Transcript of SKMI Security Testing Presentation
Security Testing Overview
THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC ACCESS BY SECURE KNOWLEDGE MANAGEMENT INC.
www.SecureKM.com
The following presentation provides examples of security testing strategies, the most common threats and vulnerabilities, 150 common attack vectors and a security incident playbook.
Agenda
• Most Common Threats and Vulnerabilities
• Testing Strategies
• Potential Testing Focus Areas
• 150 Common Security Attack Vectors
• Building a Security Incident Playbook
• US-CERT Reporting Requirements
Most Common Security Threats and Vulnerabilities
Most Common Threats
Most Common Vulnerabilities
Testing Strategies
Black box security testing means that the security tester has no information about the target system, with the possible exception of an IP block. The security tester, also known as a penetration tester, acts as an attacker would, performing reconnaissance to gather information about the organization and its people, services, and systems before launching a controlled attack.
Gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the security tester has been given knowledge of what to expect from the system, such as its inputs and outputs, but no detailed knowledge of internal program functions and operation.
Blue box testing is essentially a review of the system's architecture, including application architecture, hardware and telecommunications integration.
White box security testing is essentially a line-by-line code review.
Potential Testing Focus Areas
• Physical Security
• Supply Chain
• Unauthorized Device Connectivity
• Vulnerability Management
• Incident Monitoring
• Identity and Entitlements
• Data Leakage
• Internet of Things
• Information, Server, Telecommunications, Hardcopy Integrity
• Remote Access
• Access to Mobile Asset Contents
• Network Integrity
Testing Physical Security
Testing Supply Chain
Testing Critical Path
Testing Unauthorized Devices
Monitoring for unauthorized personnel, connections, devices, and software is performed.
Testing Vulnerability Management
Known vulnerability scans are performed.
Testing Incident Monitoring
The network is monitored to detect potential cybersecurity events.
Testing Identity & Access
Identities and credentials are managed for authorized devices and users.
Testing Data Leaks
Protections against data leaks are implemented.
• Mobile attacks: 104,427
• Browser attacks: 1,700,870,654
• Java attacks: 14,000,000
• Host's Source of attacks: 10,604,273
• Known Common Vulnerabilities and Exposures: 61,439
• New malicious files: 8,206,419
• Detection by Anti-Virus software: 6,153,370
• Undetected: 2,053,049
• Attacks repelled: 4,659,920
• New Backdoors and Botnets: 275,508
• Identified Trojan: 3,981,145
• Exploits for the Rootkits: 8,770
• Worms: 252,356
• Adware: 742,940
• Potential Unwanted Programs: 162,731
• Other: 2,954,699
Testing Internet of Things
Example network topology (diagram): Apps, Data Center, Finance, Suppliers, Customers, Remote Users, Cybersecurity Incident Response Team, Internet, Honey Pot, several Insiders, and Hackers reaching in from the Internet.
A wireless device carrying a payload such as malware could bypass filtering and scanning to deposit the malware directly on a vulnerable device.
Testing Integrity
Integrity checking mechanisms are used to verify software, firmware, and information integrity.
Integrity domains shown: Information, Server, Telecommunications, Hardcopy.
Testing Remote Access
Remote access is managed.
Testing Access to Assets
Physical access to assets is managed and protected.
Testing Network Integrity
150 Common Security Attack Vectors
Most Common Security Incidents: Human Threats to Networks
Asset: Critical Asset
Actor: Inside | Outside
Motive: Accidental | Deliberate
Impact: Disclosure | Interruption | Modification | Destruction | Removal
Vector: Network
BCMS - 20 Human threats to networks (2 actors x 2 motives x 5 impacts).
Most Common Security Incidents: Human Threats to Facilities
Asset: Critical Asset
Actor: Inside | Outside
Motive: Accidental | Deliberate
Impact: Disclosure | Interruption | Modification | Destruction | Removal
Vector: Physical
BCMS - 20 Human threats to facilities (2 actors x 2 motives x 5 impacts).
Most Common Security Incidents: Human Threats to Software Security
Asset: Critical Asset
Actor: Inside | Outside
Motive: Accidental | Deliberate
Impact: Disclosure | Interruption | Modification | Destruction | Removal
Vector: Software
BCMS - 20 Human threats to software (2 actors x 2 motives x 5 impacts).
Most Common Security Incidents: Human Threats to Hardware Security
Asset: Critical Asset
Actor: Inside | Outside
Motive: Accidental | Deliberate
Impact: Disclosure | Interruption | Modification | Destruction | Removal
Vector: Hardware
BCMS - 20 Human threats to hardware (2 actors x 2 motives x 5 impacts).
Most Common Security Incidents: Human Threats to Telecommunications
Asset: Critical Asset
Actor: Inside | Outside
Motive: Accidental | Deliberate
Impact: Disclosure | Interruption | Modification | Destruction | Removal
Vector: Telecommunications
BCMS - 20 Human threats to telecommunications (2 actors x 2 motives x 5 impacts).
Most Common Security Incidents: Human Threats to the Supply Chain
Asset: Critical Asset
Actor: Inside | Outside
Motive: Accidental | Deliberate
Impact: Disclosure | Interruption | Modification | Destruction | Removal
Vector: Supply Chain
BCMS - 20 Human threats to the Supply Chain (2 actors x 2 motives x 5 impacts).
Most Common Security Incidents: Human Threats to Configuration Maintenance
Asset: Critical Asset
Actor: Inside | Outside
Motive: Accidental | Deliberate
Impact: Disclosure | Interruption | Modification | Destruction | Removal
Vector: Configuration Maintenance
Most Common Security Incidents: Threats from Nature
Asset: Critical Asset
Actor (capability): Water | Wind | Earthquake | Volcano | Fire
Impact: Interruption | Destruction
Vector: Nature
BCMS - 10 Threats from Nature (5 actors x 2 impacts).
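As an added example, not part of the SKMI deck, the Python below enumerates the BCMS threat taxonomy laid out in the tables above (seven human threat vectors plus threats from nature) and shows that the combinations add up to the 150 attack vectors the deck title refers to; the catalogue index returned by classify is my own construction, not a BCMS identifier.

```python
from collections import Counter
from itertools import product
from typing import List, NamedTuple, Optional

# Taxonomy transcribed from the BCMS threat tables in the deck.
HUMAN_VECTORS = ["Network", "Physical", "Software", "Hardware",
                 "Telecommunications", "Supply Chain", "Configuration Maintenance"]
ACTORS = ["Inside", "Outside"]
MOTIVES = ["Accidental", "Deliberate"]
HUMAN_IMPACTS = ["Disclosure", "Interruption", "Modification", "Destruction", "Removal"]
NATURE_ACTORS = ["Water", "Wind", "Earthquake", "Volcano", "Fire"]
NATURE_IMPACTS = ["Interruption", "Destruction"]


class Threat(NamedTuple):
    vector: str
    actor: str
    motive: str   # "n/a" for threats from nature, which have no motive column
    impact: str


def build_catalogue() -> List[Threat]:
    """Every (vector, actor, motive, impact) combination the tables imply:
    7 human vectors x 2 actors x 2 motives x 5 impacts = 140,
    plus 5 natural actors x 2 impacts = 10, for 150 in total."""
    human = [Threat(v, a, m, i)
             for v, a, m, i in product(HUMAN_VECTORS, ACTORS, MOTIVES, HUMAN_IMPACTS)]
    nature = [Threat("Nature", a, "n/a", i)
              for a, i in product(NATURE_ACTORS, NATURE_IMPACTS)]
    return human + nature


def count_by_vector(catalogue: List[Threat]) -> dict:
    """Number of threats per vector, e.g. {'Network': 20, ..., 'Nature': 10}."""
    return dict(Counter(t.vector for t in catalogue))


def classify(catalogue: List[Threat], vector: str, actor: str,
             motive: str, impact: str) -> Optional[int]:
    """Map a reported incident onto its catalogue entry (constructed index),
    or None when the combination is outside the taxonomy, e.g. a
    'Modification' impact attributed to a natural actor."""
    probe = Threat(vector, actor, motive, impact)
    return catalogue.index(probe) if probe in catalogue else None


if __name__ == "__main__":
    cat = build_catalogue()
    print(len(cat), count_by_vector(cat))
    print(classify(cat, "Software", "Inside", "Deliberate", "Modification"))
```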
Building a Security Incident Playbook
Threat Materialization
Severity Score
This information will be utilized to calculate a severity score according to the NCISS. The NCISS aligns with the priority levels of the Cyber Incident Severity Schema (CISS):
• Emergency (Black): Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons.
• Severe (Red): Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons.
• High (Orange): Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
• Medium (Yellow): May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
• Low (Green): Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
• Baseline – Minor (Blue): Highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
• Baseline – Negligible (White): Unsubstantiated or inconsequential event.
Incident Workflow
Root-Cause-Analysis (RCA) Workflow Illustration (diagram)
Process areas shown: Incident Management, Capacity Management, Configuration Management, Service Level Management, Availability Management, RCA Management, Change Management, RCA Knowledge Archive.
Flows shown: Intelligence Gathering, Intelligence Records, Matching Prior Knowledge, Request for Change, Post Implementation Review.
RCA Problem Control Workflow Illustration (diagram)
Stages: Identification & Recording -> Classification -> Investigation & Diagnosis -> Resolution & Closure
Tracking and Monitoring runs alongside all stages.
(Error control)
RCA Error Control Workflow Illustration (diagram)
Stages: Error Identification & Recording -> Error Assessment -> Record error resolution -> Close Error & Associated Problems
Tracking and Monitoring Errors runs alongside all stages.
Change Successfully Implemented
RCF
(Problem control)
Building a Playbook (incident record template)
Description of Cybersecurity Incident: ________________________
Severity Score: ________________________
Originator: ________________________  Date: 2017/02/10
Assigned to: ________________________
Validate Resolution / Closure:  Date: 2017/02/10
Source (IP): ________________________
• Physical sites: ________________________
• Network and Devices: ________________________
• Business Units / Systems: ________________________
Root Cause: ________________________
Corrective/Preventative Action Plan: ________________________
Name: ________________________  Date: ____/____/____
US-CERT Reporting Requirements
Submitting Incident Notifications
The information elements described in steps 1-7 below are required when notifying US-CERT of an incident:
1. Identify the current level of impact on agency functions or services (Functional Impact).
2. Identify the type of information lost, compromised, or corrupted (Information Impact).
3. Estimate the scope of time and resources needed to recover from the incident (Recoverability).
4. Identify when the activity was first detected.
5. Identify the number of systems, records, and users impacted.
6. Identify the network location of the observed activity.
7. Identify point of contact information for additional follow-up.
Important: Please refrain from adding sensitive personally identifiable information (PII) to incident submissions. Any contact information collected will be handled according to the DHS website privacy policy.
8. Submit the notification to US-CERT.
The following information should also be included if known at the time of submission:
9. Identify the attack vector(s) that led to the incident.
10. Provide any indicators of compromise, including signatures or detection measures developed in relationship to the incident.
11. Provide any mitigation activities undertaken in response to the incident.
Contact Us
www.SecureKM.com