SKMI Security Testing Presentation

Transcript of SKMI Security Testing Presentation

Page 1

Security Testing Overview

THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC ACCESS BY SECURE KNOWLEDGE MANAGEMENT INC.

www.SecureKM.com

Page 2

The following presentation provides examples of security testing strategies, the most common threats and vulnerabilities, 150 common attack vectors, and a security incident playbook.

Agenda

• Most Common Threats and Vulnerabilities

• Testing Strategies

• Potential Testing Focus Areas

• 150 Common Security Attack Vectors

• Building a Security Incident Playbook

• USA CERT Reporting requirements

Page 3

Most Common Security Threats and Vulnerabilities

Page 4

Most Common Threats

Page 5

Most Common Threats

Page 6

Most Common Threats

Page 7

Most Common Vulnerabilities

Page 8

Testing Strategies

Page 9

Testing Strategies

Black box security testing means that the security tester has no information about or knowledge of the target system, with the possible exception of an IP block. The security tester, also known as a penetration tester, acts as an attacker would, performing reconnaissance to gather information about the organization and its people, services, and systems before launching a controlled attack.

Gray box testing treats a program as a black box that must be analyzed from the outside, but during a gray box test the security tester has been provided with knowledge of what to expect from the system, such as its inputs and outputs, without any detailed knowledge of internal program functions and operation.

Page 10

Testing Strategies

Blue box testing is essentially a review of the system's architecture, including application architecture, hardware and telecommunications integration.

White box security testing is essentially a line-by-line code review.

Page 11

Potential Testing Focus Areas

Page 12

Potential Testing Focus Areas

• Physical Security

• Supply Chain

• Unauthorized Device Connectivity

• Vulnerability Management

• Incident Monitoring

• Identity and Entitlements

• Data Leakage

• Internet of Things

• Information, Server, Telecommunications, Hardcopy Integrity

• Remote Access

• Access to Mobile Asset Contents

• Network Integrity

Page 13

Testing Physical Security

Page 14

Testing Supply Chain

Page 15

Testing Critical Path

Page 16

Testing Unauthorized Devices

Monitoring for unauthorized personnel, connections, devices, and software is performed.
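One concrete form of the monitoring described above is to compare every device that obtains a network address against the authorized-device inventory. The script below is an added example, not SKMI's own tooling: it parses constructed DHCP lease log lines (ISC dhcpd-style syslog), looks each client MAC up in a constructed inventory, and reports the devices that are not on it. The log format, inventory contents and all addresses are constructed for this example.

```python
"""Unauthorized-device detection over DHCP lease log lines.

Added example (not SKMI's own tooling): compares devices seen in DHCP lease
events against an authorized-device inventory and reports the ones that are
not on it. Log format, inventory and all sample values are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: one line per DHCP event, ISC-dhcpd-like syslog style.
SAMPLE_DHCP_LOG = """\
Feb 10 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (print-floor2) via eth0
Feb 10 09:12:44 dhcp1 dhcpd: DHCPACK on 10.20.1.31 to aa:bb:cc:dd:ee:01 (ws-finance-07) via eth0
Feb 10 09:13:10 dhcp1 dhcpd: DHCPACK on 10.20.1.77 to de:ad:be:ef:00:01 via eth0
Feb 10 09:14:02 dhcp1 dhcpd: DHCPDISCOVER from 66:77:88:99:aa:bb via eth0
Feb 10 09:14:03 dhcp1 dhcpd: DHCPACK on 10.20.1.78 to 66:77:88:99:AA:BB (android-5f2c) via eth0
"""

# Constructed authorized-device inventory: MAC -> (asset tag, owner).
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": ("PRN-0042", "Facilities"),
    "aa:bb:cc:dd:ee:01": ("WS-0107", "Finance"),
}

# Only DHCPACK lines matter: an ACK means the client actually got an address.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    interface: str


def parse_leases(log_text):
    """Yield (mac, ip, hostname, interface) for every DHCPACK line.

    MACs are lower-cased so inventory lookups are case-insensitive; the
    hostname is optional in the log and becomes '' when absent."""
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            yield (m["mac"].lower(), m["ip"], m["host"] or "", m["iface"])


def find_unauthorized(log_text, inventory=AUTHORIZED):
    """Return a Finding for every leased device whose MAC is not in the inventory.

    Deduplicated on MAC so a chatty client produces one finding, not many."""
    seen = set()
    findings = []
    for mac, ip, host, iface in parse_leases(log_text):
        if mac in inventory or mac in seen:
            continue
        seen.add(mac)
        findings.append(Finding(mac, ip, host, iface))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_DHCP_LOG):
        print(f"UNAUTHORIZED {f.mac} ip={f.ip} host={f.hostname or '-'} via {f.interface}")
```

In practice the inventory would come from the asset register and the log from the DHCP server or a NAC system; the check stays the same, and the findings feed the incident workflow later in the deck.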

Page 17

Testing Vulnerability Management

Known vulnerability scans are performed.
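A known-vulnerability scan, at its simplest, is an installed-version check against an advisory list. The block below is an added example, not SKMI's tooling: it reads constructed `dpkg -l`-style inventory lines, compares each package's version with the first fixed version from a constructed advisory table, and reports what still needs patching. The advisory identifiers are placeholders, and the version ordering is a simplified dotted-numeric comparison rather than full Debian version semantics.

```python
"""Known-vulnerability check of an installed-package inventory.

Added example, not SKMI's tooling. Matches package name/version pairs from
constructed `dpkg -l`-style lines against a constructed advisory list
("versions below X are affected") and reports the packages that need
patching. Advisory ids and versions are placeholders; the version comparison
is a simplified dotted-numeric ordering, not dpkg's full rules.
"""
import re

# Constructed inventory lines in `dpkg -l` layout: status, name, version, arch, description.
SAMPLE_INVENTORY = """\
ii  openssl          1.0.2g-1       amd64  SSL toolkit
ii  bash             4.3-14         amd64  GNU Bourne Again SHell
ii  nginx-core       1.10.3-1       amd64  nginx web/proxy server
ii  curl             7.52.1-5       amd64  command line tool for transferring data
"""

# Constructed advisories: package -> (placeholder advisory id, first fixed version).
ADVISORIES = {
    "openssl":    ("ADV-PLACEHOLDER-001", "1.0.2h"),
    "bash":       ("ADV-PLACEHOLDER-002", "4.3-14"),
    "nginx-core": ("ADV-PLACEHOLDER-003", "1.12.0"),
}

PKG_RE = re.compile(r"^ii\s+(?P<name>\S+)\s+(?P<version>\S+)\s+\S+")


def version_key(v):
    """Turn '1.0.2g-1' into a comparable tuple: numeric runs as ints, letters as strings.

    Simplified ordering that is enough for this example; real scanners use the
    packaging system's own comparison (e.g. dpkg --compare-versions)."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_inventory(text):
    """Yield (name, version) for every installed ('ii') package line."""
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            yield m["name"], m["version"]


def find_vulnerable(inventory_text, advisories=ADVISORIES):
    """Return [(package, installed, advisory_id, fixed_in)] for packages below the fix.

    A package whose installed version equals the fixed version is not reported."""
    hits = []
    for name, installed in parse_inventory(inventory_text):
        if name not in advisories:
            continue
        adv_id, fixed_in = advisories[name]
        if version_key(installed) < version_key(fixed_in):
            hits.append((name, installed, adv_id, fixed_in))
    return hits


if __name__ == "__main__":
    for name, installed, adv_id, fixed_in in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{adv_id}: {name} {installed} installed, fixed in {fixed_in}")
```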

Page 18

Testing Incident Monitoring

The network is monitored to detect potential cybersecurity events.

Page 19

Testing Identity & Access

Identities and credentials are managed for authorized devices and users.

Page 20

Testing Data Leaks

Protections against data leaks are implemented.

• Mobile attacks 104,427

• Browser attacks 1,700,870,654

• Java attacks 14,000,000

• Host's Source of attacks 10,604,273

• Known Common Vulnerabilities and Exposures 61,439

• New malicious files 8,206,419

• Detection by Anti-Virus software 6,153,370

• Undetected 2,053,049

• Attacks repelled 4,659,920

• New Backdoors and Botnets 275,508

• Identified Trojan 3,981,145

• Exploits for the Rootkits 8,770

• Worms 252,356

• Adware 742,940

• Potential Unwanted Programs 162,731

• Other 2,954,699

Page 21

Testing Internet of Things

Example network topology (diagram): Data Center with APPs; Finance; Suppliers and Customers; Remote Users; CyberSecurity Incident Response Team; Internet; Honey Pot; Insiders; Hackers.

A wireless device carrying a payload like Malware could bypass filtering and scanning to directly deposit the Malware on a vulnerable device.

Page 22

Testing Integrity

Integrity checking mechanisms are used to verify software, firmware, and information integrity.

Scope (diagram): Information, Server, Telecom, Hardcopy
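The integrity-checking mechanism on this slide, for the software and firmware case, usually means a digest manifest: record a cryptographic hash of every file at a known-good point and compare later. The block below is an added example, not SKMI's code. It builds a SHA-256 manifest of a directory tree, seals the manifest with an HMAC so it cannot simply be regenerated by whoever altered the files, and reports files that were modified, removed or added. The directory, key and sample files are constructed inside the script.

```python
"""File integrity verification against a keyed manifest.

Added example (not SKMI's own tooling). Builds a manifest of SHA-256 digests
for a directory tree, protects the manifest with an HMAC so it cannot be
silently regenerated by whoever altered the files, and reports files that
were modified, removed or added since the manifest was taken. Paths, key and
sample files are constructed for this example.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large firmware images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest, key):
    """Serialize deterministically and attach an HMAC-SHA256 tag computed under `key`."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return {"files": manifest, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def open_manifest(sealed, key):
    """Return the file map only if the HMAC verifies; raise ValueError otherwise."""
    body = json.dumps(sealed["files"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest was altered or key is wrong")
    return sealed["files"]


def verify_tree(root, sealed, key):
    """Compare the live tree with the sealed manifest.

    Returns {'modified': [...], 'missing': [...], 'added': [...]} with sorted paths."""
    expected = open_manifest(sealed, key)
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree."""
    key = b"constructed-demo-key-real-keys-live-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"\x7fELF original agent")
        (root / "firmware.img").write_bytes(b"FW v1.0")
        (root / "config.ini").write_text("debug=0\n")
        sealed = seal_manifest(build_manifest(root), key)

        (root / "bin" / "agent").write_bytes(b"\x7fELF altered agent")  # modified
        (root / "config.ini").unlink()                                  # missing
        (root / "bin" / "helper.so").write_bytes(b"dropped library")    # added
        report = verify_tree(root, sealed, key)

        # A manifest rebuilt over the altered tree but carrying the old tag must be rejected.
        forged = {"files": build_manifest(root), "hmac": sealed["hmac"]}
        try:
            open_manifest(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return report, forged_rejected


if __name__ == "__main__":
    print(demo())
```

The HMAC key is the part that makes this a control rather than a report: keep it (or a signing key, for a signed manifest) off the host being checked, otherwise the manifest is only as trustworthy as the files it describes.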

Page 23

Testing Remote Access

Remote access is managed.

Page 24

Testing Access to Assets

Physical access to assets is managed and protected

Page 25

Testing Network Integrity

Page 26

150 Common Security Attack Vectors

Page 27

Most Common Security Incidents

Human Threats to Networks

Threat matrix (diagram; columns Asset, Actor, Motive, Impact, Vector):

• Critical Asset: Network

• Actor: Inside, Outside

• Motive (for each actor): Accidental, Deliberate

• Impact (for each actor and motive): Disclosure, Interruption, Modification, Destruction, Removal

• Vector: Network

BCMS - 20 Human threats to networks.

Page 28

Most Common Security Incidents

Human Threats to Facilities

Threat matrix (diagram; columns Asset, Actor, Motive, Impact, Vector):

• Critical Asset: Facilities

• Actor: Inside, Outside

• Motive (for each actor): Accidental, Deliberate

• Impact (for each actor and motive): Disclosure, Interruption, Modification, Destruction, Removal

• Vector: Physical

BCMS - 20 Human threats to facilities.

Page 29

Most Common Security Incidents

Human Threats to Software Security

Threat matrix (diagram; columns Asset, Actor, Motive, Impact, Vector):

• Critical Asset: Software

• Actor: Inside, Outside

• Motive (for each actor): Accidental, Deliberate

• Impact (for each actor and motive): Disclosure, Interruption, Modification, Destruction, Removal

• Vector: Software

BCMS - 20 Human threats to software.

Page 30

Most Common Security Incidents

Human Threats to Hardware Security

Threat matrix (diagram; columns Asset, Actor, Motive, Impact, Vector):

• Critical Asset: Hardware

• Actor: Inside, Outside

• Motive (for each actor): Accidental, Deliberate

• Impact (for each actor and motive): Disclosure, Interruption, Modification, Destruction, Removal

• Vector: Hardware

BCMS - 20 Human threats to hardware.

Page 31

Most Common Security Incidents

Human Threats to Telecommunications

Threat matrix (diagram; columns Asset, Actor, Motive, Impact, Vector):

• Critical Asset: Telecommunications

• Actor: Inside, Outside

• Motive (for each actor): Accidental, Deliberate

• Impact (for each actor and motive): Disclosure, Interruption, Modification, Destruction, Removal

• Vector: Telecommunications

BCMS - 20 Human threats to telecommunications.

Page 32

Most Common Security Incidents

Human Threats to the Supply Chain

Threat matrix (diagram; columns Asset, Actor, Motive, Impact, Vector):

• Critical Asset: Supply Chain

• Actor: Inside, Outside

• Motive (for each actor): Accidental, Deliberate

• Impact (for each actor and motive): Disclosure, Interruption, Modification, Destruction, Removal

• Vector: Supply Chain

BCMS - 20 Human threats to the Supply Chain.

Page 33

Most Common Security Incidents

Human Threats to Configuration Maintenance

Threat matrix (diagram; columns Asset, Actor, Motive, Impact, Vector):

• Critical Asset: Configuration Maintenance

• Actor: Inside, Outside

• Motive (for each actor): Accidental, Deliberate

• Impact (for each actor and motive): Disclosure, Interruption, Modification, Destruction, Removal

• Vector: Configuration Maintenance

Page 34

Most Common Security Incidents

Threats from Nature

Threat matrix (diagram; columns Asset, Actor, Actor Capability, Impact):

• Critical Asset

• Actor: Nature

• Actor Capability: Water, Wind, Earthquake, Volcano, Fire

• Impact (for each capability): Interruption, Destruction

BCMS - 10 Threats from Nature.

Page 35

Building a Security Incident Playbook

Page 36

Threat Materialization

Page 37

Severity Score

This information will be utilized to calculate a severity score according to the NCISS. The NCISS aligns with the priority levels of the Cyber Incident Severity Schema (CISS):

• Emergency (Black): Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons.

• Severe (Red): Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons.

• High (Orange): Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

• Medium (Yellow): May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

• Low (Green): Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

• Baseline – Minor (Blue): Highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

• Baseline – Negligible (White): Unsubstantiated or inconsequential event.

Page 38

Incident Workflow

Page 39

Incident Workflow

Root-Cause-Analysis (RCA) Workflow Illustration (diagram nodes): Incident Management; Capacity Management; Configuration Management; Service Level Management; Availability Management; RCA Management; Change Management; RCA Knowledge Archive; Intelligence Gathering; Intelligence Records; Post Implementation Review; Request for Change; Matching Prior Knowledge.

Page 40

Incident Workflow

RCA Problem Control Workflow Illustration (diagram): Identification & Recording; Classification; Investigation & Diagnosis; Resolution & Closure; Tracking and Monitoring (Error control).

Page 41

Incident Workflow

RCA Error Control Workflow Illustration (diagram): Error Identification & Recording; Error Assessment; Record error resolution; Close Error & Associated Problems; Change Successfully Implemented; RCF; Tracking and Monitoring Errors (Problem control).

Page 42

Building a Playbook

Incident record template (form fields as laid out on the slide):

Originator: ____________________   Date: _2017_/_02_/_10_

Assigned to: ____________________

Validate Resolution / Closure:   Date: _2017_/_02_/_10_

• Physical sites: ____________________

• Network and Devices: ____________________

• Business Units / Systems: ____________________

Root Cause: ____________________

Corrective/Preventative Action Plan: ____________________

Source (IP): ____________________

Name: ____________________   Date: ____/____/____

Severity Score: ____________________

Description of Cybersecurity Incident: ____________________

Page 43

USA CERT Reporting Requirements

Submitting Incident Notifications

The information elements described in steps 1-7 below are required when notifying US-CERT of an incident:

1. Identify the current level of impact on agency functions or services (Functional Impact).

2. Identify the type of information lost, compromised, or corrupted (Information Impact).

3. Estimate the scope of time and resources needed to recover from the incident (Recoverability).

4. Identify when the activity was first detected.

5. Identify the number of systems, records, and users impacted.

6. Identify the network location of the observed activity.

7. Identify point of contact information for additional follow-up.

Important: Please refrain from adding sensitive personally identifiable information (PII) to incident submissions. Any contact information collected will be handled according to the DHS website privacy policy.

8. Submit the notification to US-CERT.

The following information should also be included if known at the time of submission:

9. Identify the attack vector(s) that led to the incident.

10. Provide any indicators of compromise, including signatures or detection measures developed in relationship to the incident.

11. Provide any mitigation activities undertaken in response to the incident.
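A playbook step that is easy to automate is a pre-submission check of the notification: are the seven required elements filled in, which optional elements are still blank, is the severity one of the CISS priority levels from the Severity Score slide, and does any field contain sensitive PII that the note above says to leave out. The block below is an added example, not SKMI's or US-CERT's own tooling. The record field names, the sample notification and the SSN regex used as a PII stand-in are constructed for this example; a real check would cover whatever PII classes the organization handles.

```python
"""Pre-submission check for a US-CERT incident notification.

Added example, not SKMI's or US-CERT's own tooling. Verifies that a record
carries the seven required elements, lists optional elements still blank,
checks the severity label against the CISS priority levels from the Severity
Score slide, and flags text that looks like sensitive PII (here a US SSN
pattern, as a stand-in) so it can be removed before sending. Field names and
the sample record are constructed for this example.
"""
import re

REQUIRED = {
    "functional_impact": "1. Current level of impact on agency functions or services",
    "information_impact": "2. Type of information lost, compromised, or corrupted",
    "recoverability": "3. Time and resources needed to recover",
    "first_detected": "4. When the activity was first detected",
    "scope": "5. Number of systems, records, and users impacted",
    "network_location": "6. Network location of the observed activity",
    "point_of_contact": "7. Point of contact for follow-up",
}
OPTIONAL = {
    "attack_vectors": "9. Attack vector(s) that led to the incident",
    "indicators": "10. Indicators of compromise / detection measures",
    "mitigations": "11. Mitigation activities undertaken",
}
# CISS priority levels as listed on the Severity Score slide (hyphen used for the dash).
CISS_LEVELS = ("Emergency", "Severe", "High", "Medium", "Low",
               "Baseline - Minor", "Baseline - Negligible")

# Constructed PII pattern: US SSN as NNN-NN-NNNN. Extend for other data classes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _blank(value):
    return value is None or (isinstance(value, str) and not value.strip())


def check_notification(record):
    """Return what blocks submission (missing required, bad severity, PII) and what is merely absent."""
    missing_required = [REQUIRED[k] for k in REQUIRED if _blank(record.get(k))]
    missing_optional = [OPTIONAL[k] for k in OPTIONAL if _blank(record.get(k))]
    severity_ok = record.get("severity") in CISS_LEVELS
    pii_fields = [k for k, v in record.items() if isinstance(v, str) and SSN_RE.search(v)]
    return {
        "ready": not missing_required and severity_ok and not pii_fields,
        "missing_required": missing_required,
        "missing_optional": missing_optional,
        "severity_ok": severity_ok,
        "pii_fields": pii_fields,
    }


def redact_pii(record):
    """Return a copy with SSN-like strings replaced so the record can be re-checked and sent."""
    return {k: (SSN_RE.sub("[REDACTED-SSN]", v) if isinstance(v, str) else v)
            for k, v in record.items()}


# Constructed sample notification with two problems: element 5 is blank and an
# SSN was pasted into the description.
SAMPLE = {
    "functional_impact": "Minimal impact to non-critical services",
    "information_impact": "Possible exposure of internal HR records",
    "recoverability": "Recoverable within 2 days with existing staff",
    "first_detected": "2017-02-10T09:14Z",
    "scope": "",
    "network_location": "10.20.1.0/24 user VLAN",
    "point_of_contact": "SOC duty officer, soc@example.com",
    "severity": "Medium",
    "attack_vectors": "",
    "indicators": "Unexpected DHCP client on user VLAN",
    "mitigations": "Port shut down, host isolated",
    "description": "HR export contained employee SSN 123-45-6789 in clear text",
}

if __name__ == "__main__":
    print(check_notification(SAMPLE))
    print(check_notification(redact_pii(SAMPLE))["pii_fields"])
```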

Page 44


Contact Us

[email protected]

www.SecureKM.com