder to bypass security controls such as locked doors and
keycard-controlled entrances.
» Social Engineering
Social engineering is any testing technique that employs
some means of tricking people into performing some action or
providing some information that enables the pen tester to break
into an application, system, or network.
» Log Review
Reviewing your various security logs on a regular basis (ideally,
daily) is a critical step in security control testing. Unfortunately, this
important task often ranks only slightly higher than updating
documentation on many administrators’ to-do lists. Log reviews often
happen only after an incident has occurred, but that’s not the time to
discover that your logging is incomplete or insufficient.
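An added example (not from the lecture) of what a routine log review can automate: parse sshd-style authentication lines, flag sources with repeated failed logins inside a short window, and flag silent periods that may mean logging was incomplete. The log lines use documentation addresses and are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines (documentation addresses; not from any real host).
SAMPLE_LOG = """\
Jan 12 10:00:01 bastion sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan 12 10:00:03 bastion sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Jan 12 10:00:04 bastion sshd[811]: Failed password for root from 203.0.113.5 port 4244 ssh2
Jan 12 10:00:09 bastion sshd[812]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Jan 12 10:00:15 bastion sshd[813]: Accepted publickey for alice from 198.51.100.7 port 5101 ssh2
Jan 12 10:20:00 bastion sshd[814]: Accepted publickey for bob from 198.51.100.9 port 6000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse_line(line, year=2024):
    """Syslog timestamps carry no year, so one is supplied; returns (datetime, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")

def failed_logins_by_source(log_text, threshold=3, window=timedelta(minutes=5)):
    """{source: max failures seen inside one window} for sources reaching threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and (f := FAILED_RE.search(parsed[1])):
            events[f.group("src")].append(parsed[0])
    flagged = {}
    for src, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

def logging_gaps(log_text, max_gap=timedelta(minutes=15)):
    """Silent stretches longer than max_gap: a cue to check for lost or disabled logging."""
    stamps = [p[0] for p in (parse_line(l) for l in log_text.splitlines()) if p]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
```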
» Code Review
Code review and testing (sometimes known as peer review) involves
systematically examining application source code to identify bugs,
mistakes, inefficiencies, and security vulnerabilities in software
programs. Source code repositories managed with version control systems such as
Mercurial and Git enable software developers to manage source code in a
collaborative development environment.
» Misuse Case Testing
The opposite of use case testing (in which normal or expected
behavior in a system or application is defined and tested),
abuse/misuse case testing is the process of performing unintended
and malicious actions in a system or application to produce abnormal
or unexpected behavior and thereby identify potential vulnerabilities.
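An added example (not from the lecture) of use-case versus misuse-case testing for a file-download routine: the expected file names must be accepted, and traversal-style inputs that try to escape the download directory must be rejected. The base directory and the inputs are constructed for the test.

```python
from pathlib import Path

def resolve_user_file(base_dir: str, requested: str) -> Path:
    """Map a user-supplied file name onto base_dir, refusing anything that escapes it.
    resolve() normalises '..' and symlinks, and an absolute `requested` replaces base
    entirely (Path semantics), so containment is checked on the resolved result."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"rejected: {requested!r} escapes {base}")
    return target

# Use cases: normal, expected requests the function must accept.
USE_CASES = ["report.txt", "2024/summary.pdf"]
# Misuse cases: deliberately hostile inputs the function must refuse (constructed).
MISUSE_CASES = ["../etc/passwd", "/etc/passwd", "2024/../../secret.key", "..", "x/../../y"]

def run_cases(base_dir: str):
    """Return {input: 'accepted' | 'rejected'} for every use and misuse case."""
    outcome = {}
    for case in USE_CASES + MISUSE_CASES:
        try:
            resolve_user_file(base_dir, case)
            outcome[case] = "accepted"
        except ValueError:
            outcome[case] = "rejected"
    return outcome

def misuse_test_passed(base_dir: str) -> bool:
    """Pass only if every use case is accepted AND every misuse case is rejected;
    a routine that fails either half has a functional or a security defect."""
    outcome = run_cases(base_dir)
    return (all(outcome[c] == "accepted" for c in USE_CASES)
            and all(outcome[c] == "rejected" for c in MISUSE_CASES))

if __name__ == "__main__":
    for case, result in run_cases("/tmp/uploads_demo").items():   # constructed base dir
        print(f"{result:9s} {case}")
```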
» Interface Testing
Interface testing focuses on the interface between different systems
and components. It ensures that functions (such as data transfer and
control between systems or components) perform correctly and as
expected. Interface testing also verifies that any execution errors are
handled properly and do not expose any potential security
vulnerabilities.
Examples of interfaces tested include
» Application programming interfaces (APIs)
» Web services
» Transaction processing gateways
» Physical interfaces, such as keypads, keyboard/mouse/display,
and device switches and indicators
» Compliance Check
In many industries, it’s not enough to be secure; it’s also necessary
to be compliant with various laws, standards, and other types of
obligations. For IT, security, and privacy-related matters, information
security personnel often perform various types of compliance checks
to ensure that organizations are doing what is specifically required of
them.