There are three main components of security assessment and testing: security tests, security assessments, and security audits. Security tests verify controls are functioning properly through automated and manual tests. Security assessments perform comprehensive reviews of systems and networks to identify risks and recommend mitigations. Security audits systematically evaluate controls to demonstrate effectiveness to third parties. Other topics covered include penetration testing, vulnerability assessments, code reviews, logging, and different testing methods.

1. Security Assessment and
Testing

2. Components
• There are three main components
• Security Test
• Security Assessment
• Security Audit

3. Security Testing
• Verifies that a control is
functioning properly
• Predominantly are automated
tests, while some tests may
required human analysis
• Automated scans, tool-assisted
Penetration Testing, manual
attempts to break the controls
• Performed by organization’s
security staff
• Results are meant for internal use
only
• Designed to evaluate controls with
an eye towards finding potential
improvements
Security Assessment
• It is comprehensive security review
of a system, application or network
• Risk assessment is performed, and
mitigation strategies are
recommended
• Assessment includes Security
Testing
• The output of the program is a
assessment report to management
outlining the outcomes and the
recommendations
• Predominantly performed by
organization’s security staff
• Results are meant for internal use
only
• Designed to evaluate controls with
an eye towards finding potential
improvements
Security Audit
• Systematic Evaluations performed
with the purpose of demonstrating
the effectiveness of controls to a
third-party
• It is performed by independent
auditors
• Auditors provide an impartial,
unbiased view of the state of
security controls.
• The reports are intended for BoD,
government regulators, or other
third-parties.

4. Security Audit Types
• Two Types of Audits
Internal Audit
• Performed by an organizations internal staff
• The reports are typically intended for
Internal Audience
• Disadvantage is conflict of Interest and
hidden agenda
External Audit
• Performed by third-party auditors
• Reports are intended for third-party stake
holders
• They are unaware of internal dynamic and
politics hence they may not have any hidden
agendas
• Major disadvantage is the cost
• Sometimes lack of internal working
knowledge may translate to longer time to
get oriented and be able to perform the test
• Signing a NDA is a pre-requiste

5. Audit Strategy
• Establishing a clear set of goals is the most important step for
planning a security audit.
• Audit can be driven by the following factors
• Compliance requirements
• Significant changes to the architecture
• New developments in threat facing the organization
• The scope of the audit should be determined in coordination
with business unit managers
• The business unit managers should be included early in the
audit planning process and should be engaged throughout the
Aduit lifecycle

6. Audit process
Goal
• Determine the goal of the audit
Involve Stake holders
• Bring in Business unit managers at
the earliest stage possible
• It ensures the needs of business are
identified and addressed
Scope
• Determine the scope of the
assessment
Audit Team
• Choose the right audit team
• Choose whether the team will consist
of internal or external personnel,
depending on the goals, scope,
budget and available expertise
Plan the Audit
• Ensure are all goals are met on time
and budget
Conduct the Audit
• Stick to the plan and document
deviations
Documentation
• Document the results
• Key requirement that should start at
the planning process and continue all
the way to the results
Communicate
• Communicate to the right leaders in
order to achieve and sustain a strong
security posture

7. Service Organization Controls (SOC)
• SAS 70 has got transformed in SSAE 16/
• Developed by American Institute of Certified Public Accountants
(AICPA)
• European equivalent is ISAE 3402
• Three kinds of SOC reports are there
• SOC 1 : Pertains to Financial controls
• SOC 2: Pertains to security, availability, confidentiality, Integrity, Process and
Privacy (collectively called Trust Services)
• SOC 3: Pertains to security, availability, confidentiality, Integrity, Process and
Privacy (collectively called Trust Services)
• SOC 2 provides detailed data related to the controls and is not
intended for public use
• SOC 3 is just a “Seal of approval” and does not contain the detailed
results, predominantly placed in service provider websites and
marketing collateral

8. Vulnerability Assessment / Testing
• Vulnerability Assessment must be done by professionals with deep security
experience and highest level of trust
• Before carrying VA, written authorization from management is necessary. This
protects the tester against prosecution
• Goals of VA are
• Evaluate the true security posture
• Identify as many vulnerabilities as possible
• Test how systems react to certain circumstances and attacks
• Vulnerability assessment results are “snapshot in time”
• Because they are point-in-time snapshot, these assessments should be done
regularly
• Low-priority, better-protected and less-at-risk environments can be scanned once
or twice an year
• High-priority, more vulnerable targets, should be scanned nearly continuously
• If automatic scans are used, it is recommended to use more than one tool.
• Scans should be run by different experts (time to time)

