SENG8060
Security Testing
Fall 2021
• Obtain authorization through a Statement of Work
• The above still applies if you're testing your own company, unless your job description clearly defines this activity
• Any security consultant should be familiar with the Open Source Security Testing Methodology Manual (OSSTMM), which provides best practices for these situations.
• You may run into problems with certain Internet Service Providers (ISPs) while running your scans
2 of 29
• Many countries, and states within the USA, have their own computer abuse laws
  ▪ Some are more extreme than others.
• Does port scanning damage networks?
  ▪ It's rare, but it does happen
  ▪ It depends mostly on the tool and the infrastructure
• Can I scan in a public space?
  ▪ No, you shouldn't
  ▪ If it ever gets escalated and it correlates back to you, you are at the mercy of people who likely don't understand the nature or intent of the activity
3 of 29
• When a commercial entity does one of the following things without your consent (not a comprehensive list):
  ▪ Transmission of electronic messages to an electronic address
    ▪ This includes emails, social networking accounts and text messages
  ▪ Modification of the transmission of data in an electronic message, which results in the message being delivered to a different destination
  ▪ Installing computer software
  ▪ Collecting or using electronic addresses
4 of 29
• Known informally as the "Access Act" or formally as "C-13"
• In summary: Canadians may be watched by the government, and internet history and activity preserved based on "suspicion"
  ▪ Police and Public Officer Preservation Demands and Orders for Data
  ▪ Judicially Authorized Preservation Demands and Orders for Data
  ▪ Orders to Keep Things Secret, Immunity from Civil or Criminal Prosecution of those that Produce, Criminal Consequences for Failing to Do So
  ▪ Warrants for Tracking Devices, Transactions, and Things
5 of 29
• Section 342.1: Unauthorized use of a computer
  https://laws-lois.justice.gc.ca/eng/acts/C-46/section-342.1.html
• Section 430: Mischief
  https://laws-lois.justice.gc.ca/eng/acts/C-46/section-430.html
• Section 184: Interception
  https://laws-lois.justice.gc.ca/eng/acts/c-46/section-184.html
6 of 29
• Scope
• Objectives
• Background
• Requirements
• Accepted Risks
• Etc.
7 of 29
• Lives can be lost
• Economies can be damaged
• Privacy is often compromised
• The effects of a security breach can vary
  ▪ They can have a significant impact
• Software developers have a responsibility to observe numerous best practices, including those that promote the security of data and the appropriate hardening of applications
8 of 29
• Physical
• Electronic
• Procedural
• Obscurity
  ▪ System security should not depend on the secrecy of the implementation or its components.
• And more…
9 of 29
• Does the organization have effective policies that promote and enforce strong security?
  ▪ Consider the problem of locking your PC when you leave your desk for coffee
  ▪ Clean desk policy (CDP)
  ▪ Password management
• In a healthy corporate culture, security is seen as a necessary, beneficial goal
10 of 29
• A person or event that seeks, intentionally or unintentionally, to cause harm
  ▪ Natural disaster
    ▪ Tsunami, earthquake, blizzard, hurricane, flooding, etc.
  ▪ Hostile actor
    ▪ Organized crime, corporate espionage, hostile nations, terrorism
  ▪ Disgruntled employees, former employees
  ▪ Untrained users, lax administrators
11 of 29
• A weakness in a network, software or system that can be taken advantage of by a Threat Agent.
  ▪ Unlocked doors
  ▪ Exchange of unencrypted login information
  ▪ Susceptibility to buffer overflow
  ▪ Susceptibility to SQL injection
  ▪ Lack of procedures and training
  ▪ Lack of proper equipment (fire suppression, fail-over, etc.)
12 of 29
• A process that allows a Threat Agent to take advantage of a Vulnerability.
  ▪ Malware
  ▪ Phishing e-mails
  ▪ Hijacked websites
  ▪ Ransomware
  ▪ SQL Injection
  ▪ Cross-Site Scripting
  ▪ Many more
13 of 29
• Strategic – High-level and long-term goals or policies of the organization
• Operational – Mid-term functional plans that define and focus on procedures for the entire organization
• Tactical – 'Keyboard' level, often reactionary processes or instructions that help accomplish Operational and Strategic goals
14 of 29
• Protection against malice, mistakes and mischance
• Mitigating against theft, fraud, destruction or disruption
• Security is a risk management business
  ▪ Loss of time, money, privacy, reputation or advantage
• Insurance Model
  ▪ Balance costs against risk of loss
15 of 29
• What is a principle?
  ▪ A fundamental truth or proposition serving as the foundation for belief or action
• What is a security design principle?
  ▪ A declarative statement made with the intention of guiding security design decisions in order to meet the goals of a system
16 of 29
• There are many, many different sets of security design principles provided by numerous entities: OWASP, NIST, NCSC
  ▪ https://www.owasp.org/index.php/Security_by_Design_Principles
• The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software
17 of 29
1. Minimize attack surface area
2. Establish secure defaults
18 of 29
3. Least privilege
4. Defense in depth
19 of 29
5. Fail securely
6. Don't trust services
20 of 29
7. Separation of duties
8. Avoid security by obscurity
21 of 29
9. Keep security simple
10. Fix security issues correctly
22 of 29
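An added example, not from the SENG8060 slides, showing three of the OWASP principles listed above ("establish secure defaults", "least privilege" and "fail securely") in one authorization check. The roles, permissions and the role directory are constructed for illustration; the fail-open variant is included only to show what the principles prevent.

```python
"""Added example, not part of the SENG8060 slides: the OWASP principles
"establish secure defaults", "least privilege" and "fail securely" applied
to one authorization check. Roles, permissions and the role directory below
are constructed for illustration."""

from typing import Dict, Set

# Least privilege: every role carries only the permissions its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "user:manage"},
}

# Secure default: an account with no role on file is a viewer, never an admin.
DEFAULT_ROLE = "viewer"

# Constructed stand-in for a role directory (LDAP, a database, an IdP claim).
# An empty string simulates a backend error for that account.
USER_ROLES: Dict[str, str] = {
    "alice": "admin",
    "bob":   "analyst",
    "carol": "auditor",   # present in the directory, but not in our policy
    "dave":  "",          # lookup fails for this account
}


class RoleLookupError(Exception):
    """The role backend could not answer."""


def lookup_role(user: str) -> str:
    """Constructed lookup: unknown accounts get the default role, 'dave' errors."""
    if user not in USER_ROLES:
        return DEFAULT_ROLE
    role = USER_ROLES[user]
    if not role:
        raise RoleLookupError(f"role backend unavailable for {user!r}")
    return role


def is_allowed_fail_open(user: str, permission: str) -> bool:
    """Anti-pattern: an error or an unrecognised role is treated as 'allowed'.
    A backend outage, or a typo in a role name, becomes an access bypass."""
    try:
        role = lookup_role(user)
    except RoleLookupError:
        return True                      # fails open
    if role not in ROLE_PERMISSIONS:
        return True                      # unknown role: "assume it's fine"
    return permission in ROLE_PERMISSIONS[role]


def is_allowed(user: str, permission: str) -> bool:
    """Hardened check: any gap in the decision path resolves to deny."""
    try:
        role = lookup_role(user)
    except RoleLookupError:
        return False                     # fails securely
    # An unrecognised role grants the empty set, i.e. nothing.
    return permission in ROLE_PERMISSIONS.get(role, set())


def compare(user: str, permission: str) -> Dict[str, bool]:
    """Return both decisions side by side so the difference is visible."""
    return {
        "fail_open": is_allowed_fail_open(user, permission),
        "fail_closed": is_allowed(user, permission),
    }


if __name__ == "__main__":
    for who, what in [("alice", "user:manage"), ("bob", "user:manage"),
                      ("carol", "user:manage"), ("dave", "report:read"),
                      ("mallory", "report:read")]:
        print(f"{who:8} {what:14} {compare(who, what)}")
```

The two cases that differ are the backend error ("dave") and the role the policy does not know ("carol"): the fail-open check grants both everything, the hardened check grants neither anything.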
• A widely used benchmark for evaluating the security of information systems
• Meant to guide policies for information security within an organization
23 of 29
• Authorization, related to privacy
• Ensuring only the proper people have access
• Many methods
  ▪ Username/Password
  ▪ Access Control
  ▪ Encryption
  ▪ Etc.
24 of 29
• Ensuring the information in use is correct
• Data integrity
  ▪ Data has not been changed inappropriately
  ▪ May be accidental
  ▪ May be deliberate
• Backups are often essential
25 of 29
• The ability to access a computer resource
• Importance ranges greatly depending on the domain
  ▪ Library resource
  ▪ Hospital system
• An unavailable resource can impact security in other areas
• Redundancy and failover are key
26 of 29
• Effort can be divided into two distinct areas
• Prevention
  ▪ Stop it before it begins
    ▪ Username/Password
• Detection
  ▪ Alert once it has occurred
    ▪ Burglar alarm
27 of 29
• CIA is heavily dependent on the domain requirements of a system
  ▪ What is "appropriate" or "adequate"?
  ▪ The balance between prevention and detection
28 of 29
• Any questions?
29 of 29

SENG8060_Lesson01_Introduction (2).pptx