Information Security Testing And Assessment NIST SP 800 115
In today’s world, security is not an extravagant, but a complete necessity. Most organizations find severe to perform adequate information security testing and assessment to determine gaps in their environment, which create risk. Keeping this in mind, here we present a brief summary of NIST SP 800-115 – Information Testing and Assessment. This document aims to offer guidelines for enterprises regarding planning & conducting technical information security assessments and testing, analyzing findings & building mitigation strategies.
Security Testing And Examination Overview
Several accepted methodologies are available for performing various kinds of information security assessments. The methodology should comprise at least three important phases. They are as follows:
1. Security Assessment Planning
Proper Planning is essential for the successful security assessment and it comprises the following actions:
- Developing A Security Assessment Policy – Enterprise should develop this policy to offer guidance and direction for their security assessments.
- Prioritizing And Scheduling Assessments – Enterprise should determine which systems should experience technical assessments & how frequent these assessments should be completed. The prioritization depends on expected benefits, system categorization, application regulations and scheduling requirements.
- Selecting & Customizing Techniques – After determining the assessment objectives, the enterprise should choose the technique classes to be utilized to acquire information, which supports those objectives & certain techniques within the selected class.
- Assessment Logistics – It includes determining entire resources needed for performing the assessment, needed software and hardware testing tools and the environment for which testing is performed. It can be addressed by the following elements:
- Assessor Selection & Skills
- Location Selection
- Technical Tools and Resource Selection
- Assessment Plan Development – An assessment plan offers accountability and structure by documenting the actions planned for the assessment, with other associated information.
- Legal Consideration – A validation of potential legal anxieties for an assessment must be addressed before beginning an assessment.
2. Security Assessment Execution
During this phase, vulnerabilities are determined by the techniques and methods decided in the planning phases & determined in the ROE or assessment plan. The key points to focus on this phase are as follows:
- Coordination – Throughout the assessment, the assessor requires to coordinate with different entities of the enterprise.
- Assessing - It is suggested that the assessors frequently review the ROE or plan during the assessment.
- Analysis – Enterprise should conduct an analysis to determine the causes of vulnerabilities, categorize vulnerabilities and identify false positives.
- Data Handling – Enterprise should guarantee proper documentation of needs for data handling in the ROE or assessment plan and obey to their policies about the system vulnerabilities handling. Suggested methods for data handling are Data Collection, Data Storage, Data Transmission, and Data Destruction.
3. Post Testing Activities
Involves the act of translating the findings identified from execution phase into actions, which will enhance security. Steps involved in this phase are:
- Mitigation Recommendation – After the completion of entire testing capabilities, it is essential to develop mitigation recommendations (which includes the result of the root cause analysis) for each finding.
- Reporting – Once the analysis has been completed, a report must be created, which identifies the network, system, and organization’s vulnerabilities & their recommended mitigation activities.
- Remediation/Mitigation – Enterprise may consider building a process or strategy for applying a plan to acceptable remediate or mitigate the risk.
Technical Assessment Techniques
Myriads of technical security testing & examination techniques available that can be applied to evaluate the security position of networks and systems of organization. The commonly used assessment techniques are grouped into the following three categories:
1. Review Techniques
It examines the applications, systems, policies & procedures to determine security vulnerabilities.
The common review techniques are described in the following:
- Documentation Review – Determines whether the technical factors of policies & procedures are up-to-date and comprehensive. It can discover the weakness and gaps, which could lead to improperly implement or missing security controls. It doesn’t guarantee that security controls are applied properly instead ensures the guidance and direction available to support security infrastructure.
- Log Review - Determines whether the security controls are recording the proper details and of the enterprise is followed to the log management policies. Audit logs, a source of historical details can be utilized to support evaluate that the system is functioning based on the established policies.
- Ruleset Review – A ruleset is defined as the collection of signatures or rules, which network traffic /system activity is equated against to identify what action to accomplish. Ruleset review involves ensuring comprehensiveness as well as determine weakness and gaps in the security devices.
- System Configuration Review – Includes the process of determining vulnerabilities in the security configuration controls like systems not been configured or hardened based on security policies. SCAP (Security Content Automation Protocol) is a method for applying certain standards to facilitate automated vulnerability management, policy compliance evaluation, and measurement.
- Network Sniffing - This passive technique monitors network communications, examines headers & payloads to flag details of interest and decodes protocols. In addition to this, network sniffing can also be applied as the target identification & analysis techniques.
- File Integrity Checking – Offer a chance to determine that the files in the system have been altered computing & keeping a checksum and creating a file checksum catalog or database. This capability is generally added to any kind of commercial host-based IDS.
2. Target Identification & Analysis Techniques
It aims to identify the active devices as well as their related services and ports, & evaluating them for possible vulnerabilities.
- Network Discovery – Uses various methods to determine active as well as responding hosts on the network, determine weakness, & learn the operation of networks. For discovering devices on the network, it uses both passive or examination and active or testing techniques. It also detects rogue or unauthorized devices functioning of the network.
- Network Port & Service Identification – It uses a port scanner to determine network ports & service functioning on the active hosts and the application, which is running each determined service. Enterprises should perform network port & service identification to determine the hosts if this hasn’t already been achieved by other ways and flag possibly vulnerable services. This detail can be utilized to identify targets for the penetration testing.
- Vulnerability Scanning - It can support to identify missing patches, outdated software versions, misconfiguration and evaluate compliance with, or variations from the security policy of an enterprise.
- Wireless Scanning – Organization today are required to test as well as secure their organization wireless environment. The wireless scanning techniques can support organizations discover corrective actions to address risks caused by wireless enabled technologies. It comes in following scanning techniques:
- Passive Wireless Scanning
- Active Wireless Scanning
- Wireless Device Location Tracking
- Bluetooth Scanning
3. Target Vulnerable Validation Techniques
Explores the existence of the vulnerabilities using the details gathered from target identification & analysis.
- Password Cracking – Process of recuperating passwords from the password hashes kept in a system or transferred over networks.
- Penetration Testing – Includes launching real attacks on the data and systems, which uses techniques and tools commonly utilized by hackers to determine methods for avoiding the security aspects of an application, network, or system.
- Social Engineering – Involves testing the human element & user awareness regarding the security factors to reveal the weakness in the user behaviors like failing to obey standard procedures. It can be conducted via analog and digital.
Comparing Test and Examination
In most cases, a compilation of examination and testing techniques can offer a more appropriate picture of security.
Tests can be conducted from several viewpoints. The two common viewpoints are:
1. External & Internal – In the view of how easily the malicious insider or external hackers successfully compromise the system security. External testing aims to reveal the vulnerabilities, which could be exploited by the external hackers by performing testing from the outside the enterprise’s security parameter. Internal security testing aims to reveal the vulnerabilities, which could be exploited by the internal malicious users and demonstrates the possible damage this kind of attacker could root by the way of working on the internal system and network as well as assuming the trusted user’s identity or an attacker.
2. Overt (White Hat Testing) & Covert (Black Hat Testing) – In the view of previous knowledge that evaluators possess of the victim or victim environment. Overt Security testing involves conducting internal/external testing with the consent and knowledge of the enterprise’s IT staff, facilitating a comprehensive assessment of system or network security position. Covert security testing involves an adversarial approach by conducting tests with the complete knowledge & permissions of upper management instead of using knowledge of the enterprise’s IT staff.
This article presented the outline of the key elements of the security testing and assessment. A comprehensive recommendation and guidelines of each technique. Read More....
Hack2Secure is as one of the few global vendors with capability to deliver End-to-End Information Security programs viz Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. Connect with us to explore more.