Technical guide to information security testing and ... - NIST

1 Special Publication 800-115 Technical guide to information security testing and Assessment Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Amanda Cody Angela Orebaugh Technical guide to information security testing and Assessment Recommendations of the National Institute of Standards and Technology Karen Scarfone Murugiah Souppaya Amanda Cody Angela Orebaugh NIST Special Publication 800-115 C O M P U T E R S E C U R I T YComputer security Division information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2008 Department of Commerce Carlos M.

2 Gutierrez, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Deputy Director Technical guide TO information security testing AND ASSESSMENT Reports on Computer Systems Technology The information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing Technical leadership for the nation s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and Technical analysis to advance the development and productive use of information technology (IT).

3 ITL s responsibilities include the development of Technical , physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.

4 Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. National Institute of Standards and Technology Special Publication 800-115 Natl. Inst. Stand. Technol. Spec. Publ. 800-115, 80 pages (Sep. 2008) iiTECHNICAL guide TO information security testing AND ASSESSMENT Acknowledgements The authors, Karen Scarfone and Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Amanda Cody and Angela Orebaugh of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its Technical content.

5 The authors would like to acknowledge John Connor, Tim Grance, Blair Heiserman, Arnold Johnson, Richard Kissel, Ron Ross, Matt Scholl, and Pat Toth of NIST and Steve Allison, Derrick Dicoi, Daniel Owens, Victoria Thompson, Selena Tonti, Theodore Winograd, and Gregg Zepp of Booz Allen Hamilton for their keen and insightful assistance throughout the development of the document. The authors appreciate all the feedback provided during the public comment period, especially by Marshall Abrams, Karen Quigg, and others from MITRE Corporation; William Mills of SphereCom Enterprises; and representatives from the Financial Management Service (Department of the Treasury) and the Department of Health and Human Services (HHS).

6 Trademark information All names are registered trademarks or trademarks of their respective companies. iiiTECHNICAL guide TO information security testing AND ASSESSMENT Table of Contents Executive ES-1 1. Authority ..1-1 Purpose and Document 2. security testing and Examination information security Assessment Methodology ..2-1 Technical Assessment Comparing Tests and testing External and Overt and 3. Review Documentation Log Ruleset System Configuration Network File Integrity 4. Target Identification and Analysis Network Network Port and Service Vulnerability Scanning.

7 4-4 Wireless Passive Wireless Active Wireless Wireless Device Location Bluetooth 5. Target Vulnerability Validation Password Penetration Penetration testing Penetration testing Social 6. security Assessment Developing a security Assessment Prioritizing and Scheduling Selecting and Customizing ivTECHNICAL guide TO information security testing AND ASSESSMENT Assessment Assessor Selection and Location Technical Tools and Resources Assessment Plan Development ..6-10 Legal Considerations ..6-12 7.

8 security Assessment Data Handling ..7-4 Data Data Data Data 8. Post- testing Mitigation Reporting ..8-1 Remediation/Mitigation ..8-2 List of Appendices Appendix A Live CD Distributions for security A-1 Appendix B Rules of Engagement Template .. B-1 Appendix C Application security testing and C-1 Appendix D Remote Access D-1 Appendix E E-1 Appendix F F-1 Appendix G Acronyms and G-1 List of Tables Table 3-1. Review Techniques ..3-5 Table 3-2. Baseline Skill Set for Review Techniques ..3-5 Table 4-1. Target Identification and Analysis Techniques.

9 4-10 Table 4-2. Baseline Skill Set for Target Identification and Analysis Techniques ..4-11 vTECHNICAL guide TO information security testing AND ASSESSMENT Table 5-1. Target Vulnerability Validation Techniques ..5-7 Table 5-2. security testing Knowledge, Skills, and Abilities ..5-7 Table A-1. BackTrack Toolkit A-1 Table A-2. Knoppix STD Toolkit Sample .. A-2 Table E-1. Related NIST E-1 Table E-2. Online Resources ..E-1 List of Figures Figure 5-1. Four-Stage Penetration testing Methodology ..5-3 Figure 5-2. Attack Phase Steps with Loopback to Discovery Phase.

10 5-4 viTECHNICAL guide TO information security testing AND ASSESSMENT Executive Summary An information security assessment is the process of determining how effectively an entity being assessed ( , host, system, network, procedure, person known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this testing , examination, and interviewing. testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.