A Brief Summary Of Technical Assessment Techniques in NIST SP 800-115
Testing and examination techniques are used to evaluate the security posture of an organization's systems and networks. NIST SP 800-115 describes thirteen assessment techniques under three main categories. Having covered the outline of these technical assessment techniques in the blog "A Brief Summary Of NIST SP 800-115 – Information Security Testing And Assessment", we post this blog to give a brief summary of each technique, as depicted in the following figure:
Review Techniques
1. Documentation Review
Documentation review determines whether the technical aspects of policies and procedures are comprehensive and current. These documents provide the foundation for the organization's security posture. Documents reviewed for technical completeness and accuracy include:
- Security architecture, policies, and requirements
- Standard operating procedures
- System security plans & authorization agreements
- Memos of agreement and understanding for system interconnections
- Incident Response Plans
Documentation review can uncover weaknesses and gaps that would lead to security controls being implemented improperly or not at all, and it confirms that the organization's security controls are being applied as intended. Its results can be used to fine-tune the other examination and testing techniques.
2. Log Review
Log review determines whether security controls are recording the proper information and whether the organization is following its log management policies. Audit logs are a source of historical information and can be used to confirm that systems are operating in accordance with established policies.
The following are examples of log information that may be helpful during a technical security assessment:
- Authentication server or system logs may include successful and failed authentication attempts.
- System logs may include system and service startup and shutdown information, installations of unauthorized software, file accesses, security policy changes, account changes, and privilege use.
- Intrusion detection and prevention system logs may include malicious activity and inappropriate use.
- Antivirus logs may include update failures and other indications of outdated signatures and software.
Assessors can review logs manually, or use automated audit tools to generate customized reports that summarize log contents and track them against specific assessment activities.
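As an added example (not part of the original post or of SP 800-115 itself), the automated review described above can be reduced to a few lines of Python: parse authentication log lines, flag a source that accumulates several failures inside a short window and whether a success followed, and check a policy condition such as root logging in with a password. The log lines are constructed for the example in OpenSSH's usual syslog format; the failure threshold, the window and the "no root password login" policy are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in sshd/syslog style; not taken from any real host.
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 srv01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 10 08:01:14 srv01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar 10 08:01:17 srv01 sshd[2313]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 10 08:01:19 srv01 sshd[2313]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 10 08:01:21 srv01 sshd[2315]: Failed password for root from 203.0.113.7 port 51534 ssh2
Mar 10 08:01:25 srv01 sshd[2315]: Accepted password for root from 203.0.113.7 port 51534 ssh2
Mar 10 08:30:02 srv01 sshd[2400]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar 10 08:45:40 srv01 sshd[2402]: Accepted publickey for alice from 198.51.100.4 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


def parse_auth_log(text, year=2024):
    """Turn raw lines into event dicts; lines that are not authentication results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failures inside a sliding window, plus whether a login succeeded afterwards."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                success_after = any(e["result"] == "Accepted" and e["ts"] >= fails[i] for e in evs)
                findings[src] = {"failures": j - i + 1, "success_after": success_after}
                break
    return findings


def policy_violations(events):
    """Assumed policy for the example: interactive root logins with a password are not permitted."""
    return [e for e in events
            if e["result"] == "Accepted" and e["user"] == "root" and e["method"] == "password"]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(find_brute_force(evs))
    print([(e["ts"].isoformat(), e["src"]) for e in policy_violations(evs)])
```

A success that follows a burst of failures from the same source is the case worth escalating: it is the difference between a noisy scanner and a compromised account.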
3. Ruleset Review
A ruleset is a collection of rules or signatures against which network traffic or system activity is compared to determine what action to take. Ruleset review involves ensuring that rulesets are comprehensive and identifying weaknesses and gaps in security devices. It can also reveal inefficiencies that negatively affect the performance of the ruleset.
The following table shows the rulesets to review and the types of checks conducted for each:
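As an added example for one kind of ruleset, a firewall ruleset evaluated with first-match semantics (this code is not from the original post or from SP 800-115; the rules, fields and thresholds are constructed for the illustration): it detects rules that can never match because an earlier rule already covers all of their traffic, which is both an inefficiency and, when the actions differ, a logic error, and it flags allow rules that are too broad in source or port range.

```python
import ipaddress

# Constructed firewall ruleset, evaluated top-down, first match wins (assumed semantics).
RULES = [
    {"id": 1, "action": "deny",  "src": "0.0.0.0/0",    "dst": "10.0.0.0/8",   "proto": "tcp", "dport": (23, 23)},
    {"id": 2, "action": "allow", "src": "192.0.2.0/24", "dst": "10.0.1.10/32", "proto": "tcp", "dport": (443, 443)},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0",    "dst": "10.0.1.0/24",  "proto": "tcp", "dport": (1, 65535)},
    {"id": 4, "action": "allow", "src": "192.0.2.0/24", "dst": "10.0.1.20/32", "proto": "tcp", "dport": (22, 22)},
    {"id": 5, "action": "deny",  "src": "0.0.0.0/0",    "dst": "0.0.0.0/0",    "proto": "any", "dport": (1, 65535)},
]


def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    o_src, i_src = ipaddress.ip_network(outer["src"]), ipaddress.ip_network(inner["src"])
    o_dst, i_dst = ipaddress.ip_network(outer["dst"]), ipaddress.ip_network(inner["dst"])
    proto_ok = outer["proto"] == "any" or outer["proto"] == inner["proto"]
    port_ok = outer["dport"][0] <= inner["dport"][0] and inner["dport"][1] <= outer["dport"][1]
    return i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst) and proto_ok and port_ok


def shadowed_rules(rules):
    """(rule id, shadowing rule id, same_action) for rules that an earlier rule makes unreachable."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                out.append((rule["id"], earlier["id"], earlier["action"] == rule["action"]))
                break
    return out


def permissive_rules(rules, max_ports=1024):
    """Allow rules with an any-source match or a destination port span wider than max_ports."""
    out = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        any_src = ipaddress.ip_network(rule["src"]).prefixlen == 0
        wide = rule["dport"][1] - rule["dport"][0] + 1 > max_ports
        if any_src or wide:
            out.append(rule["id"])
    return out


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("too permissive:", permissive_rules(RULES))
```

Rule 4 is the interesting case: it looks like a carefully scoped SSH allowance, but rule 3 already lets anyone reach any TCP port on 10.0.1.0/24, so rule 4 never matches and the narrow intent it expresses is not enforced. Real firewall exports carry more fields (interfaces, source ports, negation, logging), and `_covers` would need to account for each of them.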
4. System Configuration Review
System configuration review is the process of identifying weaknesses in security configuration controls, such as systems that have not been configured or hardened according to security policy. It uncovers unnecessary services and applications, improper logging and backup settings, and improper account and password settings.
Assessors can use manual review techniques to evaluate security settings and compare them with recommended settings checklists. SCAP (Security Content Automation Protocol) and other tools are available to apply specific standards and facilitate automated vulnerability management, policy compliance evaluation, and measurement. Automated checks should be preferred whenever feasible, since they can be completed quickly and provide consistent, repeatable results.
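As an added example of the checklist comparison described above (not code from the original post, and not SCAP content; production checks would be written as XCCDF/OVAL and run by an SCAP scanner), the following parses an sshd_config-style file and compares each directive, including ones that are absent and therefore take their default, against a small hardening baseline. The sample configuration is constructed, and the baseline values and the assumed defaults are choices made for the example rather than any published checklist.

```python
import re

# Constructed sshd_config excerpt with several weak settings; not from a real host.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH daemon configuration (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
LogLevel INFO
"""

# Illustrative baseline (an assumption for this example, not NIST's or any vendor's checklist):
# directive -> (acceptable values or a predicate, value assumed when the directive is absent).
BASELINE = {
    "PermitRootLogin": ({"no", "prohibit-password"}, "prohibit-password"),
    "PasswordAuthentication": ({"no"}, "yes"),
    "PermitEmptyPasswords": ({"no"}, "no"),
    "X11Forwarding": ({"no"}, "no"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "6"),
    "LogLevel": ({"INFO", "VERBOSE"}, "INFO"),
    "ClientAliveInterval": (lambda v: v.isdigit() and 0 < int(v) <= 300, "0"),
}


def parse_config(text):
    """Parse 'Directive value' lines; comments are stripped and, as in sshd, the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def check_config(settings, baseline):
    """Return one finding per directive whose effective value (explicit or default) fails the baseline."""
    findings = []
    for directive, (rule, default) in baseline.items():
        value = settings.get(directive, default)
        ok = rule(value) if callable(rule) else value in rule
        if not ok:
            findings.append({"directive": directive, "value": value,
                             "explicit": directive in settings})
    return findings


if __name__ == "__main__":
    for f in check_config(parse_config(SAMPLE_SSHD_CONFIG), BASELINE):
        where = "set explicitly" if f["explicit"] else "implicit default"
        print(f"{f['directive']} = {f['value']} ({where})")
```

Checking absent directives against their defaults matters: a file that never mentions ClientAliveInterval looks clean on a text search but still leaves idle sessions open indefinitely.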
5. Network Sniffing
Network sniffing is a passive technique that monitors network communication, decodes protocols, and examines headers and payloads. The main reasons for using network sniffing are:
- Capturing and replaying network traffic
- Identifying inappropriate and unauthorized activities
- Performing passive network discovery
A sniffer is a tool that must be connected to the network it is to monitor. Sniffers can be deployed at locations such as:
- At the perimeter, to assess traffic entering and exiting the network
- Behind IDSs/IPSs, to determine whether signatures are triggering and being responded to
- Behind firewalls, to assess whether rulesets are filtering traffic properly
6. File Integrity Checking
File integrity checking provides a way to determine whether files on a system have been altered, by computing and storing a checksum for each file in a checksum catalog or database. This capability is usually included in commercial host-based IDS products. The technique is only effective when the system's files are compared against a reference database created from a known-good, secure system, and the reference database must be kept offline so that an attacker cannot alter it along with the files. SP 800-115 recommends a cryptographic checksum such as SHA-1 for this purpose; NIST has since deprecated SHA-1, so new baselines should use SHA-256 or stronger.
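As an added example (not from the original post or from any host-based IDS product), the following builds a SHA-256 baseline of a file tree, serializes it as the record you would store offline, and later compares the live tree against it, reporting modified content, changed permission bits, added files and removed files. The directory tree, its contents and the tampering are constructed inside a temporary directory so the example runs stand-alone.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256", chunk=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Digest and permission bits for every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): {"digest": file_digest(p, algo),
                                             "mode": p.stat().st_mode & 0o777}
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, root, algo="sha256"):
    """Diff a stored baseline against the current state of the tree."""
    current = build_baseline(root, algo)
    both = set(baseline) & set(current)
    return {
        "modified": sorted(k for k in both if baseline[k]["digest"] != current[k]["digest"]),
        "mode_changed": sorted(k for k in both if baseline[k]["mode"] != current[k]["mode"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        login, passwd, hosts = root / "bin" / "login", root / "etc" / "passwd", root / "etc" / "hosts"
        login.write_bytes(b"#!/bin/sh\nexec /sbin/real_login \"$@\"\n")
        passwd.write_text("root:x:0:0::/root:/bin/sh\n")
        passwd.chmod(0o644)
        hosts.write_text("127.0.0.1 localhost\n")
        stored = json.dumps(build_baseline(root))  # this is what goes to offline media
        # Tampering after the baseline was taken.
        login.write_bytes(b"#!/bin/sh\n/tmp/.backdoor &\nexec /sbin/real_login \"$@\"\n")
        passwd.chmod(0o666)                          # same content, now world-writable
        (root / "bin" / "ps").write_bytes(b"trojaned ps")
        hosts.unlink()
        return compare(json.loads(stored), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the mode alongside the digest catches the case where an attacker changes nothing in a file but makes it writable for later; a content-only baseline would miss it. The baseline must also be taken before the system is exposed, since a baseline of an already compromised host only certifies the compromise.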
Target Identification & Analysis Techniques
7. Network Discovery
Network discovery includes a number of methods for discovering active and responding hosts on a network, identifying weaknesses, and learning how the network operates. Both passive (examination) and active (testing) techniques are available for identifying devices on the network.
- Passive techniques use a network sniffer to analyze network traffic and record the IP addresses of active hosts, reporting which operating systems have been identified and which ports are in use on the network.
- Active techniques send various types of network packets, such as ICMP (Internet Control Message Protocol) pings, to elicit responses from network hosts.
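As an added example serving both the network sniffing section above and the passive side of network discovery (this is not code from the original post; a real sniffer would read frames from libpcap or a pcap file rather than from the constructed list here), the following decodes raw Ethernet/IPv4/TCP frames with `struct` and builds the inventory a passive discovery pass produces: which hosts are active, which ports answered with SYN/ACK and are therefore listening, the banners those ports volunteered, and a coarse OS hint from the observed TTL. The frames are constructed in-line with zeroed checksums; the TTL-to-OS mapping uses the common initial TTLs (64 for Linux/Unix, 128 for Windows, 255 for much network equipment) and is a hint only, because the value decrements at every hop.

```python
import struct
from collections import defaultdict

SYN, SYNACK, PSHACK = 0x02, 0x12, 0x18


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", ttl=64):
    """Construct a minimal Ethernet/IPv4/TCP frame for the example (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed capture: a client on 192.0.2.10 probes 10.0.1.5, which answers on 22 and 80 but not 23.
SAMPLE_CAPTURE = [
    build_frame("192.0.2.10", "10.0.1.5", 50001, 22, SYN),
    build_frame("10.0.1.5", "192.0.2.10", 22, 50001, SYNACK),
    build_frame("10.0.1.5", "192.0.2.10", 22, 50001, PSHACK, b"SSH-2.0-OpenSSH_9.6\r\n"),
    build_frame("192.0.2.10", "10.0.1.5", 50002, 80, SYN),
    build_frame("10.0.1.5", "192.0.2.10", 80, 50002, SYNACK),
    build_frame("192.0.2.10", "10.0.1.5", 50003, 23, SYN),
    build_frame("10.0.1.20", "10.0.1.5", 40000, 445, SYN, ttl=128),
]


def decode_frame(frame):
    """Return (src, dst, sport, dport, flags, ttl, payload), or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], ip[8], ip[ihl + data_off:total_len]


def passive_inventory(frames):
    """Active hosts and, per host, the ports that accepted connections and the banners they sent."""
    hosts = defaultdict(lambda: {"ttl": None, "listening": set(), "banners": {}, "talks_to": set()})
    for frame in frames:
        d = decode_frame(frame)
        if d is None:
            continue
        src, dst, sport, dport, flags, ttl, payload = d
        h = hosts[src]
        h["ttl"] = ttl
        h["talks_to"].add(dst)
        if flags & 0x12 == 0x12:          # SYN+ACK: src accepted a connection on sport
            h["listening"].add(sport)
        if flags & 0x08 and payload and sport in h["listening"]:   # PSH data from a listener
            h["banners"][sport] = payload.split(b"\r\n")[0].decode("ascii", "replace")
    return dict(hosts)


def os_hint(ttl):
    """Coarse OS guess from an observed TTL (initial TTL minus hops); a hint, not an identification."""
    if ttl is None:
        return "unknown"
    for initial, name in ((64, "linux/unix"), (128, "windows"), (255, "network device")):
        if ttl <= initial:
            return f"{name} (ttl {ttl})"
    return "unknown"


if __name__ == "__main__":
    for host, info in passive_inventory(SAMPLE_CAPTURE).items():
        print(host, os_hint(info["ttl"]), sorted(info["listening"]), info["banners"])
```

Note what passive discovery cannot tell you: port 23 on 10.0.1.5 never answered, so it is absent from the inventory, but the capture alone cannot distinguish "closed" from "filtered" or "not probed while we were listening". That gap is what the active techniques fill.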
8. Network Port & Service Identification
Network port and service identification uses a port scanner to identify the network ports and services operating on active hosts and the application running behind each identified service. Organizations should perform it to identify hosts, if this has not already been done by other means, and to flag potentially vulnerable services. This information can be used to identify targets for penetration testing. Some scanners can help identify the application running on a particular port through a process known as service identification.
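As an added example (not from the original post; in practice you would reach for nmap and its service probes rather than write this), the following performs a TCP connect scan of a port range, grabs whatever banner an open port volunteers, and maps the banner to an application name. So that it runs stand-alone, the target is a constructed stand-in: a loopback listener started in a thread on an ephemeral port that greets clients the way an SSH daemon does. The signature table is a small constructed one, and only the loopback address is scanned.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Stand-in target for the example: a loopback listener that sends a banner on connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free ephemeral port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listening socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """Connect scan of one port; on success read a banner if the service sends one unprompted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""               # open, but the service waits for the client to speak first
            return port, "open", data.split(b"\r\n")[0].decode("ascii", "replace")
    except (ConnectionRefusedError, socket.timeout, OSError):
        return port, "closed", ""


def identify_service(banner):
    """Service identification from the banner, with a constructed signature table for the example."""
    signatures = (("SSH-", "ssh"), ("220 ", "smtp/ftp"), ("HTTP/", "http"), ("+OK", "pop3"))
    for prefix, name in signatures:
        if banner.startswith(prefix):
            return name
    return "unknown" if banner else "no-banner"


def scan(host, ports, workers=32):
    """Scan ports concurrently; return {port: (state, banner, service)} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda p: probe(host, p), ports))
    return {p: (state, banner, identify_service(banner))
            for p, state, banner in results if state == "open"}


def demo():
    """Start the stand-in service, scan a window of ports around it, shut it down."""
    srv, port = start_fake_service()
    try:
        return port, scan("127.0.0.1", range(port - 5, port + 5))
    finally:
        srv.close()


if __name__ == "__main__":
    port, found = demo()
    print(f"stand-in listener on {port}:", found)
```

A banner is only a claim made by whatever is listening, and many services say nothing until the client speaks, which is why full service identification sends protocol-specific probes rather than waiting for a greeting. Treat the banner as a lead for vulnerability scanning, not as a verified version.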
9. Vulnerability Scanning
Similar to network port and service identification, vulnerability scanning identifies hosts and host attributes, but it also attempts to identify vulnerabilities rather than relying on human interpretation of the scanning results. Many vulnerability scanners are equipped to accept the results of network port and service identification, which reduces the effort required for vulnerability scanning. It can help identify missing patches, outdated software versions, and misconfigurations, and evaluate compliance with, or deviations from, the organization's security policy.
10. Wireless Scanning
Organizations today need to test and secure their wireless environments. Wireless scanning techniques can help organizations determine corrective actions to address the risks posed by wireless-enabled technologies. It comprises the following scanning techniques:
Passive Wireless Scanning - Passive scanning should be performed regularly to supplement other wireless security measures. Because the tools used for passive scans do not transmit data and do not affect the operation of deployed devices, they remain undetected by malicious users.
Active Wireless Scanning - Active scanning builds on the information gathered during passive scans and attempts to connect to the identified devices and conduct vulnerability or penetration testing. Organizations should be careful when conducting active scans to ensure they do not inadvertently scan devices belonging to neighbouring organizations that are within range.
Wireless Device Location Tracking - It is important to attempt to locate suspicious devices while performing wireless scanning. Once rogue devices are identified, security personnel should handle the situation according to the organization's policies and procedures, such as reconfiguring the device, shutting it down, or removing it completely. If a device is to be removed, security personnel should track its transmissions and location to evaluate its activities before it is confiscated.
Bluetooth Scanning - Organizations that need to check compliance with Bluetooth security requirements should perform passive scanning for Bluetooth-enabled wireless devices to analyze their potential presence and activity.
Target Vulnerability Validation Techniques
11. Password Cracking
Password cracking is the process of recovering passwords from the password hashes stored on a system or transmitted over a network. It is generally conducted during assessments to identify accounts with weak passwords. It works on hashes that are either intercepted by a network sniffer while being transmitted or obtained from a target system. Once the hashes are obtained, a password cracker rapidly generates candidate passwords and their hashes until a match is found or the assessor stops the attempt. The technique is also used to verify policy compliance by comparing recovered passwords against the organization's acceptable password composition rules.
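As an added example (not from the original post; an assessor would normally use a dedicated cracker such as John the Ripper or hashcat with a large wordlist), the following implements the loop described above: a wordlist is expanded with mangling rules, each candidate is hashed with the record's own salt until a match is found or the candidates run out, and the recovered passwords are then checked against a composition policy. The "captured" records, the wordlist and the policy are constructed for the example; the hash is salted PBKDF2-HMAC-SHA256 with a deliberately low iteration count so the example finishes in seconds, which is precisely the property a real password store should not have.

```python
import hashlib
import hmac
import itertools
import re

ITERATIONS = 1000   # intentionally low for the example; production KDFs use far more


def make_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


# Constructed "captured" records (user, salt, hash); not obtained from any real system.
CAPTURED = [
    ("alice", b"salt-a", make_hash("Summer2023!", b"salt-a")),
    ("bob",   b"salt-b", make_hash("password", b"salt-b")),
    ("carol", b"salt-c", make_hash("welcome1", b"salt-c")),
    ("dave",  b"salt-d", make_hash("x9#Kq2!vLp7$mZ", b"salt-d")),
]

WORDLIST = ["password", "welcome", "summer", "letmein", "admin"]


def candidates(words):
    """Mangling rules: case variants, leet 'a'->'@', digit or year suffixes, trailing '!'."""
    for w in words:
        for base in (w, w.capitalize(), w.upper(), w.replace("a", "@")):
            yield base
            yield base + "!"
            for suffix in itertools.chain(map(str, range(10)), map(str, range(2020, 2026))):
                yield base + suffix
                yield base + suffix + "!"


def crack(records, words):
    """Dictionary attack: hash every candidate with the record's salt until a match or exhaustion."""
    found = {}
    cand_list = list(dict.fromkeys(candidates(words)))   # de-duplicate while keeping order
    for user, salt, digest in records:
        for cand in cand_list:
            if hmac.compare_digest(make_hash(cand, salt), digest):
                found[user] = cand
                break
    return found


def policy_violations(found, min_len=12):
    """Assumed composition policy: at least min_len characters and three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    out = {}
    for user, pw in found.items():
        reasons = []
        if len(pw) < min_len:
            reasons.append("too short")
        if sum(bool(re.search(c, pw)) for c in classes) < 3:
            reasons.append("too few character classes")
        if reasons:
            out[user] = reasons
    return out


if __name__ == "__main__":
    recovered = crack(CAPTURED, WORDLIST)
    print("recovered:", recovered)
    print("policy violations:", policy_violations(recovered))
```

Two points the run makes concrete. Salting forces the cracker to rehash every candidate for every user (there is no shared table to precompute), and the iteration count sets the cost of each of those hashes; dave's password survives not because the wordlist is bad but because nothing in it, mangled or not, produces his string. Report recovered passwords to the account owners through the agreed channel and never in the plain-text findings document.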
12. Penetration Testing
Penetration testing involves launching real attacks on real systems and data, using the tools and techniques commonly employed by attackers, to identify methods for circumventing the security features of an application, network, or system.
Penetration Testing Phases
The four phases of penetration testing are:
1. Planning Phase – Rules are identified, management approval is obtained and documented, and testing objectives are set. No actual testing occurs in this phase.
2. Discovery Phase – Consists of two parts:
- The first part begins the actual testing and covers information gathering and scanning.
- The second part is vulnerability analysis, which compares the services, applications, and operating systems of the scanned hosts against vulnerability databases and the testers' own knowledge of vulnerabilities.
3. Attack Phase – The process of verifying previously identified vulnerabilities by attempting to exploit them.
4. Reporting Phase – Occurs simultaneously with the other three phases. The report describes the identified vulnerabilities, presents a risk rating, and gives guidance on mitigating the discovered weaknesses.
Penetration Testing Logistics
The penetration testing scenario should focus on locating and targeting exploitable weaknesses in the design and implementation of the system, application, or network. The test should replicate the most likely and most damaging attack patterns.
13. Social Engineering
Social engineering tests the human element and user awareness of security by revealing weaknesses in user behaviour, such as failure to follow standard procedures. It can be conducted in person or through digital means such as email or telephone. The results are used to improve the organization's security posture. Testers should produce a detailed final report that includes both the successful and the unsuccessful tactics used, so the organization can adapt its security awareness training programs accordingly.
The following table illustrates the capabilities of the security assessment techniques and the baseline skillset required for each.
We hope the above summary of assessment techniques helps you in understanding the assessment methodologies and applying them to your assessment purposes.
Hack2Secure is one of the few global vendors with the capability to deliver end-to-end Information Security programs, viz. Training, Certification (PearsonVUE), and Services, across Information Security domains aligned with industry security requirements and best practices. Connect with us to explore more.