Technical Guide To Information Security Testing And Assessment


NIST Special Publication 800-115
Technical Guide to Information Security Testing and Assessment
Recommendations of the National Institute of Standards and Technology

Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh

COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

September 2008

U.S. Department of Commerce
Carlos M. Gutierrez, Secretary
National Institute of Standards and Technology
Dr. Patrick D. Gallagher, Deputy Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology (IT). ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-115
Natl. Inst. Stand. Technol. Spec. Publ. 800-115, 80 pages (Sep. 2008)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors, Karen Scarfone and Murugiah Souppaya of the National Institute of Standards and Technology (NIST) and Amanda Cody and Angela Orebaugh of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors would like to acknowledge John Connor, Tim Grance, Blair Heiserman, Arnold Johnson, Richard Kissel, Ron Ross, Matt Scholl, and Pat Toth of NIST and Steve Allison, Derrick Dicoi, Daniel Owens, Victoria Thompson, Selena Tonti, Theodore Winograd, and Gregg Zepp of Booz Allen Hamilton for their keen and insightful assistance throughout the development of the document. The authors appreciate all the feedback provided during the public comment period, especially by Marshall Abrams, Karen Quigg, and others from MITRE Corporation; William Mills of SphereCom Enterprises; and representatives from the Financial Management Service (Department of the Treasury) and the Department of Health and Human Services (HHS).

Trademark Information

All names are registered trademarks or trademarks of their respective companies.

Table of Contents

Executive Summary ... ES-1
1. Introduction ... 1-1
  1.1 Purpose and Scope ... 1-1
  1.2 Audience ... 1-1
  1.3 Document Structure ... 1-2
2. Security Testing and Examination Overview ... 2-1
  2.1 Information Security Assessment Methodology ... 2-1
  2.2 Technical Assessment Techniques ... 2-2
  2.3 Comparing Tests and Examinations ... 2-3
  2.4 Testing Viewpoints ... 2-4
    2.4.1 External and Internal ... 2-4
    2.4.2 Overt and Covert ... 2-5
3. Review Techniques ... 3-1
  3.1 Documentation Review ... 3-1
  3.2 Log Review ... 3-1
  3.3 Ruleset Review ... 3-2
  3.4 System Configuration Review ... 3-3
  3.5 Network Sniffing ... 3-4
  3.6 File Integrity Checking ... 3-4
  3.7 Summary ... 3-5
4. Target Identification and Analysis Techniques ... 4-1
  4.1 Network Discovery ... 4-1
  4.2 Network Port and Service Identification ... 4-3
  4.3 Vulnerability Scanning ... 4-4
  4.4 Wireless Scanning ... 4-6
    4.4.1 Passive Wireless Scanning ... 4-8
    4.4.2 Active Wireless Scanning ... 4-9
    4.4.3 Wireless Device Location Tracking ... 4-9
    4.4.4 Bluetooth Scanning ... 4-10
  4.5 Summary ... 4-10
5. Target Vulnerability Validation Techniques ... 5-1
  5.1 Password Cracking ... 5-1
  5.2 Penetration Testing ... 5-2
    5.2.1 Penetration Testing Phases ... 5-2
    5.2.2 Penetration Testing Logistics ... 5-5
  5.3 Social Engineering ... 5-6
  5.4 Summary ... 5-7
6. Security Assessment Planning ... 6-1
  6.1 Developing a Security Assessment Policy ... 6-1
  6.2 Prioritizing and Scheduling Assessments ... 6-1
  6.3 Selecting and Customizing Techniques ... 6-3
  6.4 Assessment Logistics ... 6-4
    6.4.1 Assessor Selection and Skills ... 6-5
    6.4.2 Location Selection ... 6-6
    6.4.3 Technical Tools and Resources Selection ... 6-8
  6.5 Assessment Plan Development ... 6-10
  6.6 Legal Considerations
7. Security Assessment Execution ... 7-1
  7.3 Analysis ... 7-3
  7.4 Data Handling ... 7-4
    7.4.1 Data Collection ... 7-5
    7.4.2 Data Storage ... 7-5
    7.4.3 Data Transmission ... 7-6
    7.4.4 Data Destruction ... 7-7
8. Post-Testing Activities ... 8-1
  8.1 Mitigation Recommendations ... 8-1
  8.2 Reporting ... 8-1
  8.3 Remediation/Mitigation ... 8-2

List of Appendices

Appendix A—Live CD Distributions for Security Testing ... A-1
Appendix B—Rules of Engagement Template ... B-1
Appendix C—Application Security Testing and Examination ... C-1
Appendix D—Remote Access Testing ... D-1
Appendix E—Resources ... E-1
Appendix F—Glossary ... F-1
Appendix G—Acronyms and Abbreviations ... G-1

List of Tables

Table 3-1. Review Techniques ... 3-5
Table 3-2. Baseline Skill Set for Review Techniques ... 3-5
Table 4-1. Target Identification and Analysis Techniques ... 4-10
Table 4-2. Baseline Skill Set for Target Identification and Analysis Techniques ... 4-11
Table 5-1. Target Vulnerability Validation Techniques ... 5-7
Table 5-2. Security Testing Knowledge, Skills, and Abilities ... 5-7
Table A-1. BackTrack Toolkit Sample ... A-1
Table A-2. Knoppix STD Toolkit Sample ... A-2
Table E-1. Related NIST Documents ... E-1
Table E-2. Online Resources ... E-1

List of Figures

Figure 5-1. Four-Stage Penetration Testing Methodology ... 5-3
Figure 5-2. Attack Phase Steps with Loopback to Discovery Phase ... 5-4

Executive Summary

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more a