9. Vulnerability Assessment Types
• Personnel Testing
• Identifying vulnerabilities in standard employee practices,
demonstrating social engineering attacks
• Physical Testing
• Reviewing facility and perimeter protection mechanisms
• Performing physical security vulnerability assessment
• System and network testing
• 3 main categories are there
• Network discovery scan
• Network vulnerability assessment
• Web Application vulnerability scan

10. Network Discovery Scan
• Searching for systems with open ports
• They do not actually probe systems for vulnerabilities
• Some techniques
• TCP SYN Scanning:
• Sends a single packet to each scanned port with the SYN packet set
• If it receives a response back with SYN and ACK flags set, this indicates the port is open at the
sender end.
• This is also called as “half-open” scanning
• TCP Connect Scanning:
• Opens a full connection to remote system on the specified port
• Used when the user running the scan does not have necessary permission to run a half-open
scan
• TCP ACK Scanning
• Sends a packet with ACK flag set, indicating that it is part of an open connection
• Xmas Scanning
• Sends a packet with the FIN, PSH, URG flags set.
• The most common tool used for network discovery scan is nmap

11. Network Vulnerability Scan
• It goes deeper than the discovery scan
• They continue to probe the network for presence of known
vulnerabilities
• These tools contain a database of known vulnerabilities along with
the tests they can perform to identify these vulnerabilities
• Two common problems associated
• False-positive: reporting a vulnerability without have substantial evidence to
prove or reporting mistakenly. It is a nuisance
• False-negative: not identifying a vulnerability and failing to report it as part of
the results. It is a dangerous situation
• Authenticated scans help reduce the False positive/negative results
• Authenticated scans are performed with read-only access to the servers being
scanned.

12. Web Vulnerability Scan
• Special purpose scanners that analyze web applications for
known vulnerabilities
• They can discover vulnerabilities not visible to network
vulnerability scanners
• Its good to run these scans in the following circumstances
• Scan all applications for the first time
• Scan any new application before moving to production
• Scan any modified application before the code changes move to
production
• Scan all applications on a scheduled recurring basis
• PCI recommends web application scans are performed at least
once annually

13. Commonly exploited Vulnerabilities
•Problems that occur at the core of OS; attacker exploiting the vulnerability will have the
most powerful level of control
•Countermeasure: Ensure security patches are tested deployed and verified
Kernel Flaw
•Buffer overrun due to improper bounds verification
•Countermeasure: Good programming language, developer education; automated source
code scanners
Buffer Overflow
•Symbloic link is a stub file that redirects the access to another place; if attacker can
compromise the symbolic link, they may be able to gain unauthorized access
•Countermeasure: programs/scripts must be written to full path to file cannot be
circumvented
Symbolic Links
•Numbers many OS use to represent open files in a process; certain file descriptor numbers
are universal, meaning same thing to all programs
•Countermeasure: Good programming language, developer education; automated source
code scanners and application security testing
File Descriptor attack
•Exists when a design of a program puts it in a vulnerable condition before ensuring that
those vulnerabilities are mitigated
•Counter measure: Good programming language, developer education; automated source
code scanners and application security testing
Race Condition
•Attacks rely on inappropriate access control of some part of the system on which a more
secure part of the system depends
•Countermeasure: File Integrity checkers
File and Directory permissions

14. Penetration Testing
• Goes beyond vulnerability testing and actually tries to exploit the
system
• They require focused attention from trained security professionals
• Its goal is the measure an organizations’ level of resistance to an
attack and to uncover any weaknesses within the environment
• It emulates the same methods attackers would use
• The type of penetration testing should depend upon
• The organization, its security objectives, and the managements’ goals
• The result is a report given to management that describes the
vulnerabilities identified and the severity of those vulnerabilities. IT
also may provide mitigating strategies
• Its critical Senior Management is aware of this and have given
authority to do so

15. Penetration Testing Process
Discovery
• Foot printing
and gathering
information
about target
Enumeration
•Performing
port scans
and resource
identification
methods
Vulnerability
Mapping
•Identifying
vulnerabilities
in the
systems and
resources
Exploitation
•Attempting to
gain
unauthorized
access by
exploiting
vulnerabilities
Reporting
•Reporting the
findings to
Management

