rainit2006 / CISSP

6_security assessment and testing #8

Open rainit2006 opened 3 years ago

rainit2006 commented 3 years ago

SOC reports

Service Organization Controls (SOC) are auditing standards for service organizations, defined in the American Statement on Standards for Attestation Engagements (SSAE) 16 and the International Computing Centre’s (ACC) International Standard on Assurance Engagements (ISAE) No. 3402.

SOC is an abbreviation of "Security Operation Center": an organization that monitors networks and devices 24 hours a day, 365 days a year, detects and analyzes cyber attacks, and advises on countermeasures. The American Institute of Certified Public Accountants (AICPA) defines System and Organization Controls (SOC) as a framework for internal-control assurance reports and cybersecurity internal-control assurance reports for service organizations.

Under "SOC for Service Organization", AICPA defines three internal-control assurance reporting frameworks for service organizations (outsourcing companies): SOC 1, SOC 2 and SOC 3.

SAS 70

Statement on Auditing Standards No. 70: Service Organizations (SAS 70) was an early standard for an audit that is carried out by a third party to assess the internal controls of a service organization. It was originally intended to assess financial controls, but has since been expanded by organizations to ensure that their service providers are providing the necessary protection of digital information.

SAS 70, the Statement on Auditing Standards No. 70, is an auditing standard established by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) for evaluating the effectiveness of the internal controls of outsourcing service providers. Reports produced under SAS 70 come in two kinds, Type I and Type II. [Type I] covers the design of the internal controls related to the outsourced services. [Type II] in addition to Type I, evaluates the operating effectiveness of the internal controls over a specified period.

SIEM

SIEM: “Security Information and Event Management”

rainit2006 commented 3 years ago

Mutation testing

Mutation testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails. This technique is used to design and test software tests through mutation.

Mutation testing is a technique for measuring whether the test cases for a program are sufficient. The program under test is mechanically modified to inject bugs, and the tests are run to check whether they actually fail. Because the program being tested contains a bug, a failing test means the bug was detected. Various bugs are created and tested, and the adequacy of the test cases is measured by the bug detection rate.

manual code review

A manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code.

fuzzing

tests

Fagan testing

Fagan testing is a detailed code review that steps through planning, overview, preparation, inspection, rework, and follow-up phases. The most formal code review processes, known as Fagan inspections, follow a rigorous review and testing process with six steps:

  1. Planning
  2. Overview
  3. Preparation
  4. Inspection
  5. Rework
  6. Follow-up

rainit2006 commented 3 years ago

Nikto

An open source web server scanner.

Metasploit

Framework software for creating and executing attack code. The Metasploit automated system exploitation tool allows attackers to quickly execute common attacks against target systems.

zzuf

zzuf is a fuzzing tool. Fuzzing, as the name suggests, means that the test cases are indeterminate and fuzzy. Fuzzing essentially relies on a random function to generate random test cases; randomness means they are non-repeating and unpredictable, and may produce unexpected inputs and results. zzuf is a transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program's input. zzuf's behaviour is deterministic, which makes it easy to reproduce bugs.

sqlmap

sqlmap is a SQL injection testing tool.

OpenVAS

OpenVAS is an open-source vulnerability scanning tool that will provide a report of the vulnerabilities that it can identify from a remote, network-based scan.

rainit2006 commented 3 years ago

Syslog

Syslog is a widely used protocol for event and message logging.

Windows systems generate logs in the Windows native logging format. To send syslog events, Windows systems require a helper application or tool. Enterprise wireless access points, firewalls, and Linux systems all typically support syslog.

flows, network flows

Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management.

misuse

Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates.

rainit2006 commented 3 years ago

NIST 800-53A

Under NIST 800-53A, assessments include four components.

Specifications

Specifications are the documents associated with the system being audited. Specifications generally include policies, procedures, requirements, specifications, and designs.

Mechanisms

Mechanisms are the controls used within an information system to meet the specifications. Mechanisms may be based in hardware, software, or firmware.

Activities

Activities are the actions carried out by people within an information system. These may include performing backups, exporting log files, or reviewing account histories.

Individuals

Individuals are the people who implement specifications, mechanisms, and activities.

NIST 800-137 Information Security Continuous Monitoring (ISCM)

NIST SP 800-137 outlines the process for organizations that are establishing, implementing, and maintaining an ISCM as define, establish, implement, analyze and report, respond, review, and update.

rainit2006 commented 3 years ago

Monitoring

rainit2006 commented 3 years ago

Bluetooth active scans

Bluetooth active scans can determine both the strength of the PIN and what security mode the device is operating in. Unfortunately, Bluetooth scans can be challenging due to the limited range of Bluetooth and the prevalence of personally owned Bluetooth enabled devices. Passive Bluetooth scanning only detects active connections and typically requires multiple visits to have a chance of identifying all devices.

Passive scanning

Passive scanning can help identify rogue devices by capturing MAC address vendor IDs that do not match deployed devices, by verifying that systems match inventories of organizationally owned hardware by hardware address, and by monitoring for rogue SSIDs or connections.

Authenticated scans

Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities.

What is the difference between an authenticated scan and an unauthenticated scan? The difference is that authenticated scans allow for direct network access using remote protocols such as secure shell (SSH) or remote desktop protocol (RDP). An unauthenticated scan can examine only publicly visible information and is unable to provide detailed information about assets.

rainit2006 commented 3 years ago

Key risk indicators

Key risk indicators are used to tell those in charge of risk management how risky an activity is and how much impact changes are having on that risk profile. Identifying key risk indicators and monitoring them can help to identify high-risk areas earlier in their lifecycle.

rainit2006 commented 3 years ago

CPE, CVE, CWE

The Common Platform Enumeration (CPE) component of SCAP provides a consistent way to refer to operating systems and other system components. The Common Vulnerabilities and Exposures (CVE) component provides a consistent way to refer to security vulnerabilities. The Common Weaknesses Enumeration (CWE) component helps describe the root causes of software flaws. The Open Vulnerability and Assessment Language (OVAL) standardizes steps of the vulnerability assessment process.

CPE is one of the components of SCAP (Security Content Automation Protocol), a technical specification promoted by the US government to achieve automation and standardization of the technical aspects of information security. CPE aims to provide a common naming standard for identifying the hardware, software and other elements that make up an information system. A CPE name is composed as cpe:/{type (hardware/OS/application)}:{vendor}:{product}:{version}:{update}:{edition}:{language}.

CVE (Common Vulnerabilities and Exposures): Common vulnerability identifier. Each vulnerability is assigned a unique CVE-ID, which takes the form CVE-<year>-<sequence number>. CVE only names the vulnerability and registers summary information; detailed descriptions of the vulnerability are delegated to the vulnerability information database (NVD) described below.

JVN (Japan Vulnerability Notes): A list of vulnerability information for software used in Japan. As a rule, entries are linked to CVEs. Because it is intended for Japanese users, it is provided in Japanese.

CWE (Common Weakness Enumeration): Common weakness type list. A project, and the resulting list, for enumerating the types of vulnerabilities. Each CWE entry is assigned attributes such as a category (Category) and an abstraction level (Weakness).

CCE (Common Configuration Enumeration): Common security configuration list. Each security configuration item on a computer is assigned a number, which makes it possible to list which security items are configured. A CCE identifier is composed as CCE-<number>-<check number>.

NVD (National Vulnerability Database): A database providing detailed information on the vulnerabilities registered in CVE. It is located in the US. It scores vulnerabilities using CVSS.

OVAL (Open Vulnerability and Assessment Language): A language for performing security checks. It is written in XML. It can automate the work of verifying vulnerabilities.

CVSS (Common Vulnerability Scoring System): A general-purpose evaluation metric for vulnerabilities in information systems. It is updated as circumstances require. The current latest version is version 3.
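
Added example (my own code, not from these notes or from any SCAP tool) covering the CPE, CVE and CCE identifier formats described above: a Python parser for each format plus a CPE matcher that shows how a scanner pairs an asset inventory with an advisory's affected-product list, which goes beyond the notes. The vendor/product names, the inventory and the advisory id are constructed placeholders, not real products or a real CVE.

```python
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PARTS = {"h": "hardware", "o": "operating system", "a": "application"}
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")  # CVE-<year>-<sequence>, sequence has 4+ digits
CCE_RE = re.compile(r"^CCE-(\d+)-(\d)$")         # CCE-<number>-<check number>; shape check only

def parse_cpe(name):
    """Split a CPE 2.2 URI into named components (trailing empty ones may be omitted);
    returns None for anything that is not a well-formed name."""
    if not name.startswith("cpe:/"):
        return None
    values = name[len("cpe:/"):].split(":")
    if len(values) > len(CPE_FIELDS) or values[0] not in PARTS:
        return None
    values += [""] * (len(CPE_FIELDS) - len(values))
    return dict(zip(CPE_FIELDS, values))

def cpe_matches(installed, vulnerable):
    """True when every component present in the vulnerable name equals the installed one;
    empty components act as wildcards, so 'cpe:/a:v:p:1.0' covers every update and edition."""
    a, b = parse_cpe(installed), parse_cpe(vulnerable)
    return a is not None and b is not None and all(b[f] in ("", a[f]) for f in CPE_FIELDS)

def parse_cve(cve_id):
    """Return (year, sequence number) or None for a malformed id."""
    m = CVE_RE.match(cve_id)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_cce(cce_id):
    """Return (number, check number) or None; the check number is not recomputed here."""
    m = CCE_RE.match(cce_id)
    return (int(m.group(1)), int(m.group(2))) if m else None

# Constructed data: a placeholder advisory id (not a real CVE) with its affected CPE names,
# and a constructed inventory of installed products expressed as CPE names.
ADVISORY = {"id": "CVE-2099-12345",
            "affected": ["cpe:/a:examplevendor:exampleapp:1.0", "cpe:/o:examplevendor:exampleos"]}
INVENTORY = ["cpe:/a:examplevendor:exampleapp:1.0:sp1", "cpe:/a:examplevendor:exampleapp:2.0",
             "cpe:/o:examplevendor:exampleos:7", "cpe:/h:examplevendor:router:3"]

def affected_assets(inventory, advisory):
    """Inventory entries covered by the advisory; a malformed advisory id matches nothing."""
    if parse_cve(advisory["id"]) is None:
        return []
    return [item for item in inventory if any(cpe_matches(item, v) for v in advisory["affected"])]
```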