Software Testing
Essay by review • February 4, 2011 • Research Paper • 7,319 Words (30 Pages) • 2,470 Views
**** Software Testing Techniques ****
There are several different types of security testing. The following section describes each testing technique and provides additional information on the strengths and weaknesses of each. Some testing techniques are predominantly manual, requiring an individual to initiate and conduct the test. Other tests are highly automated and require less human involvement. Regardless of the type of testing, staff who set up and conduct security testing should have significant security and networking knowledge, including significant expertise in the following areas: network security, firewalls, intrusion detection systems, operating systems, programming and networking protocols (such as TCP/IP).
The following types of testing are described in this section:
* Network Scanning
* Vulnerability Scanning
* Password Cracking
* Log Review
* Integrity Checkers
* Virus Detection
* War Dialing
* War Driving (802.11 or wireless LAN testing)
* Penetration Testing
Often, several of these testing techniques are used together to gain a more comprehensive assessment of the overall network security posture. For example, penetration testing usually includes network scanning and vulnerability scanning to identify vulnerable hosts and services that may be targeted for later penetration. Some vulnerability scanners incorporate password cracking. None of these tests by themselves will provide a complete picture of the network or its security posture.
After running any tests, certain procedures should be followed, including documenting the test results, informing system owners of the results, and ensuring that vulnerabilities are patched or mitigated.
3.1 Roles and Responsibilities for Testing
Only designated individuals, including network administrators or individuals contracted to perform the network scanning as part of a larger series of tests, should conduct the tests described in this section. The approval for the tests may need to come from as high as the CIO depending on the extent of the testing. It would be customary for the testing organization to alert other security officers, management, and users that network mapping is taking place. Since a number of these tests mimic some of the signs of attack, the appropriate managers must be notified to avoid confusion and unnecessary expense. In some cases, it may be wise to alert local law enforcement officials if, for example, the security policy included notifying law enforcement.
3.2 Network Scanning
Network scanning involves using a port scanner to identify all hosts potentially connected to an organization's network, the network services operating on those hosts, such as the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP), and the specific application running the identified service, such as WU-FTPD for the FTP service, or Internet Information Server (IIS) and Apache for the HTTP service. The result of the scan is a comprehensive list of all active hosts and services, printers, switches, and routers operating in the address space scanned by the port-scanning tool, i.e., any device that has a network address or is accessible to any other device.
All basic scanners will identify active hosts and open ports, but some scanners provide additional information on the scanned hosts. The information gathered during this open port scan will often identify the target operating system. This process is called operating system fingerprinting. For example, if a host has TCP port 135 and 139 open, it is most likely a Windows NT or 2000 host. Other items such as the TCP packet sequence number generation and responses to ICMP packets, e.g., the TTL (Time To Live) field, also provide a clue to identifying the operating system. Operating system fingerprinting is not foolproof. Firewalls filter (block) certain ports and types of traffic, and system administrators can configure their systems to respond in nonstandard ways to camouflage the true operating system.
In addition, some scanners will assist in identifying the application running on a particular port. For example, if a scanner identifies that TCP port 80 is open on a host, it often means that the host is running a web server.
Organizations should conduct network scanning to:
* Check for unauthorized hosts connected to the organization's network,
* Identify vulnerable services,
* Identify deviations from the allowed services defined in the organization's security policy,
* Prepare for penetration testing,
* Assist in the configuration of the intrusion detection system (IDS), and
* Collect forensics evidence.
A relatively high level of human expertise is required to interpret the results. The scanning can also disrupt network operations by consuming bandwidth and slowing network response times. However, network scanning does enable an organization to maintain control of its IP address space and ensure that its hosts are configured to run only approved network services.
Network scanning results should be documented and identified deficiencies corrected. The following corrective actions may be necessary as a result of network scanning:
* Investigate and disconnect unauthorized hosts,
* Disable or remove unnecessary and vulnerable services,
* Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host level firewall or TCP wrappers), and
* Modify enterprise firewalls to restrict outside access to known vulnerable services.
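The check described above, comparing scan results against the hosts and services the security policy allows, can be automated. The following is an added example, not part of the original essay: the sample lines are constructed in the layout of Nmap's grepable (-oG) output, and the addresses and the POLICY table are hypothetical.

```python
import re

# Constructed sample in the layout of Nmap grepable (-oG) output; addresses invented.
SCAN = """\
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 10.0.0.9 ()\tPorts: 21/open/tcp//ftp///, 23/closed/tcp//telnet///
Host: 10.0.0.77 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///
Host: 10.0.0.12 ()\tStatus: Up
"""

# Hypothetical policy: authorized hosts and the (port, protocol) pairs each may expose.
POLICY = {
    "10.0.0.5": {(22, "tcp"), (80, "tcp")},
    "10.0.0.9": {(22, "tcp")},
    "10.0.0.12": set(),
    "10.0.0.20": {(25, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# Entry layout: port/state/protocol/owner/service/...; only open ports are kept.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")

def parse_scan(text):
    """Return {host: {(port, proto): service}} for every host line in the scan."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            found = hosts.setdefault(m.group(1), {})
            for port, proto, service in PORT_RE.findall(line):
                found[(int(port), proto)] = service
    return hosts

def audit(scan, policy):
    """Return sorted (host, issue, ports) findings where the scan deviates from policy."""
    findings = []
    for host, ports in scan.items():
        if host not in policy:
            findings.append((host, "unauthorized host", sorted(ports)))
        elif set(ports) - policy[host]:
            extra = sorted(set(ports) - policy[host])
            findings.append((host, "service not allowed by policy", extra))
    for host in policy.keys() - scan.keys():
        findings.append((host, "authorized host not seen in scan", []))
    return sorted(findings)

if __name__ == "__main__":
    for host, issue, ports in audit(parse_scan(SCAN), POLICY):
        print(f"{host}: {issue} {ports}")
```

Each finding maps to one of the corrective actions listed above: investigate and disconnect the unauthorized host, or disable or restrict the service that policy does not allow.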
3.3 Vulnerability Scanning
Vulnerability scanners take the concept of a port scanner to the next level. Like a port scanner, a vulnerability scanner identifies hosts and open ports, but it also provides information on the associated vulnerabilities (as opposed to relying on human interpretation of the results). Most vulnerability scanners also attempt to provide information on mitigating discovered vulnerabilities.
Vulnerability scanners provide system and network administrators with proactive
...
...