Cyber Security Test Warriors: Where Might You Take Your Career?

Summary:

Do you know the latest in test attacks and testing techniques to become a cyber security test warrior? Becoming one is probably not for everyone, but the need is real, continues to grow, and offers a career opportunity for those brave enough to take the challenge.

Millions of credit cards have been hacked, as have embedded pacemakers and automobiles. Additionally, millions of data centers are attacked each year around the world. We hear these stories almost every day; many companies and countries have left their software systems too vulnerable.

To counter this, government leaders and the military have called for cyber security warriors to respond to these threats and stories. The cyber security staff have training programs and places or contexts where they can practice their skills. They get access to cool tools and are recognized as being “in demand.” As much as we need this type of trained and skilled person, I believe there is also a need for a subspecialty called the cyber security test warrior. This role requires a person who has the same skills as the basic cyber security warrior; however, these cyber security test warriors also need good tester skills.

Why do I think that we need these cyber security test warriors? Well, the bad guys use hacking attacks, they talk hacking attacks, and they have books about them [1]. The bad guys are always practicing their hacking attacks.

There is an approach to testing that is based on the attack concept to find vulnerability information about the software [2,3]. As much as we need a good defense, with cyber security warriors defending our systems on a day-to-day basis against the bad guys’ attacks, we need good offensive approaches to create more secure systems in the first place. In my view, cyber security attack-based testing is part of the offensive because it provides security information before the software or product is fielded.

Defenses can include:

  1. Development including requirements specification, software design, construction, and support processes such as configuration management.
  2. Operations including governance, product controls, access limitations, physical security, and cyber security.
  3. Functional and non-functional security testing during development and after deployment in operations.

Cyber Security Test Warrior Attacks
There are many aspects of becoming a skilled cyber security test warrior. As in martial arts, where there are many styles but no best, the tester should be skilled in many different attacks. Potential test attacks to conduct are listed in Table 1.

| Named Attack | Apply Against | Example Considerations |
|---|---|---|
| Penetration Attack | Account numbers and user ids | Use tools to gain access, like pkcrack |
| | Passwords | Check common passwords that may be vulnerable, using password hacking tools or checklists. |
| | Usage profiles | The pattern of how the software or device is used to expose vulnerabilities. |
| | Location tags for embedded and mobile devices | Where is the device, are tags temporary as the device moves, and what is reported to an open network (cellular, Wi-Fi, etc.)? |
| Fuzz Testing Sub Attack | External inputs, like user ids passwords | Use fuzzing tool to attack the external interfaces. |
| Spoofing Attack | “Hijacked” Identity | Use spoofing tools in the “sand-box” test environments. |
| | GPS spoofing for mobile/embedded devices | Requires specialized equipment and labs. But for devices dependent on GPS, this may be a “high” risk factor. |
| | "Social Engineering" spoof | Attack like the hackers who use many sources of information to gain an advantage. |
| File checking attack | "Hidden" files with unsecured data | Look for hidden or unsecure non-encrypted files |
| | Encryption (or lack thereof) | Is there restricted data perhaps hidden in mobile and embedded file systems which may be “temporary” or not encrypted properly? |
| | Good encryption patterns | Where did the algorithm(s) come from and how vulnerable is it? |
| Breaking Software Security | Use classic IT/PC/web attacks, many of which are applicable to mobile and embedded | See Whittaker’s book [4] for twenty attacks that can be applied to hybrid mobile-web apps. |
| Virus Attack | Off-the-shelf software | Test for counterfeit logic such as mobile and embedded viruses, malware, etc. |
| | Third party software | Many viruses are embedded in fun apps that users download particularly on “bring your own devices” |
| | Operating System | Can it be trusted? |
| | Bring your own mobile device | Threat from unsecured users |
| | Trojan horses | Can the tester use email, hacked apps, or other files to get “inside” of the defenses? |
| | Embedded multi-tier system | For example, Stuxnet and its offspring |

Table 1. Software Security Testing Attacks for the Cyber Security Test Warrior

Table 1 is only a sampling of the knowledge points, and, really, only contains the most basic concepts. A true cyber security test warrior would learn these concepts and develop one’s own variations of them.
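As an added illustration of the "File checking attack" rows of Table 1 (this code is not from the article), the following tester's check walks a directory tree, such as a file system extracted from a device under test, and reports hidden or temporary files that look unencrypted and contain card-like numbers. The function names, the suffix list, the 7.0 bits-per-byte entropy threshold, and the card-number pattern are all assumptions chosen for the example.

```python
import math
import os
import re
from collections import Counter

# Assumed pattern: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")
TEMP_SUFFIXES = (".tmp", ".bak", ".swp", "~")  # assumed "temporary" markers


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; well-encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(root: str, max_bytes: int = 65536):
    """Return (path, reason) for hidden/temporary files that look unencrypted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith(".") or name.endswith(TEMP_SUFFIXES)):
                continue  # only hidden or temporary files are in scope here
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if entropy(data) > 7.0:
                continue  # high entropy: likely encrypted or compressed
            if any(luhn_ok(re.sub(rb"\D", b"", m.group()).decode())
                   for m in CARD_RE.finditer(data)):
                findings.append((path, "plaintext card-like number"))
    return sorted(findings)
```

Call `scan()` on a directory in the test environment; each finding is a candidate for the "restricted data not encrypted properly" question in Table 1 and still needs a tester's review.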

Testers looking to become cyber security test warriors need to develop the following skills (not just tool expertise or product knowledge):

  1. The ability to apply the attacks of Table 1 and synthesize their own attacks.
  2. Critical thinking, including the ability to think like the bad guys.
  3. Exploratory attack testing. [4]
  4. Following the “smells” of the software bugs (small hints of a bug or vulnerability) while doing items one, two, and three.

About the author

Jon Hagar is a software tester, thinker, and teacher supporting software product integrity, verification, and validation, where he has worked for over thirty-five years. Jon is the IEEE project editor for ISO/IEEE 29119, co-chair for OMG UML testing profile, and works on IEEE 1012 V&V plans. Jon consults, publishes, teaches, and mentors regularly, and has published a book on mobile and embedded software testing, Software Test Attacks to Break Mobile and Embedded Devices, CRC Press, 2013.
