CISSP Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide (Sybex, 2018)

An industrial control system (ICS) is a form of computer-management device that controls industrial processes and machines. ICSs are used across a wide range of industries, including manufacturing, fabrication, electricity generation and distribution, water distribution, sewage processing, and oil refining. There are several forms of ICS, including distributed control systems (DCSs), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA).
DCS units are typically found in industrial process plants where the need to gather data and implement control over a large-scale environment from a single location is essential. An important aspect of DCS is that the controlling elements are distributed across the monitored environment, such as a manufacturing floor or a production line, and the centralized monitoring location sends commands out to those localized controllers while gathering status and performance data. A DCS might be analog or digital in nature, depending on the task being performed or the device being controlled. For example, a liquid flow valve DCS would be an analog system, whereas an electric voltage regulator DCS would likely be a digital system.


Chapter 9: Security Vulnerabilities, Threats, and Countermeasures (page 360)

PLC units are effectively single-purpose or focused-purpose digital computers. They are typically deployed for the management and automation of various industrial electromechanical operations, such as controlling systems on an assembly line or a large-scale digital light display (such as a giant display system in a stadium or on a Las Vegas Strip marquee).

A SCADA system can operate as a stand-alone device, be networked together with other SCADA systems, or be networked with traditional information technology (IT) systems. Most SCADA systems are designed with minimal human interfaces. Often, they use mechanical buttons and knobs or simple LCD screen interfaces (similar to what you might have on a business printer or a GPS navigation device). However, networked SCADA devices may have more complex remote-control software interfaces.

In theory, the static design of SCADA, PLC, and DCS units and their minimal human interfaces should make the system fairly resistant to compromise or modification. Thus, little security was built into these industrial control devices, especially in the past. But there have been several well-known compromises of industrial control systems in recent years; for example, Stuxnet delivered the first-ever rootkit to a SCADA system located in a nuclear facility. Many SCADA vendors have started implementing security improvements into their solutions in order to prevent or at least reduce future compromises. However, in practice, SCADA and ICS systems are still often poorly secured, vulnerable, and infrequently updated, and older versions not designed for security are still in widespread use.
Assess and Mitigate Vulnerabilities in Web-Based Systems
There is a wide variety of application and system vulnerabilities and threats in web-based systems, and the range is constantly expanding. Vulnerabilities include concerns related to Extensible Markup Language (XML) and Security Assertion Markup Language (SAML), plus many other concerns discussed by the open, community-focused web project known as the Open Web Application Security Project (OWASP).
OWASP is a nonprofit security project focusing on improving security for online or web-based applications. OWASP is not just an organization—it is also a large community that works together to freely share information, methodology, tools, and techniques related to better coding practices and more secure deployment architectures. For more information on OWASP and to participate in the community, visit www.owasp.org. The OWASP group maintains a guide of recommendations for assessing the security of a web service at https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet. OWASP also maintains a top ten list of the most critical web application attacks at https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf. Both of these documents would be a reasonable starting point for planning a security evaluation or penetration test of an organization’s web services.
Any security evaluation should start off with reconnaissance or information gathering. This step is to collect as much information as possible about the target for later steps to use. This usually includes viewing each of the hosted web pages, discovering the automation technologies in use, looking for information that should not have been posted, and checking for configuration and security leaks. This is followed by an assessment of the site’s configuration management (such as file handling, extensions in use, backups, looking for sensitive data in client-side code), and evaluating the site’s transmission security (such as checking for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) version support, assessing cipher suites, cookie/session ID/token management, and susceptibility to forged requests).
Next in a web security assessment is to evaluate authentication and session management. This is followed by evaluating the cryptography of the site and the methods used for data validation and sanitization. A web security assessment should also involve checking for DoS defenses, evaluating risk responses, and testing error handling.
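As an added illustration of the transmission-security and session-management checks in the assessment steps above (example code written for this page, not from the study guide or from OWASP), the following Python audits constructed Set-Cookie headers and a constructed list of the protocol versions and cipher suites a server offers. The session-cookie name hints, the deprecated-version set (SSLv2/SSLv3 and TLS 1.0/1.1) and the weak-cipher markers are assumptions chosen for the example.

```python
import re
from typing import Dict, List

# Constructed sample data standing in for what a scan of a site would record.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=8A1F2C; Path=/",
    "csrftoken=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/; Max-Age=31536000",
]
SAMPLE_TLS_VERSIONS = ["SSLv3", "TLSv1", "TLSv1.2", "TLSv1.3"]
SAMPLE_CIPHERS = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                  "RC4-SHA", "DES-CBC3-SHA"]

# Assumptions: cookies whose names hint at sessions or tokens get the strict checks;
# SSLv2/SSLv3 and TLS 1.0/1.1 count as deprecated; these substrings mark weak suites.
SESSION_NAME_HINT = re.compile(r"sess|token|auth|sid|csrf", re.IGNORECASE)
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")


def audit_cookie(header: str) -> Dict[str, object]:
    """Check one Set-Cookie header for the Secure, HttpOnly and SameSite attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    findings = []
    if SESSION_NAME_HINT.search(name):
        for required in ("Secure", "HttpOnly", "SameSite"):
            if required.lower() not in attrs:
                findings.append(f"session cookie missing {required}")
    return {"name": name, "findings": findings}


def audit_tls(versions: List[str], ciphers: List[str]) -> List[str]:
    """Flag deprecated protocol versions and weak cipher suites the server still offers."""
    findings = [f"deprecated protocol offered: {v}" for v in versions
                if v in DEPRECATED_VERSIONS]
    findings += [f"weak cipher suite offered: {c}" for c in ciphers
                 if any(marker in c.upper() for marker in WEAK_CIPHER_MARKERS)]
    return findings


def assess_transmission(set_cookie_headers, versions, ciphers) -> List[str]:
    """Combine the cookie and TLS findings into one list for the assessment report."""
    report = []
    for header in set_cookie_headers:
        result = audit_cookie(header)
        report += [f"{result['name']}: {f}" for f in result["findings"]]
    return report + audit_tls(versions, ciphers)
```

Running `assess_transmission(SAMPLE_SET_COOKIE, SAMPLE_TLS_VERSIONS, SAMPLE_CIPHERS)` on the constructed data yields seven findings: three missing attributes on the session cookie, two deprecated protocol versions, and two weak suites.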
This is only a brief overview of the concept of web security assessment, as the CISSP exam does not expect you to be a professional penetration tester, but you should be generally aware of the concept of security evaluation. You are welcome to explore more details about web security assessment from the OWASP guide if you find this topic interesting.
A few of the OWASP top ten web risks that you may want to know about are injection, XML exploitation, cross-site scripting (XSS), and XSRF.
An 