
Security testing methodologies
Several open source methodologies have been introduced to address security assessment needs. Using them, one can approach the time-critical and challenging task of assessing a system's security in a structured way, whatever its size and complexity. Some of these methodologies focus on the technical side of security testing, others on managerial criteria, and very few address both. The basic idea behind following a formal methodology in an assessment is to execute the different types of tests step by step so that the security of a system can be judged accurately. We therefore introduce four well-known security assessment methodologies below and highlight their key features and benefits, to give an extended view of assessing network and application security. These are:
- Open Source Security Testing Methodology Manual (OSSTMM)
- Information Systems Security Assessment Framework (ISSAF)
- Open Web Application Security Project (OWASP) Top Ten
- Web Application Security Consortium Threat Classification (WASC-TC)
All of these testing frameworks and methodologies help security professionals choose the strategy that best fits their client's requirements and the most suitable testing approach. The first two provide general guidelines and methods for security testing of almost any information asset; the last two mainly deal with the assessment of application security. It is, however, important to note that security is an ongoing process. Any minor change in the target environment can affect the whole course of security testing and may introduce errors in the final results. Thus, before applying any of the above testing methods, the integrity of the target environment should be assured: the environment should be stable for the duration of the engagement, and any change made during it should be recorded so that its effect on the results can be judged. Additionally, adopting any single methodology does not necessarily provide a complete picture of the risk assessment process. Hence, it is left up to the security auditor to select the strategy that best addresses the target testing criteria and remains consistent with the network or application environment under test.
Many security testing methodologies claim to find all security issues, but choosing one still requires a careful selection process that weighs the accountability, cost, and effectiveness of the assessment. Determining the right assessment strategy thus depends on several factors, including the technical details available about the target environment, resource availability, the pentester's knowledge, business objectives, and regulatory concerns. From a business standpoint, investing capital blindly and committing unnecessary resources to a security testing process can endanger the whole business.
Open Source Security Testing Methodology Manual (OSSTMM)
The OSSTMM (www.isecom.org/osstmm/) is a recognized international standard for security testing and analysis and is used by many organizations in their day-to-day assessment cycle. It is based on a scientific method that helps quantify operational security and its cost requirements in relation to business objectives. From a technical perspective, its methodology is built around four key concepts: Scope, Channel, Index, and Vector. The scope defines the process of collecting information on all assets operating in the target environment. A channel determines the type of communication and interaction with these assets; channels fall into three classes, physical, spectrum, and communications. Each channel class depicts a unique set of security components that have to be tested and verified during the assessment period: physical security, human psychology, data networks, wireless communication media, and telecommunications. The index is a method for classifying target assets by a particular identifier, such as a MAC address or an IP address. Finally, a vector defines the direction from which an auditor assesses and analyzes each functional asset. This whole process yields a technical roadmap for evaluating the target environment thoroughly and is known as the Audit Scope.
OSSTMM classifies the different forms of security testing into six standard security test types, distinguished by how much the auditor knows about the target and how much the target knows about the test:
- Blind: Blind testing requires no prior knowledge of the target system, but the target is informed of the audit scope before the test is executed. Ethical hacking and war gaming are examples of blind testing. Because the target is prepared in advance, this type mainly tests the skill of the auditor, and it is widely accepted for its ethical stance of informing the target beforehand.
- Double blind: In double blind testing, the auditor has no prior knowledge of the target system and the target is not informed before the test is executed. Black-box auditing and penetration testing are examples of double blind testing. Most security assessments today are carried out using this strategy, which tests both the auditor's skill and the target's preparedness and challenges the auditor to select the best tools and techniques to achieve the required goal.
- Gray box: In gray box testing, the auditor holds limited knowledge of the target's defenses and assets but full knowledge of its channels, and the target is informed before the test is executed. Vulnerability assessment is a basic example of gray box testing.
- Double gray box: Double gray box testing works like gray box testing, except that the scope and time frame of the audit are agreed in advance and the target is not told which channels and vectors will be tested. White-box audit is an example of double gray box testing.
- Tandem: In tandem testing, both sides are prepared in advance: the auditor has full knowledge of the target system and the target is notified of the test. Tandem testing is therefore usually thorough, since nothing is hidden from either side, but it cannot test the target's preparedness. Crystal box and in-house audit are examples of tandem testing.
- Reversal: In reversal testing, the auditor holds full knowledge of the target's processes and operational security, but the target is not informed of how or when the test will be conducted. Red teaming is an example of reversal testing; it tests the target's preparedness rather than the auditor's skill.
Tip
Which OSSTMM test type follows the rules of Penetration Testing?
Double blind testing
The technical assessment framework provided by OSSTMM is flexible and capable of deriving specific test cases, which are logically divided across the five security components of the three channel classes mentioned previously. These test cases examine the target by assessing its access control security, process security, data controls, physical location, perimeter protection, security awareness level, trust level, fraud control protection, and many other procedures. The overall testing procedure defines what has to be tested, how it should be tested, what tactics should be applied before, during, and after the test, and how to interpret and correlate the final results. Capturing the current state of protection of a target system with security metrics is invaluable, and the OSSTMM methodology provides this in the form of RAV (Risk Assessment Values). The basic function of the RAV is to analyze the test results and compute the actual security value from three factors: operational security, loss controls, and limitations. This final security value is known as the RAV score. Using the RAV score, an auditor can define milestones, based on the current security posture, for reaching better protection. From a business perspective, the RAV can optimize the amount of investment required in security and help justify the best available solutions.
Key features and benefits
- Practicing the OSSTMM methodology reduces the occurrence of false negatives and false positives and provides an accurate, repeatable measurement of security.
- Its framework is adaptable to many types of security tests, such as penetration testing, white-box audit, vulnerability assessment, and so forth.
- It ensures that the assessment is carried out thoroughly and that the results can be aggregated in a consistent, quantifiable, and reliable manner.
- The methodology itself follows a process of four individually connected phases, namely the definition phase, information phase, regulatory phase, and controls test phase, each of which obtains, assesses, and verifies information about the target environment.
- Security metrics are evaluated with the RAV method. The RAV calculates the actual security value from operational security, loss controls, and limitations; the resulting RAV score represents the current state of the target's security.
- Formalizing the assessment report with the Security Test Audit Report (STAR) template benefits management as well as the technical team when reviewing the testing objectives, risk assessment values, and the output of each test phase.
- The methodology is regularly updated to reflect new trends in security testing, regulations, and ethical concerns.
- The OSSTMM process can easily be coordinated with industry regulations, business policy, and government legislation. Additionally, a certified audit can be eligible for accreditation directly from ISECOM (Institute for Security and Open Methodologies).
Information Systems Security Assessment Framework (ISSAF)
The ISSAF (www.oissg.org/issaf) is another open source security testing and analysis framework. It is organized into several domains that address security assessment in a logical order. Each domain assesses a different part of a target system and provides field inputs for a successful security engagement. Integrating the framework into the regular business lifecycle can bring accuracy, completeness, and efficiency to the organization's security testing requirements. The ISSAF was developed to cover two areas of security testing, technical and managerial. The technical side establishes the core set of rules and procedures needed to create an adequate security assessment process, while the managerial side covers engagement management and the best practices that should be followed throughout the testing process. Note that the ISSAF defines the assessment as a process rather than an audit, since an audit requires a more established body to proclaim the necessary standards; its framework instead comprises the Planning, Assessment, Treatment, Accreditation, and Maintenance phases. Each phase holds generic guidelines that are effective and flexible enough for any organizational structure. The output is a combination of operational activities, security initiatives, and a complete list of vulnerabilities that may exist in the target environment. The assessment process takes the shortest path to the test deadline by analyzing the target for the critical vulnerabilities that can be exploited with minimum effort.
The ISSAF contains a rich set of technical assessment baselines for testing a number of different technologies and processes. This, however, introduces a maintenance problem: the framework must be kept up to date to reflect new or changed technology assessment criteria. The OSSTMM methodology is less affected by such obsolescence, because an auditor can reuse the same methodology across many security engagements with different sets of tools and techniques. On the other hand, ISSAF also claims to be a broad framework with up-to-date information on security tools, best practices, and administrative concerns to complement a security assessment program. It can also be aligned with OSSTMM or any similar testing methodology, combining the strengths of each. It is important to note, though, that ISSAF is still in its infancy and somewhat dated compared with other methodologies and frameworks.
Key features and benefits
- Provides a high value proposition for securing the infrastructure by assessing the existing security controls against critical vulnerabilities.
- The framework addresses the key areas of information security, covering risk assessment, business structure and management, controls assessment, engagement management, security policy development, and good practices.
- The overall technical assessment process provided by ISSAF consists of operations management, physical security assessment, penetration testing methodology, incident management, change management, business continuity management, security awareness, and legal and regulatory compliance.
- The ISSAF penetration testing methodology examines the security of a network, system, or application. The framework can focus on target-specific technology, which may include routers, switches, firewalls, intrusion detection and prevention systems, storage area networks, virtual private networks, various operating systems, web application servers, databases, and so forth.
- It bridges the gap between the technical and managerial views of security testing by implementing the controls needed to handle both areas.
- It enables management to understand the existing risks to the organization's perimeter defenses and to reduce them proactively by identifying the vulnerabilities that may affect business integrity.
Tip
Combining the two methodologies, OSSTMM and ISSAF, provides a sufficient knowledge base to assess the security of an enterprise environment efficiently.
Open Web Application Security Project (OWASP) Top Ten
Hardening network devices not only prevents an adversary from entering the network through well-known exploits and vulnerabilities, but also proactively thwarts unauthorized and inappropriate modification of the infrastructure. It does not, however, protect the web applications running on that network from attack, and so leaves another door open for an attacker to reach the application layer before moving on to the underlying systems. Because of this, several testing methodologies have been introduced to critically assess the security risks of applications. One such effort is the OWASP Top Ten project, which the OWASP open community maintains to raise awareness of application security among organizations. The project does not constitute a complete application security program but provides a necessary foundation for integrating security through secure coding principles and practices.
Tip
What is meant by "Application Layer"?
Layer 7 of the Open Systems Interconnection (OSI) model is known as the "Application Layer". The key function of the OSI model is to provide a standardized way of communicating across heterogeneous networks. The model is divided into seven logical layers, namely Physical, Data link, Network, Transport, Session, Presentation, and Application. The basic function of the application layer is to provide network services to user applications. More information can be found at: http://en.wikipedia.org/wiki/OSI_model.
Addressing application security involves people, processes, management, and technology. Thus, relying on an application risk assessment strategy alone is not enough; bringing together all parts of an organization can contribute a significant improvement to the security of the application itself. The OWASP Top Ten project categorizes application security risks by evaluating the top attack vectors and security weaknesses in relation to their technical and business impact. Each risk describes a generic attack method independent of the technology or platform being used, together with specific instructions on how to test, verify, and remediate the vulnerable part of an application. The OWASP Top Ten focuses on the high-risk problem areas rather than addressing all the issues surrounding web application security. Beyond it, the OWASP community publishes essential guidance for developers and security auditors to manage the security of web applications effectively:
- Developer's Guide: www.owasp.org/index.php/Guide
- Testing Guide: www.owasp.org/index.php/Category:OWASP_Testing_Project
- Code Review Guide: www.owasp.org/index.php/Category:OWASP_Code_Review_Project
To put the ten application security risks presented by OWASP in context, each is explained below with a short definition, example types, and preventive measures (the list is the 2010 edition of the Top Ten):
- A1 - Injection: Injection occurs when untrusted data supplied by an attacker is sent to an interpreter as part of a command or query, so that the attacker's data is executed as code by that interpreter. SQL, XML, and LDAP injection are well-known types. The preferred defense is a safe API that keeps data separate from the command, such as parameterized queries; where that is not possible, special characters in user input must be escaped using the interpreter's own escaping rules.
- A2 - Cross-Site Scripting (XSS): Cross-site scripting occurs when an application takes untrusted user input and sends it to a web browser without proper validation or escaping; once the browser executes the injected script, the result may be session hijacking, cookie theft, or website defacement. Escaping all untrusted data according to the context in which it is output (HTML body, HTML attribute, JavaScript, or CSS) prevents cross-site scripting.
- A3 - Broken Authentication and Session Management: Use of insecure authentication and session management routines may allow an attacker to hijack other users' accounts, for example through predictable session tokens. Developing a strong authentication and session management scheme prevents such attacks; hashed credentials, unpredictable session identifiers, and a secure connection over SSL or TLS are highly recommended.
- A4 - Insecure Direct Object References: Exposing a direct reference to an internal application object (such as a user account identifier, filename, or directory name) lets an attacker manipulate that reference to reach data he is not authorized to see, unless each access is checked. Performing an access control check on every request for a user-accessible object, or replacing direct references with indirect per-user references, ensures that only authorized access to the requested object is possible.
- A5 - Cross-Site Request Forgery (CSRF): Cross-site request forgery forces a logged-in user's browser to send forged HTTP requests to a vulnerable web application. Because the requests are carried out within the victim's authenticated session, complete with its cookies, the application cannot distinguish them from the user's legitimate requests. Including a unique, unpredictable token in every state-changing HTTP request, bound to the user's session and verified on the server, mitigates CSRF.
- A6 - Security Misconfiguration: Running with a default security configuration can leave the application open to multiple attacks. Keeping the best known configuration for the deployed application, web server, database server, operating system, code libraries, and all other application-related components is vital. This can be achieved with a repeatable process for software updates, patches, and hardened environment rules.
- A7 - Insecure Cryptographic Storage: Applications that do not cryptographically protect sensitive data, such as healthcare information, credit card transactions, personal information, and authentication details, fall under this category. Applying strong, standard encryption or hashing algorithms (salted hashes for passwords) assures the security of data at rest.
- A8 - Failure to Restrict URL Access: Web applications that do not check access permissions for the URL being requested can allow an attacker to reach unauthorized pages. To resolve this, restrict access to private URLs with proper authentication and authorization controls, and define a policy so that only specific users and roles are allowed into highly sensitive areas.
- A9 - Insufficient Transport Layer Protection: Use of weak encryption algorithms, invalid security certificates, and improper authentication controls can compromise the confidentiality and integrity of data in transit, leaving it vulnerable to traffic interception and modification. Security can be enhanced by requiring SSL/TLS for all sensitive pages and configuring a valid digital certificate issued by a trusted certification authority.
- A10 - Unvalidated Redirects and Forwards: Many web applications use a dynamic parameter to redirect or forward a user to a specific URL. An attacker can craft a malicious URL that redirects users to phishing or malware websites, or extend the attack by forwarding a request to local pages they are not authorized to access. Validating the supplied parameter value, for example against an allow-list of permitted destinations, and checking the access control rights of the user making the request avoids illegitimate redirects and forwards.
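The following is an added example, not code from the original page or from OWASP, showing the weak pattern beside the hardened one for three of the risks above: A1 (a string-built SQL query next to a parameterized one, run against a constructed in-memory SQLite table), A5 (a per-session CSRF token issued and checked in constant time), and A10 (a redirect-target validator with an assumed allow-list of hosts). All data and host names are constructed for the demo.

```python
"""Weak-versus-hardened examples for OWASP Top Ten (2010) A1, A5 and A10.
Added example; constructed sample data, not the page's or OWASP's code."""
import hmac
import secrets
import sqlite3
from urllib.parse import urlparse


def make_db():
    """Constructed demo table (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn


# A1 - Injection: the query is built by string concatenation, so the
# attacker-controlled `name` becomes part of the SQL program itself.
def lookup_vulnerable(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# Hardened: a parameterized query. The driver sends the value separately
# from the statement, so quotes inside `name` are data, never syntax.
def lookup_safe(conn, name):
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# A5 - CSRF: issue one unpredictable token per session and require it on
# every state-changing request. The comparison is constant-time so the
# token cannot be recovered byte by byte via timing.
def issue_csrf_token(session):
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def csrf_token_valid(session, submitted):
    expected = session.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


# A10 - Unvalidated redirects: accept only site-relative paths or absolute
# URLs whose host is on an allow-list; anything else falls back to `default`.
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed allow-list


def safe_redirect_target(url, default="/"):
    parts = urlparse(url)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path. "//evil" parses with a non-empty netloc and is
        # caught above; backslashes are rejected because some browsers
        # treat "/\evil" as a protocol-relative URL.
        if url.startswith("/") and "\\" not in url:
            return url
        return default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return url
    return default


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every user
    print("safe:      ", lookup_safe(db, payload))         # no match
    sess = {}
    tok = issue_csrf_token(sess)
    print("csrf ok:   ", csrf_token_valid(sess, tok))
    print("redirect:  ", safe_redirect_target("//evil.example/"))
```

The injection payload returns every row from the concatenated query and nothing from the parameterized one, which is the whole difference between the two lookups. The redirect validator deliberately fails closed: any URL it cannot positively classify as local or allow-listed is replaced by the default.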
Key features and benefits
- Testing a web application against the OWASP Top Ten security risks helps avoid the most common attacks and weaknesses and maintains the confidentiality, integrity, and availability of the application.
- The OWASP community has also developed a number of security tools for automated and manual web application testing. A few of these tools are WebScarab, Wapiti, JBroFuzz, and SQLiX, which are also available in the BackTrack operating system.
- For the security assessment of web infrastructure, the OWASP Testing Guide provides technology-specific assessment details; for instance, testing an Oracle database is approached differently from testing MySQL. The guide gives a wide and collaborative view of multiple technologies, which helps an auditor choose the procedure best suited to the test.
- It encourages secure coding practices for developers by integrating security tests at each stage of development, which helps ensure that the production application is more robust and secure.
- It provides industry-wide acceptance and visibility. The Top Ten security risks can also be aligned with other web application security assessment standards, so that more than one standard can be satisfied at a time with little extra effort.
Web Application Security Consortium Threat Classification (WASC-TC)
Identifying application security risks requires a thorough and rigorous testing procedure that can be followed throughout the development lifecycle. The WASC Threat Classification is another open standard for assessing the security of web applications. Like the OWASP standard, it is organized into a number of attacks and weaknesses, but it addresses them in much greater depth. Identifying and verifying the threats facing a web application requires standard terminology that can quickly adapt to the technology environment, and this is where the WASC-TC comes in very handy. The standard is presented in three different views to help developers and security auditors understand web application security threats.
- Enumeration View: This view provides the basis for web application attacks and weaknesses. Each attack and weakness is discussed individually with a concise definition, its types, and examples for multiple programming platforms. Each is also listed with a unique identifier for referencing: there are 49 attacks and weaknesses in total, each assigned a static WASC-ID (1 to 49). Note that the number does not indicate risk severity; it serves only as a reference.
- Development View: The development view takes the developer's perspective by combining the attacks and weaknesses into vulnerabilities that are likely to occur in one of three consecutive development phases: design, implementation, or deployment. Design vulnerabilities are introduced when the application requirements fail to address security at the initial requirements-gathering stage. Implementation vulnerabilities result from insecure coding principles and practices. Deployment vulnerabilities result from misconfiguration of the application, web server, and other external systems. This view thus broadens the scope for integrating the standard into a regular development lifecycle as part of best practice.
- Taxonomy Cross Reference View: This view cross-references multiple web application security standards, helping auditors and developers map the terminology of one standard onto another. With a little extra effort, the same facility can also assist in satisfying several standards at once. In general, however, each application security standard defines its own criteria for assessing applications from a different angle and measuring the associated risks, so each requires different effort to scale up the calculation of risks and their severity levels. The WASC-TC attacks and weaknesses in this view are mapped to the OWASP Top Ten, MITRE's Common Weakness Enumeration (CWE), MITRE's Common Attack Pattern Enumeration and Classification (CAPEC), and the SANS-CWE Top 25 list.
Note
More details regarding WASC-TC and its views can be found at: http://projects.webappsec.org/Threat-Classification.
Key features and benefits
- Provides in-depth knowledge for assessing the web application environment against the most common attacks and weaknesses.
- The attacks and weaknesses presented by WASC-TC can be used to test and verify any web application platform using a combination of tools from the BackTrack operating system.
- The standard provides three different views, namely enumeration, development, and cross reference. The enumeration view is the base for all the attacks and weaknesses found in web applications. The development view merges these attacks and weaknesses into vulnerabilities and categorizes them by the development phase in which they occur: design, implementation, or deployment. The cross reference view maps other application security standards onto WASC-TC.
- WASC-TC has already acquired industry-level acceptance, and its integration can be found in many open source and commercial solutions, mostly vulnerability assessment and management products.
- It can also be aligned with other well-known application security standards, such as OWASP and SANS-CWE, and so helps satisfy compliance with those standards as well.