Let us continue our CISSP course together! In the previous Module, Module 05, we learned about ID, defining identity and access, core security requirements, access control models, authentication and its types, SSO and Kerberos, access control methods, RADIUS, and emanations. From all the previous modules, we believe that you’ve have got something to learn, lets continue our CISSP training online! In this CISSP tutorial, Module 06, you will learn about security assessments and testing. We will go beyond just testing the software and being safe to vulnerabilities. We will talk about six security assessments and testing objectives, from vulnerability assessments to penetration testing, through remediation and so on. So, let’s start!
Vulnerability and Pen Testing
What is VAPT (Vulnerability Assessment and Pen Testing)? Those are the two types of vulnerability testing. They have different strengths and are combined to achieve a more complete vulnerability analysis. They perform two different tasks, coming with the different results, but within the same area of focus.
Let’s look at the Vulnerability Assessment first. It is a way which discovers the present vulnerabilities. The bad thing is that it cannot differentiate between flaws that can be exploited to cause damage and those that can’t. It alerts companies to the pre-existing flaws and shows where they are located. The Penetration Testing is different because it attempts to exploit the vulnerabilities in the system determining whether authorised access or other malicious activity is possible. It also identifies which flaws are the threat to the application. They measure the severity of each flaw.
Together, these VA and PT provide a whole picture with details of the flaws that exist and calculate the risk.
Vulnerability Assessments are physical, administrative and local. Penetration Testing has red and blue terms (attack and defend).
What is the vulnerability analysis? Or scanning? It is a process which defines and identifies, and then classifies the security holes in the network or a computer, or in a communications infrastructure. They can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they’re put into the use.
It consists of several steps, and those are:
- the defining & classifying system or network resources;
- assigning relative levels of importance to the resources;
- identification of the potential threats;
- developed strategy for dealing with the serious potential problems;
- after defining, implementing the ways to minimize the consequences in case attack occurs.
There are many attack methodologies, like reconnaissance, footprinting, fingerprinting and vulnerability assessments and the attack.
It’s a good to start with the knowledge that no organization has an infinite security budget. As we already mentioned it in this module, penetration testing is a critical part to implement for a complete security framework and is intended to look beyond the limited detail provided by those controls. It helps to identify the implementation issues that a human attacker may target. Sometimes, to compromise the environment or to establish a persistent foothold. These tests are also used to validate the configuration of security controls, and also the organization’s incident response policies. They generate the anomalous activity associated with reconnaissance. For an organization to be safe, it has to find the best team that went through all the testing about the penetration testing.
NIDS vs HIDS
Let’s start with the definition of IDS. Those are tools in a layered security model. Their purpose is to identify suspicious activity and to log it and to respond and alert people. It is actually a passive device. So, we come here to a conclusion about the difference of the IDS and NDS. The IDS is passive, while the NIDS is an active tool.
NIDS-Network Intrusion Detection System consists of network appliance or sensor with a NIC (Network Interface Card). It’s operating in promiscuous mode and a separate management interface.
HIDS-A Host Intrusion Detection System and software applications installed on workstations which are going to be monitored, writing data to log files and the trigger alarms. It can only monitor the individual workstations on which the agents are installed, and can’t monitor the entire network.
IDS has analysis engines. The two main types of the analysis engines exist and those are pattern matching and profile matching.
Pattern matching is signature based because most networks have the signature based distinctly, where the data is passed between the attacker and the victim. NIDS has a database of known attack signatures and compares the network traffic against that database. There are some concerns for signature based systems, which include paying for a signature subscription from the vendor, through keeping the signature update, to not protecting it from the zero day attacks.
Profile matching system. It looks for suspicious activities. It is searching for the things that do not match with the normal profile network activity.
Maybe you thought that all the IDS/IPS signatures were created equal. But, you will need to think again. It is the quality of the signature that stands between you and the targetted attack. The biggest problem is that some of the signatures for filtering exploits are written to the publicly disclosed exploit. Instead, they should have been written for the underlying vulnerabilities.
Another thing that could prevent the attacker to get into your software, computer or system, could be Honeypot. So, what is the Honeypot exactly? It is the computer security mechanism which is set to detect and deflect or sometimes even to counteract attempts as unauthorised use of the informational system. It consists of data (in a network site) and appears to be a legitimate part of the site. Actually, it is isolated and monitored, in which way it seems to contain the information that is valuable for the attacker. Then, the attackers are blocked. The Honeypot is a trickster, actually. There are a production and the research honeypots.
Production ones are really easy to use and can capture only limited information. They are primarily used by the corporations. They are placed inside the production network with the other production servers to improve their security. They are also easy to deploy.
The research Honeypots run to gather information about the motives and the tactics of the black hat community. They do not add direct value to the specific organization because they’re used to research for the threats that organization may face, and also to learn the tactics of the attackers. In that case, they would know what to do if the danger happens.
Although, this Module 06 look quite short, don’t let it trick you! It consists valuable information which is very important to implement in your knowledge you already have. We will talk to you soon in Module 07, but first, you need to prepare for your exam! We wish you luck.
Your exam is called the Security Assessment & Testing Skill Certification Test. The skill level is beginner, there will be 33 questions and you have 49 minutes to finish it.