Technical Guide to Information Security Testing and Assessment

Technical Guide to Information Security Testing and Assessment

Special Publication 800-115 Technical Guide to Information Security Testing and Assessment Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Amanda Cody Angela Orebaugh NIST Special Publication 800-115 Technical Guide to Information Security Testing and Assessment Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Amanda Cody Angela Orebaugh C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2008 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Deputy Director TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology (IT). ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-115 Natl. Inst. Stand. Technol. Spec. Publ. 800-115, 80 pages (Sep. 2008) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. ii TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Acknowledgements The authors, Karen Scarfone and Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Amanda Cody and Angela Orebaugh of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge John Connor, Tim Grance, Blair Heiserman, Arnold Johnson, Richard Kissel, Ron Ross, Matt Scholl, and Pat Toth of NIST and Steve Allison, Derrick Dicoi, Daniel Owens, Victoria Thompson, Selena Tonti, Theodore Winograd, and Gregg Zepp of Booz Allen Hamilton for their keen and insightful assistance throughout the development of the document. The authors appreciate all the feedback provided during the public comment period, especially by Marshall Abrams, Karen Quigg, and others from MITRE Corporation; William Mills of SphereCom Enterprises; and representatives from the Financial Management Service (Department of the Treasury) and the Department of Health and Human Services (HHS). Trademark Information All names are registered trademarks or trademarks of their respective companies. iii TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Table of Contents Executive Summary..............................................................................................................ES-1 1. Introduction ......................................................................................................................1-1 1.1 Authority...................................................................................................................1-1 1.2 Purpose and Scope .................................................................................................1-1 1.3 Audience ..................................................................................................................1-1 1.4 Document Structure .................................................................................................1-2 2. Security Testing and Examination Overview ................................................................2-1 2.1 Information Security Assessment Methodology.......................................................2-1 2.2 Technical Assessment Techniques .........................................................................2-2 2.3 Comparing Tests and Examinations ........................................................................2-3 2.4 Testing Viewpoints...................................................................................................2-4 2.4.1 External and Internal ....................................................................................2-4 2.4.2 Overt and Covert ..........................................................................................2-5 3. Review Techniques..........................................................................................................3-1 3.1 Documentation Review ............................................................................................3-1 3.2 Log Review ..............................................................................................................3-1 3.3 Ruleset Review ........................................................................................................3-2 3.4 System Configuration Review..................................................................................3-3 3.5 Network Sniffing.......................................................................................................3-4 3.6 File Integrity Checking .............................................................................................3-4 3.7 Summary..................................................................................................................3-5 4. Target Identification and Analysis Techniques.............................................................4-1 4.1 Network Discovery ...................................................................................................4-1 4.2 Network Port and Service Identification ...................................................................4-3 4.3 Vulnerability Scanning .............................................................................................4-4 4.4 Wireless Scanning ...................................................................................................4-6 4.4.1 Passive Wireless Scanning ..........................................................................4-8 4.4.2 Active Wireless Scanning .............................................................................4-9 4.4.3 Wireless Device Location Tracking ..............................................................4-9 4.4.4 Bluetooth Scanning ....................................................................................4-10 4.5 Summary................................................................................................................4-10 5. Target Vulnerability Validation Techniques ..................................................................5-1 5.1 Password Cracking ..................................................................................................5-1 5.2 Penetration Testing..................................................................................................5-2 5.2.1 Penetration Testing Phases .........................................................................5-2 5.2.2 Penetration Testing Logistics .......................................................................5-5 5.3 Social Engineering ...................................................................................................5-6 5.4 Summary..................................................................................................................5-7 6. Security Assessment Planning.......................................................................................6-1 6.1 Developing a Security Assessment Policy...............................................................6-1 6.2 Prioritizing and Scheduling Assessments ................................................................6-1 6.3 Selecting and Customizing Techniques...................................................................6-3 iv TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT 6.4 Assessment Logistics ..............................................................................................6-4 6.4.1 Assessor Selection and Skills.......................................................................6-5 6.4.2 Location Selection ........................................................................................6-6 6.4.3 Technical Tools and Resources Selection ...................................................6-8 6.5 Assessment Plan Development .............................................................................6-10 6.6 Legal Considerations .............................................................................................6-12 6.7 Summary................................................................................................................6-12 7. Security Assessment Execution.....................................................................................7-1

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    80 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us