16. Penetration/ Vulnerability testing Types
Black box testing
[Zero Knowledge]
• The tester has no prior
knowledge of the internal
design or features of the
system
• It simulates the external
attacker best
• Disadvantage is that it will
probably not detect all
vulnerabilities
• Another disadvantage is that
the testing team may
inadvertently impact
another system
White box testing
[Full Knowledge]
• The tester has complete
knowledge of the internal
system
• Allows test team to target
specific internal controls and
features
• It may yield a more complete
result
• It may not be representative
of an external hacker
Gray box testing
[Partial knowledge]
• Some Information about
internal working is given to
the tester.
• It helps guide their tactics
towards areas we want to
have thoroughly tested
• This approach mitigates the
risks of the other two
models

17. Penetration tests
Blind Tests
• The tester only has
publicly available data to
work with
• The network security team
has prior knowledge of
this test to defend
Double Blind Types
• Also known as stealth
assessment
• It is a blind test to both the
tester as well as the
security team
• It is used to evaluate the
security levels and
responses of the security
team
• It is a realistic
demonstration of the likely
success or failure of an
attack
Targeted
• Involves external and
internal parties carrying
out a focused test on
specific areas of interest

18. Log Review
• Examination of system logs to detect security events or verify effectiveness
of security controls
• The most key requirement for effective log review is the synchronization
across all the log sources
• NTP is the protocol for time synchronization (UDP 123)
• NTP:
• Oldest protocol used in internet
• Time value is sent in a UDP datagram that carries a 64-bit timestamp on port 123
• It’s a client/server architecture, with hierarchical time sources organized into strata
• Stratum 0 is the most authoritative and consists of highly accurate time sources such
as atomic clocks, GPS
• Stratum 1 consists of primary time sources that are directly connected to stratum 0
• Stratum 2 are local network servers that an organization’s NTP server will connect
• Stratum 3 are other local servers and clients
• Nodes on the same stratum can communicate with each other to improve efficiency of
their times

19. Log Tampering Prevention
• Remote Logging:
• Putting a log file into another device will protect from tampering it in a
compromised system
• Simplex Communication:
• Using one way communication between the reporting devices and the central
log repository. Accomplished by severing the “receive” pairs on an Ethernet
cable.
• Data diode ~ physically ensuring one-way path
• Replication:
• Making multiple copies and keeping them in different locations
• Write-once media:
• Using write-once media to prevent unauthorized modifications to log files
• Cryptographic Hash:
• Powerful technique for ensuring unauthorized modifications are easily
noticed.

20. Synthetic Transactions
• Transactions that are initiated by an end-user is called real
transactions
• Automatic script based transaction with expected output is
called Synthetic Transaction
• They allow to systematically test the behavior and performance of
critical services
• They can help test new service mimicking end-user behaviors to
ensure systems work as it ought to
• This is an effective way of testing software from the outside

21. Synthetic Transactions Vs Real User Monitoring
Real User Monitoring Synthetic Transaction
Passive way to monitor real user interactions
with a web application or system
They help in ensuring the user does not get
dissatisfied or encounter a problem
It uses real users instead of scripted
commands
It is based on custom scripts mimicking user
behaviour
It more accurately captures the actual user
experience
They can detect rare occurrences more
reliably than waiting for user actions
It tends to produce noisy data and thus may
require more back-end analysis
Its very predictable and can be regular
because their behaviour is scripted
It lacks the elements of predictability and
regularity, which could mean that a problem
wont be detected during low utilization periods
Synthetic transactions are run against test
code and the output is compared against
expected results, clearly showing mismatches

22. Use Case Testing
• Use case describes the sequence of actions between the user
and the system that result in an expected output
• Use cases are textual but are graphically represented using
Unified Modeling Language (UML)
• Use cases are related to one another in a variety of ways called
associations
• Including another use cases ~ the use case will be always executed
• Extending a use case ~ second use case may or may not be executed
depending on the decision point in the main use case
• Use cases are mainly helpful in determining the normal or
expected behavior of a system rather than in assessing its
security

23. Misuse Case Testing
• Misuse case is a use case that includes threat actors and the actions they want to
perform on a system
• Under UML, threat actors are represented as stick figures with shaded heads and their
actions are depicted as shaded ovals
• The misuse case is meant to threaten a specific portion or legitimate use case of our
system
• Misuse case testing helps to ensure we have effectively addressed each of the risks we
identified and decided to mitigate during risk assessment phase
• Misuse case doesn’t require to include all the possible threats to the system, but it
should include the ones that was decided to be addressed
• It is also referred to as abuse case testing
• They are used by software developers to evaluate the vulnerability of their software to
known risks

24. Code Reviews
• A systematic examination of instructions that comprise a piece of software,
performed by someone other than the author of that code
• It is the foundation of software assessment programs
• It is often also known as “peer reviews”
• It starts with the organization setting the coding standards to be followed
• The preliminary step to code review is to ensure the developer followed the
defined coding standard
• After this step, the reviewer shall check for unneeded functions or procedures
that may lead to “code bloat” ~ which makes it harder to maintain and secure
the application
• Defense programing is a best practice to be adopted by all software
development operations ~ constantly look for opportunities for things to go bad

25. Fagan Code Review Process
• Fagan inspection is the most formal code review process with 6 steps
• Planning
• Overview
• Preparation
• Inspection
• Rework
• Follow-up
• This level of formality is normally found only in highly restrictive environments
where code flaws may have catastrophic impact.

