Security Testing

Kevin Brey, Ryan Clark, Luke Joswiak, Jeff Lawinger, Jake Lokkesmoe
Security Testing
● Availability Testing - Luke
● Authentication Testing - Jeff
● Confidentiality Testing - Kevin
● Penetration Testing - Jake
● Integrity Testing - Ryan
Availability
- Make sure the system is available to authorized users whenever they want to use it.
- The only exception is planned maintenance, which should be kept to a minimum.
MSDN Testing for Availability
- "Running an application for planned period of time, collecting failure events and repair times, compare availability percentage to original service level agreement" - MSDN
- "Primarily concerned with measuring and minimizing actual repair time." - MSDN
- Availability (%) = (MTBF / (MTBF + MTTR)) x 100
  (MTBF = Mean Time Between Failures, MTTR = Mean Time To Repair)
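As an added worked example (not from the original slides), the MSDN measurement above carried out in Python on a constructed 30-day failure log: the unplanned outages and the planned maintenance window are invented for illustration, MTBF is taken as operating time divided by failure count, planned maintenance is excluded as the availability slide allows, and the resulting percentage is compared with an assumed 99.9% SLA.

```python
"""Availability measurement from a failure log: observe a system for a
planned period, collect failure and repair events, derive MTBF and MTTR,
and compare the resulting availability percentage with the SLA target."""
from datetime import datetime, timedelta

# Constructed sample: a 30-day observation window with three unplanned
# outages. Each tuple is (failure detected, service restored). These
# timestamps are invented for the example, not taken from a real system.
WINDOW_START = datetime(2024, 3, 1)
WINDOW_END = datetime(2024, 3, 31)
OUTAGES = [
    (datetime(2024, 3, 4, 2, 10), datetime(2024, 3, 4, 2, 55)),     # 45 min
    (datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 17, 0)),   # 3 h
    (datetime(2024, 3, 27, 23, 30), datetime(2024, 3, 28, 0, 15)),  # 45 min
]
# Planned maintenance is excluded from the calculation (slide: exception
# of planned, minimized maintenance time).
PLANNED_MAINTENANCE = [
    (datetime(2024, 3, 20, 1, 0), datetime(2024, 3, 20, 3, 0)),     # 2 h
]


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def mtbf_mttr(outages, window_start, window_end, planned=()):
    """Return (MTBF, MTTR) in hours.

    MTTR is the mean length of an unplanned outage. MTBF is taken as the
    mean operating time between failures: scheduled time (window minus
    planned maintenance) minus total repair time, divided by failures.
    """
    if not outages:
        raise ValueError("no failures observed; MTBF is undefined")
    repair = sum(_hours(end - start) for start, end in outages)
    maintenance = sum(_hours(end - start) for start, end in planned)
    scheduled = _hours(window_end - window_start) - maintenance
    uptime = scheduled - repair
    return uptime / len(outages), repair / len(outages)


def availability_percent(mtbf: float, mttr: float) -> float:
    """The slide's formula: (MTBF / (MTBF + MTTR)) x 100."""
    return mtbf / (mtbf + mttr) * 100.0


def meets_sla(availability: float, sla_percent: float) -> bool:
    return availability >= sla_percent


def report(outages=OUTAGES, window=(WINDOW_START, WINDOW_END),
           planned=PLANNED_MAINTENANCE, sla_percent=99.9):
    """Summarise the observation period against the SLA (assumed 99.9%)."""
    mtbf, mttr = mtbf_mttr(outages, *window, planned)
    avail = availability_percent(mtbf, mttr)
    return {
        "mtbf_hours": round(mtbf, 2),
        "mttr_hours": round(mttr, 2),
        "availability_percent": round(avail, 3),
        "sla_percent": sla_percent,
        "meets_sla": meets_sla(avail, sla_percent),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With 4.5 hours of unplanned repair in 718 scheduled hours the system reaches 99.373%, well short of a 99.9% target; the report makes clear that MTTR, not outage count, is what must shrink to close the gap, which is the MSDN point about minimizing repair time.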
Backup for Failure
- Backup site on a separate server.
- Test for recovery and appropriate changeover when some part of the system fails.
[Figure (MSDN): Database Mirroring - the Website connects to the Primary Database, which is mirrored to a Secondary Database]
Strategies
- Availability testing should be an integral part of the testing process.
- Plan it before code is written (during the SDLC).
- Keep track of tests and bugs in bug-tracking software.
Authentication Testing
Authentication Definition:
- To establish as genuine. (Dictionary.com)
- Not the same as access control (authorization), which decides what an authenticated user is allowed to do.
Sources: "Testing for authentication - OWASP" @ www.owasp.org/index.php/Testing_for_authentication
"Security Testing" @ https://en.wikipedia.org/wiki/Security_testing
Authentication Testing
Test For:
1. Default Credentials
2. Weak Lock-out
3. "Remember Password" Vulnerabilities
4. Authentication Bypasses
5. Weak Security Questions
6. Weak Password Reset Functionality
7. Alternate Channel Weaknesses
Authentication Testing
Test for Default Credentials:
● Force a password change on first use
● Check the code for hard-coded passwords left over from unit/integration testing
Test for Weak Lock-outs:
● 3-5 failed attempts maximum before the account locks
● The lock-out should last at least a few minutes, if not until an administrator unlocks the account
Authentication Testing
Test for "Remember Password" Vulnerabilities:
● Browsers cache passwords
● Don't store the password in a cookie
Test for Bypass of Authentication:
● Request a page inside the application directly to skip the log-on
● Does an unsecured unit allow access to a secured unit?
● After the user "logs out", does the "Back" button still give access?
Authentication Testing
Test for Weak Security Questions:
● Challenge questions often have easily guessed or researched answers
● Don't let users create their own questions
Test for Weak Password Reset Functionality:
● Is the password sent via email?
Test Authentication via Alternate Channels:
● All platforms (web, mobile, API) must provide equal strength
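The default-credential, lock-out and log-out/"Back" button checks above, as an added example written for this page (not code from the slides or from OWASP): a small in-memory login service models the controls, and each check is a function that returns whether the control behaves as the slide requires. The salted PBKDF2 hashing, the 5-attempt / 300-second lock-out values and the user names are assumptions chosen for the example; the session cookie carries a random token, never the password.

```python
"""Login service modelling the controls on the slides (default credential
must be changed, lock-out after repeated failures, server-side log-out),
plus the tester's checks against each of them."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 5        # slide: 3-5 tries maximum (assumed value)
LOCKOUT_SECONDS = 300   # slide: lock-out lasts a few minutes (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 for the example; iteration count kept low so it runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change: bool = False      # True for vendor/default credentials
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class AuthService:
    clock: float = 0.0             # injectable time so tests can fast-forward
    accounts: dict = field(default_factory=dict)
    sessions: set = field(default_factory=set)

    def add_user(self, user: str, password: str, default_credential: bool = False):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt),
                                      must_change=default_credential)

    def login(self, user: str, password: str):
        """('ok', token) | ('change_required', token) | ('denied', reason)."""
        acct = self.accounts.get(user)
        if acct is None:
            return ("denied", "bad credentials")   # same text as a wrong password
        if acct.locked_until > self.clock:
            return ("denied", "locked")
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = self.clock + LOCKOUT_SECONDS
                acct.failures = 0
            return ("denied", "bad credentials")
        acct.failures = 0
        token = secrets.token_urlsafe(32)          # random session id, never the password
        self.sessions.add(token)
        return ("change_required" if acct.must_change else "ok", token)

    def set_password(self, token: str, user: str, new_password: str) -> bool:
        if token not in self.sessions:
            return False
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.must_change = False
        return True

    def logout(self, token: str):
        self.sessions.discard(token)               # invalidate server-side

    def is_authenticated(self, token: str) -> bool:
        return token in self.sessions


# --- the tester's checks; each returns True when the control holds ---------
def check_default_credential_forces_change() -> bool:
    svc = AuthService()
    svc.add_user("admin", "admin", default_credential=True)
    status, token = svc.login("admin", "admin")
    changed = status == "change_required" and svc.set_password(token, "admin", "N3w-long-passphrase")
    return changed and svc.login("admin", "admin")[0] == "denied"   # old default no longer works


def check_lockout_and_expiry() -> bool:
    svc = AuthService()
    svc.add_user("alice", "correct horse battery staple")
    for _ in range(MAX_FAILURES):
        svc.login("alice", "wrong-password")
    locked = svc.login("alice", "correct horse battery staple") == ("denied", "locked")
    svc.clock += LOCKOUT_SECONDS + 1               # fast-forward past the window
    recovered = svc.login("alice", "correct horse battery staple")[0] == "ok"
    return locked and recovered


def check_logout_invalidates_session() -> bool:
    svc = AuthService()
    svc.add_user("bob", "another strong passphrase")
    _, token = svc.login("bob", "another strong passphrase")
    was_valid = svc.is_authenticated(token)
    svc.logout(token)
    return was_valid and not svc.is_authenticated(token)   # "Back" finds no live session
```

The injected `clock` is the design point a tester should insist on: a lock-out window cannot be verified against a real clock without waiting it out, and a lock-out that never expires should show up as `recovered` staying False.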
Confidentiality Testing
● Ensure sensitive data can be accessed by those authorized, and only by those authorized
● Sensitive data: any data that must be protected in memory, over the network, or in persistent stores
Enforcing Confidentiality
● Encryption
● Access Control Lists (ACL)
Encryption
● Used to protect sensitive data in a message
● Unencrypted data (plaintext) is converted to encrypted data (ciphertext) and decrypted back to plaintext when needed.
● Data is encrypted with an algorithm and a secret cryptographic key.
● The "random" values the scheme needs (keys, IVs, nonces) must come from a cryptographically strong source.
Encryption
● Encryption depends on random secret keys
● By nature, computers are not random
  ○ Pseudorandom number generator (PRNG)
● Detect a weak PRNG by inspection:
  ○ What physical events are gathered as entropy?
  ○ Why are these "random"?
  ○ How are they mixed?
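An added example (not from the original slides) of the weakness the inspection questions target: a 128-bit key generated from Python's Mersenne Twister seeded with a Unix timestamp is recovered by searching a one-hour window of seeds, while the same search against a key from the operating system's CSPRNG finds nothing. The timestamp, the "20 minutes ago" offset and the window size are constructed for the demonstration.

```python
"""Weak versus strong key generation, and why the inspection questions
matter: a PRNG whose only seed is the clock is reproducible by anyone
who can guess roughly when the key was made."""
import random
import secrets
import time


def weak_key(seed: int, nbytes: int = 16) -> bytes:
    """What a code inspection should flag: the only 'entropy' is a small
    integer (here a Unix timestamp) fed to a deterministic PRNG."""
    rng = random.Random(seed)                    # Mersenne Twister, not a CSPRNG
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def strong_key(nbytes: int = 16) -> bytes:
    """Key from the operating system's CSPRNG (os.urandom underneath)."""
    return secrets.token_bytes(nbytes)


def recover_seed(target: bytes, approx_time: int, window: int = 3600):
    """Attacker's view: knowing only that the key was generated within
    `window` seconds of `approx_time`, try every candidate seed and return
    the one that reproduces `target`, or None if no seed matches."""
    nbytes = len(target)
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_key(seed, nbytes) == target:
            return seed
    return None


def demo(now: int = 1_700_000_000):
    """Constructed run: the victim generated a key about 20 minutes before
    `now`. Returns (seed recovered for the weak key, result for a strong key)."""
    generated_at = now - 1234
    leaked_weak = weak_key(generated_at)             # e.g. observed as a session token
    weak_result = recover_seed(leaked_weak, now)     # -> generated_at
    strong_result = recover_seed(strong_key(), now)  # -> None
    return weak_result, strong_result


if __name__ == "__main__":
    print(demo(int(time.time())))
```

Two hours of candidate seeds is a few thousand PRNG constructions, so the recovery takes well under a second; the lesson for the inspection is that the size of the seed space, not the quality of the generator's output statistics, is what bounds the attacker's work.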
Access Control Lists
● List of permissions attached to an object
● Restrictions depend on impact factors:
  ○ How much data could be disclosed?
  ○ How sensitive is this data?
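An added example (not part of the original slides) of testing the confidentiality requirement against an ACL: the objects, principals, clearance levels and ACL entries are constructed for the example, one ACL entry is deliberately too permissive and one is missing, and the sweep exercises every principal/object/action combination and reports where the actual decision differs from the intended policy. The sensitivity-based clearance check is a second, independent layer, so an over-permissive ACL entry on restricted data is still denied.

```python
"""Confidentiality test over an ACL: exercise every principal/object/action
combination and compare the decision with the intended policy, so the test
shows that authorized users get access and that nobody else does."""
from enum import IntEnum
from itertools import product


class Sensitivity(IntEnum):         # impact factor: how sensitive is the data?
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2


# Constructed sample data for the example.
OBJECTS = {
    "press_release.txt": Sensitivity.PUBLIC,
    "org_chart.pdf": Sensitivity.INTERNAL,
    "payroll.xlsx": Sensitivity.RESTRICTED,
}
CLEARANCE = {
    "guest": Sensitivity.PUBLIC,
    "staff": Sensitivity.INTERNAL,
    "hr": Sensitivity.RESTRICTED,
}
ACTIONS = ("read", "write")

# ACL: object -> list of (principal, actions granted). Deny by default.
# Two defects are planted for the sweep to find, and a third (staff read
# on payroll) that the clearance layer should neutralise on its own.
ACL = {
    "press_release.txt": [("staff", {"read"}), ("hr", {"read", "write"})],       # guest missing
    "org_chart.pdf": [("staff", {"read", "write"}), ("hr", {"read", "write"})],  # staff write
    "payroll.xlsx": [("hr", {"read", "write"}), ("staff", {"read"})],            # blocked by clearance
}


def is_allowed(principal: str, obj: str, action: str) -> bool:
    """Actual enforcement: an ACL entry must grant the action AND the
    principal's clearance must cover the object's sensitivity."""
    granted = any(p == principal and action in acts for p, acts in ACL.get(obj, []))
    cleared = CLEARANCE.get(principal, -1) >= OBJECTS[obj]
    return granted and cleared


def intended(principal: str, obj: str, action: str) -> bool:
    """Policy agreed with the data owners (assumed for the example):
    read if cleared for the sensitivity level, write only for hr."""
    cleared = CLEARANCE[principal] >= OBJECTS[obj]
    return cleared and (action == "read" or principal == "hr")


def sweep():
    """Return (over_grants, under_grants): combinations where the system
    allows what policy forbids, and where it denies what policy allows."""
    over, under = [], []
    for principal, obj, action in product(CLEARANCE, OBJECTS, ACTIONS):
        actual = is_allowed(principal, obj, action)
        wanted = intended(principal, obj, action)
        if actual and not wanted:
            over.append((principal, obj, action))
        elif wanted and not actual:
            under.append((principal, obj, action))
    return over, under


if __name__ == "__main__":
    over, under = sweep()
    print("over-grants (confidentiality failures):", over)
    print("under-grants (availability failures):", under)
```

The over-grants list is the confidentiality finding; the under-grants list is worth reporting too, because a missing entry is usually "fixed" in production by granting something broader than intended.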
Access Restrictions
Access to high-security information may involve training on best practices for keeping data secure.
● Passwords
  ○ Sony - passwords.xlsx
● Phishing
  ○ Wall Street - FIN4
Penetration Testing
● An attack on a computer system with the
intention of finding and exploiting security
weaknesses.
● Unlike a simple security assessment or
“vulnerability scan,” a penetration test
tries to prove (or disprove) real-world
attack vectors against a system.
Penetration Testing Methods
● May involve automated tools and processes
● But the focus is on the individual tester or team of testers.
  ○ Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are often vulnerable to the unique nature of the human mind.
Reasons for Penetration Testing
● Determine the feasibility of a set of attack vectors.
● Identify high-risk vulnerabilities that result from a combination of multiple low-risk vulnerabilities.
● Identify vulnerabilities that cannot be detected by automated software.
● Assess the magnitude of potential attack impacts.
  ○ How much data can be compromised?
● Test the ability of network defenders to detect and respond to attacks.
Strategies for Penetration Testing
● Hire the right team
  ○ The last thing you want after a penetration test is to have no actionable results
● Blackbox vs. Whitebox
  ○ Letting the testers see the code might help them discover weaknesses, but it might also limit their ability to think "outside the box."
● Schedule properly
  ○ Make sure the system is allowed to be unavailable during the test
Integrity Testing
● Ensures that information received by the system has not been altered by unauthorized people while in transit.
Sources: "Integrity" @ http://searchdatacenter.techtarget.com/definition/integrity
"Confidentiality, Integrity, & Availability (CIA)" @ http://whatis.techtarget.com/definition/Confidentiality-integrityand-availability-CIA
Possible Sources of a Loss of Integrity
● Physical environment of network terminals
and servers.
● Access to data.
● Authentication practices.
● Environmental hazards from heat, dust, and
electrical surges.
Practices to Protect Data Integrity
● Servers can only be accessed by network administrators.
● Cover and lock cables and connectors to protect against tampering.
● Use version control to prevent accidental changes and deletions by authorized users.
Other Practices
● Use checksums to verify integrity.
● Keep backups so that affected data can be restored.
● Non-human causes: have ways of detecting power surges, electromagnetic pulse (EMP) and server crashes.
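An added example (not from the slides) of the checksum practice above and of its limit: a plain SHA-256 checksum detects the bit flip a power surge or line noise might cause, but an attacker who rewrites a message in transit simply recomputes the unkeyed checksum, so deliberate tampering is only caught by a keyed HMAC whose key the attacker lacks. The message text and the flipped bit position are constructed for the demonstration.

```python
"""Integrity checks for data in transit: an unkeyed checksum versus a
keyed HMAC, exercised against accidental corruption and deliberate
tampering."""
import hashlib
import hmac
import secrets

# Constructed message for the example.
MESSAGE = b"transfer 100.00 to account 12345"


def checksum(data: bytes) -> str:
    """Unkeyed checksum: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed tag: only holders of `key` can compute a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def verify_mac(key: bytes, data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(mac(key, data), expected)


def flip_bit(data: bytes, index: int, mask: int = 0x01) -> bytes:
    """Simulate line noise or a surge corrupting one bit."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def scenario(message: bytes = MESSAGE) -> dict:
    """Return which mechanism catches which kind of change."""
    key = secrets.token_bytes(32)          # shared by sender and receiver only
    sent_checksum = checksum(message)
    sent_mac = mac(key, message)

    # 1. Accidental corruption: one bit flipped in transit, checksum/tag unchanged.
    corrupted = flip_bit(message, 10)
    noise_vs_checksum = not verify_checksum(corrupted, sent_checksum)
    noise_vs_mac = not verify_mac(key, corrupted, sent_mac)

    # 2. Deliberate tampering: the attacker changes the account number and,
    #    because the checksum needs no secret, ships a matching checksum.
    forged = message.replace(b"12345", b"99999")
    tamper_vs_checksum = not verify_checksum(forged, checksum(forged))
    # Without the key the attacker's best option is to replay the old tag.
    tamper_vs_mac = not verify_mac(key, forged, sent_mac)

    return {
        "noise_caught_by_checksum": noise_vs_checksum,
        "noise_caught_by_mac": noise_vs_mac,
        "tamper_caught_by_checksum": tamper_vs_checksum,
        "tamper_caught_by_mac": tamper_vs_mac,
    }


if __name__ == "__main__":
    for name, caught in scenario().items():
        print(f"{name}: {caught}")
```

Checksums therefore belong with the "non-human causes" bullet; against an adversary the integrity check needs a secret (an HMAC key, or a signature key), and the receiver must also know the legitimate sender's key out of band.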
Questions?
● Availability Testing - Luke
● Authentication Testing - Jeff
● Confidentiality Testing - Kevin
● Penetration Testing - Jake
● Integrity Testing - Ryan