Network Security Testing
CS 155
Elie Bursztein

Why testing security
• Get a snapshot of the current security
• Evaluate the capacity to face intrusion
• Test backup plan

SCOPE

OSSTMM

OSSTMM 3.0 LITE - Introduction to the Open Source Security Testing Methodology Manual, 3 August 2008

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for a thorough security test, here referred to as an OSSTMM audit. An OSSTMM audit is an accurate measurement of security at an operational level that is clear of assumptions and anecdotal evidence. As a methodology it is designed to be consistent and repeatable. As an open source methodology, it allows for free dissemination of information and intellectual property.

Since its start at the end of 2000, the OSSTMM quickly grew to encompass all security channels with the applied experience of thousands of reviewers. By 2005, the OSSTMM was no longer considered just an ethical hacking framework. It had become a methodology to assure security was being done right at the operational level. As audits became mainstream, the need for a solid methodology became critical. In 2006, the OSSTMM changed from defining tests based on solutions such as firewall tests and router tests to a standard for those who needed a reliable security test rather than just a compliance report for a specific regulation or legislation.

With Version 3, the OSSTMM encompasses tests from all channels - Human, Physical, Wireless, Telecommunications, and Data Networks. A set of security metrics, called Risk Assessment Values (RAVs), provide a powerful tool that can provide a graphical representation of state, and show changes in state over time. This integrates well with a "dashboard" for management and is beneficial for both internal and external testing, allowing a comparison/combination of the two. Quantitative Risk Management can be done from the OSSTMM Audit report findings, providing a much improved result due to more accurate, error free results. The OSSTMM includes information for project planning, quantifying results, and the rules of engagement for performing security audits. The methodology can be easily integrated with existing laws and policies to assure a thorough security audit through all channels.

It is recommended that you read through the OSSTMM once completely before putting it into practice. It aims to be a straight-forward tool for the implementation and documentation of a security test. Further assistance for those who need help in understanding and implementing this methodology is available at the ISECOM website.

Purpose

The primary purpose of this manual is to provide a scientific methodology for the accurate characterization of security through examination and correlation of test results in a consistent and reliable way. This manual is adaptable to almost any audit type, including penetration tests, ethical hacking, security assessments, vulnerability assessments, red-teaming, blue-teaming, and so forth. It is written as a security research document and is designed for factual security verification and presentation of metrics on a professional level.

Creative Commons 2.5 Attribution-NonCommercial-NoDerivs 200?-2008, ISECOM. OSSTMM Certification for Auditors, Analysts, and Security Professionals - www.isecom.org, www.osstmm.org

Results
• Date / type
• Duration
• Auditor and analyst associated
• Test type
• Scope
• Test index
• Channel test
• Test vector
• Verified test and metrics calculations of the operational protection levels, loss controls, and security limitations
• Knowledge of which tests have been completed, not completed, or only partially completed, and to what extent
• Any issues regarding the test and the validity of the results
• Test error margins
• Any processes which influence the security limitations
• Any unknowns or anomalies