26. Testing Methods
• Static Testing
• Evaluates the security of software without running it
• Usually involves the use of automated tools designed to detect common software flaws, such as
Buffer overflows
• In mature development environments, developers are given access to static analysis tools and
use them throughout the design, build and test process
• Helps developers identify programming flaws and vulnerabilities.
• Static analysis can never reveal logical errors and design flaws
• Dynamic Testing
• Evaluates security of software in a runtime environment and is often the only option for
organizations deploying applications by someone else
• Testers do not often have access to source code
• Dynamic testing can involve the use of synthetic testing
• It is effective for compatibility testing, detecting memory leakages, and identifying dependencies,
and for analyzing software without having to access the software’s actual source code

27. Testing Methods
• Fuzz Testing
• Specialized dynamic testing technique that provides many different inputs to
software to stress its limits and find previously unknown flaws
• Two main categories of Fuzz Testing are
• Mutation (dumb) Fuzzing:
• Takes previous input values from actual operation of the software and manipulates it to
create fuzzed input. It might alter the characters of the content, append strings etc.
• ZZUF tool automates the process of mutation fuzzing
• Generational (intelligent) Fuzzing:
• Develops data models and creates new fuzzed input based on an understanding of the
types of data used by the program

28. Interface Testing
• An interface is an exchange point of data between the system/user
• Interface testing is a systematic evaluation of a given set of exchange points
• The testing should include known good and bad exchanges
• The primary task of interface testing is to build all the test cases ahead of time,
document them, and then insert them into a repeatable and automated test
engine.
• Interface testing is a special case of Integration testing ~ which is the
assessment of how different parts of a system interact with each other

29. Interface Testing Types
• Application Programming Interface (API)
• Offers a standard way for code modules to interact and may be exposed to outside world.
• Developers must test API to ensure they enforce all security requirements
• User Interface (UIs)
• Graphic User Interface and command-line interfaces that provide end-users with the ability
to interact with the software. The test should include reviews of all user interfaces to verify
that they function properly
• Physical Interfaces
• Exists in some applications that manipulate machinery, logic controllers etc.
• Testers should pay careful attention to physical interfaces because of the potential
consequences if they fail

30. Test Coverage Analysis
• It is practically impossible to complete test a software
• Testing professionals conduct Test Coverage Analysis to estimate the degree of
testing conducted against the new software.
• It is computed using the formula
• Test coverage =
• This is a highly subjective calculation
Number of use cases tested
Total number of use cases

31. Account Management
• Compromising privileged users of the system is the
preferred technique for attackers
• Three ways to accomplish:
• Compromise an existing privileged account
• Create a new privileged account
• Elevate the privileges of a regular user account

32. Adding accounts
• Every organization should, at minimum, have acceptable use policy that
specifies what the organization considers acceptable use of the IT resources
made available to the employees
• The AUP is the useful first line of defense
• Testing that all employees are aware of AUP and other applicable policies can
be the first step in auditing user accounts
• The AUP should also dictate the default expiration date of accounts, the
password policy, and the information to which a user should have access.

33. Modifying/Suspending accounts
• Accumulation of access privileges over the life time of an employee in the
organization results in privilege accumulation.
• This is a dangerous practice that gives the employee more privileges than
needed for performing their job function
• Another important practice in account management is to suspend accounts that
are no longer needed
• Account reconciliation is an important function that helps determine dormant
accounts.

