
Security Testing Kevin Brey, Ryan Clark, Luke Joswiak, Jeff Lawinger, Jake Lokkesmoe.


1 Security Testing Kevin Brey, Ryan Clark, Luke Joswiak, Jeff Lawinger, Jake Lokkesmoe

2 Security Testing
● Availability Testing - Luke
● Authentication Testing - Jeff
● Confidentiality Testing - Kevin
● Penetration Testing - Jake
● Integrity Testing - Ryan

3 Availability
● Make sure the system is available to authorized users whenever they want to use it.
● The only exception is planned maintenance, which should be kept to a minimum.

4 MSDN Testing for Availability
● “Running an application for planned period of time, collecting failure events and repair times, compare availability percentage to original service level agreement” (MSDN)
● “Primarily concerned with measuring and minimizing actual repair time.” (MSDN)
● Availability (%) = MTBF / (MTBF + MTTR) × 100, where MTBF is the Mean Time Between Failures and MTTR is the Mean Time To Repair.
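The MSDN procedure on this slide, carried through on a constructed incident log, as an added example (not part of the slides or of MSDN's material). The three outages, the one-month observation window and the 99.9 % SLA target are all assumptions made for the example; the functions compute MTBF, MTTR and the availability percentage with the slide's formula and compare it to the target, including the downtime budget the SLA actually allows and the edge case of a window with no failures.

```python
from datetime import datetime

# Constructed incident log for a hypothetical service: (failure detected, service restored).
INCIDENTS = [
    (datetime(2024, 3, 2, 1, 15), datetime(2024, 3, 2, 1, 45)),    # 30 min outage
    (datetime(2024, 3, 10, 14, 0), datetime(2024, 3, 10, 16, 0)),  # 2 h outage
    (datetime(2024, 3, 25, 9, 30), datetime(2024, 3, 25, 9, 40)),  # 10 min outage
]
OBSERVATION_START = datetime(2024, 3, 1)
OBSERVATION_END = datetime(2024, 4, 1)    # 31 days = 744 h observation window
SLA_TARGET_PERCENT = 99.9                  # assumed contractual target


def _hours(delta):
    return delta.total_seconds() / 3600


def total_downtime_hours(incidents):
    return sum(_hours(end - start) for start, end in incidents)


def mttr_hours(incidents):
    """Mean Time To Repair: average outage length (0 when nothing failed)."""
    if not incidents:
        return 0.0
    return total_downtime_hours(incidents) / len(incidents)


def mtbf_hours(incidents, start, end):
    """Mean Time Between Failures: total uptime in the window per failure."""
    window = _hours(end - start)
    if not incidents:
        return window
    return (window - total_downtime_hours(incidents)) / len(incidents)


def availability_percent(mtbf, mttr):
    """The slide's formula; algebraically the same as uptime / window * 100."""
    return mtbf / (mtbf + mttr) * 100


def downtime_budget_hours(window_hours, target_percent):
    """How much outage the SLA permits over the observation window."""
    return window_hours * (1 - target_percent / 100)


def check_sla(incidents, start, end, target_percent):
    """Collect the numbers an availability test report would contain."""
    mtbf = mtbf_hours(incidents, start, end)
    mttr = mttr_hours(incidents)
    avail = availability_percent(mtbf, mttr)
    return {
        "mtbf_h": mtbf,
        "mttr_h": mttr,
        "availability": avail,
        "downtime_h": total_downtime_hours(incidents),
        "budget_h": downtime_budget_hours(_hours(end - start), target_percent),
        "meets_sla": avail >= target_percent,
    }


if __name__ == "__main__":
    result = check_sla(INCIDENTS, OBSERVATION_START, OBSERVATION_END, SLA_TARGET_PERCENT)
    for name, value in result.items():
        print(f"{name:>13}: {value:.3f}" if isinstance(value, float) else f"{name:>13}: {value}")
```

With these inputs the service was down 2.67 h against a budget of 0.74 h, so availability comes out at about 99.64 % and the SLA check fails even though the single longest outage was only two hours; this is the kind of comparison the MSDN quote describes.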

5 Backup for Failure
● Keep a backup site on a separate server.
● Test that recovery and changeover to the backup happen correctly when part of the system fails. (MSDN)

6 Database Mirroring (diagram: Website, Primary Database, Secondary Database)

7 Strategies
● Availability testing should be an integral part of the testing process.
● Plan for it before code is written (during the SDLC).
● Track tests and bugs in bug-tracking software.

8 Authentication Testing
Authentication Definition:
● To establish as genuine. (Dictionary.com)
● Authentication verifies that a claimed identity is genuine. It is distinct from access control (authorization), which decides what an authenticated user is allowed to do.
Sources:
● “Testing for authentication - OWASP” @ www.owasp.org/index.php/Testing_for_authentication
● “Security Testing” @ https://en.wikipedia.org/wiki/Security_testing

9 Authentication Testing
Test For:
1. Default Credentials
2. Weak Lock-out
3. “Remember Password” Vulnerabilities
4. Authentication Bypasses
5. Weak Security Questions
6. Weak Password Reset Functionality
7. Alternate Channel Weaknesses

10 Authentication Testing
Test for Default Credentials:
● Force a password change on first use of any default or provisioned account
● Check the code for hard-coded passwords left over from unit/integration testing
Test for Weak Lock-outs:
● Lock the account after a small number of failed attempts (3-5 tries maximum)
● A lock-out that lasts a few minutes is enough to stop online guessing; a permanent lock-out also lets an attacker deliberately lock legitimate users out, so prefer a temporary lock-out

11 Authentication Testing
Test for “Remember Password” Vulnerabilities
● Browsers cache passwords
● Don't store the password in a cookie; a cookie that holds the password (even encoded) is as good as the password itself
Test for Bypass of Authentication
● Request a protected page directly by URL and see whether the application skips the login
● Check whether executing an unprotected component grants access to a protected one
● After the user “logs out”, does the Back button (or replaying the old session token) still show protected content? The session must be invalidated on the server, not just in the browser

12 Authentication Testing
Test for Weak Security Questions
● Challenge questions often have answers that are easy to guess or to look up
● Don't let users create their own questions; they tend to pick trivial ones
Test for Weak Password Reset Functionality
● Is the new password (or a reset link) sent by email? Is the reset token random, single-use and time-limited, or can it be guessed?
Test Authentication via Alternate Channels
● All platforms (web, mobile, API) must enforce the same strength of authentication; an attacker will use the weakest one
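Three of the checks from slides 10 and 11 (default credentials, weak lock-out, and the log-out/Back-button bypass) turned into runnable tests, as an added example that is not part of the slides. The `Authenticator` class is a hypothetical in-memory login service written here only so the checks have something to run against; in a real engagement the checks would drive the application under test instead. The account names, passwords, 5-attempt limit and 15-minute lock-out are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # slide 10: 3-5 attempts maximum
LOCKOUT = timedelta(minutes=15)   # temporary lock-out, not permanent
PBKDF2_ROUNDS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Authenticator:
    """Hypothetical in-memory login service standing in for the system under test."""

    def __init__(self):
        self.users = {}      # name -> account record
        self.sessions = {}   # session token -> user name

    def add_user(self, name, password, must_change=False):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt),
                            "must_change": must_change, "failures": 0, "locked_until": None}

    def login(self, name, password, now):
        """Return (session_token, status). Unknown user, wrong password and locked
        account all answer "invalid" so the response does not reveal which it was."""
        user = self.users.get(name)
        if user is None:
            return None, "invalid"
        if user["locked_until"] is not None and now < user["locked_until"]:
            return None, "invalid"
        if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked_until"] = now + LOCKOUT
                user["failures"] = 0
            return None, "invalid"
        user["failures"] = 0
        if user["must_change"]:
            return None, "password_change_required"   # default credential: no session yet
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token, "ok"

    def logout(self, token):
        self.sessions.pop(token, None)   # invalidate server-side, not just in the browser

    def protected_page(self, token):
        return "secret page" if token in self.sessions else "redirect to login"


# --- the checks from the slides; each returns True when the system passes ---

def check_default_credentials(auth, now):
    """A factory-default account must not yield a session until its password is changed."""
    token, status = auth.login("admin", "admin", now)
    return token is None and status == "password_change_required"


def check_lockout(auth, now):
    """After MAX_FAILURES bad passwords even the right one is refused, until the lock-out expires."""
    for _ in range(MAX_FAILURES):
        auth.login("alice", "not-her-password", now)
    token, _ = auth.login("alice", "correct horse battery staple", now)
    after = now + LOCKOUT + timedelta(seconds=1)
    later_token, _ = auth.login("alice", "correct horse battery staple", after)
    return token is None and later_token is not None


def check_logout_then_back_button(auth, now):
    """Replaying a token after log-out (what the Back button does) must not work."""
    token, _ = auth.login("bob", "bob-password-2024", now)
    before = auth.protected_page(token)
    auth.logout(token)
    return before == "secret page" and auth.protected_page(token) == "redirect to login"


def run_checks():
    auth = Authenticator()
    auth.add_user("admin", "admin", must_change=True)     # constructed default credential
    auth.add_user("alice", "correct horse battery staple")
    auth.add_user("bob", "bob-password-2024")
    now = datetime(2024, 1, 1, 12, 0)
    return {
        "default_credentials": check_default_credentials(auth, now),
        "lockout": check_lockout(auth, now),
        "logout": check_logout_then_back_button(auth, now),
    }


if __name__ == "__main__":
    for name, passed in run_checks().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Each check is written so that it fails against the obvious weak implementation: a service that hands out a session for `admin/admin`, one that never locks (or locks forever), or one whose log-out only clears the browser cookie while the token stays valid on the server.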

13 Confidentiality Testing
● Ensure sensitive data can be accessed by those authorized, and only by those authorized
● Sensitive data: any data that must be protected in memory, over the network, or in persistent stores

14 Enforcing Confidentiality
● Encryption
● Access Control Lists (ACL)

15 Encryption
● Used to protect sensitive data in a message
● Unencrypted data (plaintext) is converted to encrypted data (ciphertext) and decrypted back to plaintext when needed
● Data is encrypted with a published algorithm and a secret cryptographic key; the security rests on the key, not on hiding the algorithm
● Keys, and any “random” values the scheme needs (IVs, nonces, salts), must come from a cryptographically strong random source

16 Encryption
● Encryption depends on keys that are secret and unpredictable
● By nature, computers are not random; they use a pseudorandom number generator (PRNG), which is only as unpredictable as its seed
● Detect a weak PRNG by inspection:
○ What physical events (or OS entropy sources) are gathered as seed material?
○ Why are these “random”, i.e. how much entropy do they actually carry?
○ How are they mixed into the generator, and is the generator one designed for cryptographic use rather than a statistical one (a linear congruential generator or Mersenne Twister)?
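What “weak PRNG” costs in practice, as an added example not taken from the slides: `weak_key` is a hypothetical key generator written here that seeds Python's Mersenne Twister (`random`) with a clock value, and `recover_weak_key` plays the attacker who knows only roughly when the key was made. The timestamp and the one-hour uncertainty window are constructed for the example; `strong_key` shows the correct alternative, drawing the key from the OS CSPRNG via `secrets`.

```python
import random
import secrets

KEY_BITS = 128


def weak_key(seed):
    """Key drawn from Python's Mersenne Twister seeded with a clock value (do not do this).
    random.Random is a statistical generator: same seed, same 'key', every time."""
    return random.Random(seed).getrandbits(KEY_BITS)


def strong_key():
    """Key from the OS cryptographic random source (os.urandom under the hood)."""
    return secrets.token_bytes(KEY_BITS // 8)


def recover_weak_key(target_key, approx_time, window):
    """Attacker's view: the key was generated within +/- window seconds of approx_time.
    Replay every candidate seed until the PRNG reproduces the key. Returns the seed or None."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_key(seed) == target_key:
            return seed
    return None


def candidate_seeds(window):
    """Size of the attacker's search space for a clock seed (versus 2**KEY_BITS for a real key)."""
    return 2 * window + 1


def demo():
    generated_at = 1_700_000_000                 # constructed Unix timestamp of key generation
    key = weak_key(generated_at)
    # The attacker only knows roughly when the key was made (to within an hour).
    seed = recover_weak_key(key, generated_at + 1234, window=3600)
    return {
        "recovered_seed": seed,
        "key_recovered": seed is not None and weak_key(seed) == key,
        "search_space": candidate_seeds(3600),
        "key_space": 2 ** KEY_BITS,
    }


if __name__ == "__main__":
    print(demo())
    print("strong key:", strong_key().hex())
```

The 128-bit output size is irrelevant here: the attacker never searches the key space, only the few thousand possible seeds, which is exactly what the “what events are gathered and how much entropy do they carry” inspection on the slide is meant to catch.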

17 Access Control Lists
● A list of permissions attached to an object, stating which principals may perform which operations on it
● How restrictive the list should be depends on impact factors:
○ How much data could be disclosed?
○ How sensitive is this data?

18 Access Restrictions
Access to high-security information may require training on best practices for keeping data secure, because technical controls fail when people work around them.
● Passwords
○ Sony - credentials kept in a spreadsheet named passwords.xlsx
● Phishing
○ Wall Street - FIN4, a group that phished executives and advisers for market-moving information

19 Penetration Testing
● An attack on a computer system with the intention of finding and exploiting security weaknesses.
● Unlike a simple security assessment or “vulnerability scan,” a penetration test tries to prove (or disprove) real-world attack vectors against a system.

20 Penetration Testing Methods
● May involve automated tools and processes
● But the focus is on the individual tester or team of testers
○ Even highly automated, well-resourced networks with sophisticated countermeasures are often vulnerable to a creative human attacker who chains findings in ways automated tools do not.

21 Reasons for Penetration Testing
● Determine the feasibility of a set of attack vectors.
● Identify high-risk vulnerabilities that result from a combination of multiple low-risk vulnerabilities.
● Identify vulnerabilities that cannot be detected by automated software.
● Assess the magnitude of potential attack impacts.
○ How much data can be compromised?
● Test the ability of network defenders to detect and respond to attacks.

22 Strategies for Penetration Testing
● Hire the right team
○ The last thing you want after a penetration test is a report with no actionable results
● Black-box vs. white-box
○ Giving the testers the code (white-box) helps them find weaknesses faster, but it may also anchor their thinking to what the code shows instead of what an outside attacker would try
● Schedule properly
○ Testing can crash or degrade systems; run it when the target is allowed to be unavailable and make sure operations knows it is happening

23 Integrity Testing
● Ensures that information the system stores or receives is not altered by unauthorized parties (or by accident), whether in transit or at rest.
Sources:
● “Integrity” @ http://searchdatacenter.techtarget.com/definition/integrity
● “Confidentiality, Integrity, & Availability (CIA)” @ http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

24 Possible Sources for a Loss in Integrity
● Physical environment of network terminals and servers.
● Access to data.
● Authentication practices.
● Environmental hazards from heat, dust, and electrical surges.

25 Practices to Protect Data Integrity
● Servers (consoles and administrative interfaces) can only be accessed by network administrators.
● Cover and lock cables and connectors to protect against tampering.
● Use version control so that accidental changes and deletions by authorized users can be detected and reverted.

26 Other Practices
● Use checksums to verify integrity.
● Keep backups so that affected data can be restored.
● Non-human causes: have ways of detecting power surges, electromagnetic pulse (EMP) and server crashes.
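The checksum practice from this slide, worked through as an added example that is not part of the slides: a baseline manifest of SHA-256 checksums for a set of files (the file contents are constructed stand-ins for what a server holds), a verification pass that reports changed, removed and added files, and, because a keyless checksum only catches accidental corruption, an HMAC tag for the in-transit case from slide 23 where the alteration is deliberate. The file paths, contents and message are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for files on a server: path -> contents.
FILES = {
    "/etc/app/config.yaml": b"listen: 0.0.0.0:8443\n",
    "/var/www/index.html": b"<html>hello</html>\n",
}


def build_manifest(files):
    """Baseline: one SHA-256 checksum per file, as a file-integrity monitor would record."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_manifest(manifest, files):
    """Paths whose content changed since the baseline, plus files removed or added."""
    changed = []
    for path in set(manifest) | set(files):
        if path not in files or path not in manifest:
            changed.append(path)
        elif hashlib.sha256(files[path]).hexdigest() != manifest[path]:
            changed.append(path)
    return sorted(changed)


# A plain checksum catches accidental corruption (disk errors, a bad copy), but an
# attacker who can rewrite the data can recompute the checksum too, so the baseline
# must live somewhere the attacker cannot write. For data in transit the receiver
# instead checks a tag keyed with a secret the attacker does not have (HMAC).

def make_tag(message, key):
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(message, key, received_tag):
    # constant-time comparison: a plain == leaks timing information about the tag
    return hmac.compare_digest(make_tag(message, key), received_tag)


def demo_transit():
    key = secrets.token_bytes(32)               # shared beforehand by sender and receiver
    original = b"transfer 100 to account 42"    # constructed message
    tag = make_tag(original, key)
    tampered = b"transfer 900 to account 42"    # altered in transit, tag replayed unchanged
    return {
        "original_accepted": verify_tag(original, key, tag),
        "tampered_accepted": verify_tag(tampered, key, tag),
    }


if __name__ == "__main__":
    baseline = build_manifest(FILES)
    current = dict(FILES)
    current["/var/www/index.html"] = b"<html>hello<script src='//evil.example/x.js'></script></html>\n"
    print("changed since baseline:", verify_manifest(baseline, current))
    print(demo_transit())
```

The manifest check is the at-rest half of the slide (run it from read-only media or a separate host so the baseline itself cannot be edited by whoever edited the files); the HMAC check is the in-transit half, and the failed verification of the tampered message is the detection the slide's “verify integrity” bullet is after.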

27 Questions?
● Availability Testing - Luke
● Authentication Testing - Jeff
● Confidentiality Testing - Kevin
● Penetration Testing - Jake
● Integrity Testing - Ryan

