Security control testing can include testing of the physical facility, logical systems and applications. Here are the common testing methods:
- Vulnerability assessment. The goal of a vulnerability assessment is to identify elements in an environment that are not adequately protected. This does not always have to be from a technical perspective; you can also assess the vulnerability of physical security or the external reliance on power, for instance. These assessments can include personnel testing, physical testing, system and network testing, and other facilities tests.
- Penetration testing. A penetration test is a purposeful attack on systems to attempt to bypass automated controls. The goal of a penetration test is to uncover weaknesses in security so they can be addressed to mitigate risk. Attack techniques can include spoofing, bypassing authentication, privilege escalation and more. Like vulnerability assessments, penetration testing does not have to be purely logical. For example, you can use social engineering to try to gain physical access to a building or system.
- Log reviews. IT systems can log anything that occurs on the system, including access attempts and authorizations. The most obvious log entries to review are any series of “deny” events, since someone is attempting to access something that they don’t have permissions for. It’s more difficult to review successful events, since there are generally thousands of them, and almost all of them follow existing policies. However, it can be important to show that someone or something did indeed access a resource that they weren’t supposed to, either by mistake or through privilege escalation. A procedure and software to facilitate frequent review of logs is essential.
- Synthetic transactions. While user monitoring captures actual user actions in real time, synthetic — scripted or otherwise artificial — transactions can be used to test system performance or security.
- Code review and testing. Security controls are not limited to IT systems. The application development lifecycle must also include code review and testing for security controls. These reviews and controls should be built into the process just as unit tests and function tests are; otherwise, the application is at risk of being insecure.
- Misuse case testing. Software and systems can both be tested for use for something other than their intended purpose. From a software perspective, this could be to reverse engineer the binaries or to access other processes through the software. From an IT perspective, this could be privilege escalation, sharing passwords and accessing resources that should be denied.
- Test coverage analysis. You should be aware of the following coverage testing types:
  - Black box testing. The tester has no prior knowledge of the environment being tested.
  - White box testing. The tester has full knowledge prior to testing.
  - Dynamic testing. The system that is being tested is monitored during the test.
  - Static testing. The system that is being tested is not monitored during the test.
  - Manual testing. Testing is performed manually by humans.
  - Automated testing. A script performs a set of actions.
  - Structural testing. This can include statement, decision, condition, loop and data flow coverage.
  - Functional testing. This includes normal and anti-normal tests of the reaction of a system or software. Anti-normal testing goes through unexpected inputs and methods to validate functionality, stability and robustness.
  - Negative testing. This test purposely uses the system or software with invalid or harmful data, and verifies that the system responds appropriately.
- Interface testing. This can include the server interfaces, as well as internal and external interfaces. The server interfaces include the hardware, software and networking infrastructure to support the server. For applications, external interfaces can be a web browser or operating system, and internal components can include plug-ins, error handling and more. You should be aware of the different testing types for each system.
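The log review item above makes two points: a run of "deny" events for one principal is the obvious thing to look for, while a successful access that policy says should never have happened is the harder one. The following is an added example, not part of the study guide, showing both checks run over a small set of constructed log lines. The log format (`timestamp user action resource result`) and the `POLICY` table are assumptions made for the illustration.

```python
"""Log review helper: flag deny streaks and policy-violating successes.

Added example; not from the study guide. The log line format and the
policy table are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical "timestamp user action resource result" format.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice READ /finance/ledger.xlsx ALLOW
2024-03-01T09:00:05 bob READ /finance/ledger.xlsx DENY
2024-03-01T09:00:07 bob READ /finance/budget.xlsx DENY
2024-03-01T09:00:09 bob READ /finance/forecast.xlsx DENY
2024-03-01T09:00:12 bob READ /hr/salaries.csv DENY
2024-03-01T09:01:30 carol WRITE /hr/salaries.csv ALLOW
2024-03-01T09:02:00 dave READ /public/handbook.pdf ALLOW
2024-03-01T09:03:45 bob READ /finance/ledger.xlsx ALLOW
"""

# Constructed policy: which users are entitled to which path prefixes.
POLICY = {
    "alice": ("/finance/", "/public/"),
    "bob": ("/public/",),
    "carol": ("/hr/", "/public/"),
    "dave": ("/public/",),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, resource, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "result": result,
        })
    return events


def deny_streaks(events, threshold=3):
    """Return {user: longest run} for users with >= threshold consecutive DENY events.

    The run is counted per user in log order; an ALLOW for that user resets it.
    """
    current = defaultdict(int)
    worst = defaultdict(int)
    for ev in events:
        if ev["result"] == "DENY":
            current[ev["user"]] += 1
            worst[ev["user"]] = max(worst[ev["user"]], current[ev["user"]])
        else:
            current[ev["user"]] = 0
    return {u: n for u, n in worst.items() if n >= threshold}


def policy_violations(events, policy):
    """Return ALLOW events whose resource lies outside the user's permitted prefixes.

    These are the successes the text warns about: the system said yes,
    but the written policy says it should not have.
    """
    violations = []
    for ev in events:
        if ev["result"] != "ALLOW":
            continue
        allowed = policy.get(ev["user"], ())
        if not any(ev["resource"].startswith(p) for p in allowed):
            violations.append(ev)
    return violations


def review(text=SAMPLE_LOG, policy=POLICY, threshold=3):
    """Run both checks and return the findings as plain data for reporting."""
    events = parse_log(text)
    return {
        "deny_streaks": deny_streaks(events, threshold),
        "violations": [(e["user"], e["resource"]) for e in policy_violations(events, policy)],
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(name, finding)
```

In the constructed sample, `bob` is denied four times in a row and then succeeds against a finance file his policy entry does not cover; the first finding comes from the deny-streak check, the second only from comparing successful events against the policy table, which is why the text calls for a procedure and tooling that make this comparison routine.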
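The functional testing and negative testing entries above distinguish normal cases (expected input, expected result) from anti-normal and negative cases (unexpected, invalid or harmful input, where the check is that the system responds appropriately rather than crashing or accepting the data). The following is an added example, not from the study guide, of a small harness that applies both kinds of case to a hypothetical input handler; `parse_transfer_amount`, `ValidationError` and all test inputs are constructed for the illustration.

```python
"""Functional (normal and anti-normal) plus negative test harness.

Added example; not from the study guide. `parse_transfer_amount` is a
hypothetical function under test and every case below is constructed.
"""
import re
from decimal import Decimal

MAX_AMOUNT = Decimal("1000000.00")

# ASCII digits only, up to 12 integer digits, optional two fractional digits.
AMOUNT_RE = re.compile(r"[0-9]{1,12}(\.[0-9]{1,2})?")


class ValidationError(ValueError):
    """Controlled rejection: the appropriate response to bad input."""


def parse_transfer_amount(raw):
    """Accept a plain decimal string with 0 < amount <= MAX_AMOUNT.

    Anything else is rejected with ValidationError; the function should
    never let an uncontrolled exception escape to the caller.
    """
    if not isinstance(raw, str):
        raise ValidationError("amount must be a string")
    s = raw.strip()
    if len(s) > 32:
        raise ValidationError("amount too long")
    # fullmatch rules out signs, exponents ('1e9'), 'NaN', hex and non-ASCII digits.
    if not AMOUNT_RE.fullmatch(s):
        raise ValidationError("amount is not a plain decimal")
    amount = Decimal(s)
    if not (0 < amount <= MAX_AMOUNT):
        raise ValidationError("amount out of range")
    return amount


# Normal cases: valid input and the value the handler should return.
NORMAL_CASES = [
    ("100", Decimal("100")),
    ("0.01", Decimal("0.01")),
    (" 250.50 ", Decimal("250.50")),
    ("1000000.00", Decimal("1000000.00")),
]

# Anti-normal / negative cases: each must produce a controlled rejection.
NEGATIVE_CASES = [
    "",              # empty
    "-5",            # negative sign
    "0",             # zero is not a valid transfer
    "1000000.01",    # just over the limit
    "100.001",       # too many fractional digits
    "1e9",           # exponent notation
    "NaN",           # special value Decimal would otherwise accept
    "0x1F",          # hex
    "\uff11\uff10\uff10",  # fullwidth digits, which str.isdigit() would accept
    "100 OR 1=1",    # unexpected trailing content
    None,            # wrong type
    "9" * 40,        # oversized input
]


def run_cases(func, normal, negative):
    """Run normal cases expecting the given value and negative cases expecting
    ValidationError. Any other exception is a failure: it means the input
    reached code that was never written to handle it."""
    results = {"passed": [], "failed": []}
    for raw, expected in normal:
        try:
            got = func(raw)
        except Exception:
            results["failed"].append(("normal", raw))
            continue
        bucket = "passed" if got == expected else "failed"
        results[bucket].append(("normal", raw))
    for raw in negative:
        try:
            func(raw)
        except ValidationError:
            results["passed"].append(("negative", raw))
        except Exception:
            results["failed"].append(("negative", raw))  # crashed instead of rejecting
        else:
            results["failed"].append(("negative", raw))  # accepted bad input
    return results


def run_suite():
    """Apply the harness to the hypothetical handler."""
    return run_cases(parse_transfer_amount, NORMAL_CASES, NEGATIVE_CASES)


if __name__ == "__main__":
    outcome = run_suite()
    print(len(outcome["passed"]), "passed;", len(outcome["failed"]), "failed")
    for kind, raw in outcome["failed"]:
        print("FAIL", kind, repr(raw))
```

The harness treats two outcomes as failures for a negative case: the handler accepting the data, and the handler raising anything other than the controlled `ValidationError`. The second matters as much as the first, because an unexpected exception type is the signal that robustness, not just functionality, has been breached.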