34. Business Continuity Plan Testing
• BCP maintenance should be incorporated into change management procedure
• Tests and DR drills should be conducted atleast once a year
• The first exercise should not include all employees rather a small representative
sample of the organization
• People conducting the drills should expect to encounter problems and mistakes

35. BCP Drills
Checklist Test
•Copies of BCP/DR plan
distributed to the
different departments
for review
•This ensures nothing is
taken for granted or
omitted
•Planning team
integrates all changes
to the master plan
•It is also called desktop
or table top test
Structured walk-through
•Representatives from
each department come
together and go over
the plan
•The group reviews the
objective, scope,
assumptions of the
plan
•The group walks-
through different
scenarios of the plan
from beginning to end
to make sure nothing is
left out
Simulation Test
•This test takes a lot of
planning and resources
•All employees
participating in
operational and
support functions come
together to practice a
specific scenario
•It raises the awareness
level of the people
involved
•The drill shall include
only those materials
that will be available in
an actual disaster.
•The test continues upto
the point where
physical migration to
new facility gets
initiated
Parallel Test
•Some systems are
moved to alternate site
and processing takes
place
•The results are
compared with the
regular processing
done at original site
•Ensures specific
systems can function
adequately at alternate
site during disaster
Full-Interruption Test
•Most intrusive to
regular operations
•The original site is shut
down and processing
takes place at the
alternate site
•Recovery team fulfills
its obligations in
preparing the systems
and environments for
the alternate site
•All processing is done
at alternate site
•It should be performed
only after all other tests
are completed
satisfactorily
•Senior mgmt. approval
is needed before
performing this test

36. Security Training and Awareness
• Security training is the process of teaching a skill or set of skills that will allow
people to perform specific tasks better
• Security awareness is the process of exposing people to security issues so
that they may be able to recognize them and better respond to them
• The key measure of security awareness program is the degree to which the
users change their behaviors when presented with a certain situation

37. Social Engineering
• Process of manipulating individuals so that they perform actions that violate the security
policy
• Phishing – the most popular form of social engineering attack conducted through digital
communication
• Spear Phishing – a type of phishing attack that is targeted to a specific group or
individual
• Whaling – specific phishing attack targeting senior executives or individuals
• Drive by download – invisibly redirect the user to malicious distribution server; it is an
automatic attack that is triggered simply by visiting a malicious website.
• Pretexting – social engineering attack over phone

38. Key Performance Indicators (KPI)
• Process by which to measure the performance of security controls and processes
• ISO 27004 deals with KPI metrics
• Some key terms associated with KPI
• Factor: An attribute of the ISMS that can be described as a value that can change over time
• Eg: number of AV alerts or number of investigations conducted
• Measurement: the value of a factor at a particular point in time. This is the raw data
• Eg: 20 AV alerts per day or 15 investigations per month
• Baseline: An arbitrary value for a factor that provides a point of reference or denotes that some
condition is met by achieving some threshold value
• Eg: number of AV alerts per month will not be more than 25, or the number of investigations open for more than 48
hrs should not be more than 10

39. Key Performance Indicators (KPI)
• Some key terms associated with KPI
• Metric: A desired value that is generated by comparing various results with each other or
baseline
• Eg: ratio of false-positives AV alerts to valid alerts per month
• Indicator: An interpretation of one or more metrics that describes an element of the
effectiveness of the ISMS. Indicators are meaningful to management.
• KPIs should be easily understandable to both business and technical audience
and should be aligned with one or more organizational goals

40. Key Performance Indicators (KPI)
• KPI are driven by organizational goals.
• KPI process include
• Choose the factors that can show the state of our security
• Define baselines for some or all factors under consideration
• Develop a plan for periodically capturing the values of these factors
• Analyze and interpret the data
• Communicate the indicators to all stakeholders

41. Key Risk Indicators (KRI)
• KRI tells us where we are in relation to our risk appetite
• They measure how risky an activity is so that leadership can make informed
decisions about the activity
• KRIs are selected for their impact on the decisions of the senior leaders in the
organization
• It is useful to relate them to SLE equations
• KRIs alert us when something bad is likely to happen so that we can change our
behavior and defeat the threat

42. Technical Reporting
• The technical report should be the application of a standard methodology to the
specific system of study
• The raw data and automated reports should be provided in an appendix
• The key elements of a good technical report are
• Threats
• Vulnerabilities
• Probability of exploitation
• Impact
• Recommended actions

43. Executive Summary
• Translate the key findings and recommendations into language that is
approachable and meaningful to the senior leadership
• Goal is to get their attention and execute the desired change
• Multiple approaches can be used
• The Cost approach ~ looks at the cost or acquiring or replacing the asset
• The Income approach ~ considers the expected contribution of the asset to the company’s
revenue stream.
• The Market approach – Determine how much other firms are paying for a similar asset in the
marketplace. It requires a fair amount of transparency in terms of what other organizations
are doing.

44. Karthikeyan Dhayalan
MD & Chief Security Partner
www.cyintegriti.com