Do you know the latest in test attacks and testing techniques to become a cyber security test warrior? Becoming one is probably not for everyone, but the need is real, continues to grow, and offers a career opportunity for those brave enough to take the challenge.
Millions of credit cards have been hacked, as have embedded pacemakers and automobiles. Additionally, millions of data centers are attacked each year around the world. We hear these stories almost every day; many companies and countries have left their software systems too vulnerable.
To counter this, government leaders and the military have called for cyber security warriors to respond to these threats and stories. The cyber security staff have training programs and places or contexts where they can practice their skills. They get access to cool tools and are recognized as being “in demand.” As much as we need this type of trained and skilled person, I believe there is also a need for a subspecialty called the cyber security test warrior. This role requires a person who has the same skills as the basic cyber security warrior; however, these cyber security test warriors also need good tester skills.
Why do I think that we need these cyber security test warriors? Well, the bad guys use hacking attacks, they talk hacking attacks, and they have books about them [1]. The bad guys are always practicing their hacking attacks.
There is an approach to testing that is based on the attack concept to find vulnerability information about the software [2,3]. As much as we need a good defense with cyber security warriors defending our systems on a day-to-day basis against the bad guys’ attacks, we need good offensive approaches to create more secure systems in the first place. In my view, cyber security attack-based testing is part of the offensive because it provides security information before the software or product is fielded.
Defenses can include:
- Development including requirements specification, software design, construction, and support processes such as configuration management.
- Operations including governance, product controls, access limitations, physical security, and cyber security.
- Functional and non-functional security testing during development and after deployment in operations.
Cyber Security Test Warrior Attacks
There are many aspects of becoming a skilled cyber security test warrior. As in martial arts, where there are many styles but no single best one, the tester should be skilled in many different attacks. Table 1 lists potential test attacks to conduct.

| Named Attack | Apply Against | Example Considerations |
| --- | --- | --- |
| Penetration Attack | Account numbers and user ids | Use tools to gain access, like pkcrack |
| | Passwords | Check common passwords that may be vulnerable, using password hacking tools or checklists. |
| | Usage profiles | The pattern of how the software or device is used to expose vulnerabilities. |
| | Location tags for embedded and mobile devices | Where is the device, are tags temporary as the device moves, and what is reported to an open network (cellular, Wi-Fi, etc.)? |
| Fuzz Testing Sub Attack | External inputs, like user ids and passwords | Use a fuzzing tool to attack the external interfaces. |
| Spoofing Attack | “Hijacked” Identity | Use spoofing tools in the “sand-box” test environments. |
| | GPS spoofing for mobile/embedded devices | Requires specialized equipment and labs. But for devices dependent on GPS, this may be a “high” risk factor. |
| | "Social Engineering" spoof | Attack like the hackers who use many sources of information to gain an advantage. |
| File checking attack | "Hidden" files with unsecured data | Look for hidden or unsecure non-encrypted files. |
| | Encryption (or lack thereof) | Is there restricted data perhaps hidden in mobile and embedded file systems which may be “temporary” or not encrypted properly? |
| | Good encryption patterns | Where did the algorithm(s) come from and how vulnerable are they? |
| Breaking Software Security | Use classic IT/PC/web attacks, many of which are applicable to mobile and embedded | See Whittaker’s book [4] for twenty attacks that can be applied to hybrid mobile-web apps. |
| Virus Attack | Off-the-shelf software | Test for counterfeit logic such as mobile and embedded viruses, malware, etc. |
| | Third party software | Many viruses are embedded in fun apps that users download, particularly on “bring your own devices.” |
| | Operating System | Can it be trusted? |
| | Bring your own mobile device | Threat from unsecured users |
| | Trojan horses | Can the tester use email, hacked apps, or other files to get “inside” of the defenses? |
| | Embedded multi-tier system | For example, Stuxnet and its offspring |

Table 1. Software Security Testing Attacks for the Cyber Security Test Warrior
Table 1 is only a sampling of the knowledge points, and, really, only contains the most basic concepts. A true cyber security test warrior would learn these concepts and develop one’s own variations of them.
Testers looking to become cyber security test warriors need to develop the following skills (not just tool expertise or product knowledge):
1. The ability to apply the attacks of Table 1 and synthesize their own attacks.
2. Critical thinking, including the ability to think like the bad guys.
3. Exploratory attack testing. [4]
4. Following the “smells” of the software bugs (small hints of a bug or vulnerability) while doing items one, two, and three.
Where the Cyber Security Test Warrior Practices Attacks
To practice cyber warfare, testers and the development team, in general, need a test sandbox environment (see chapter ten of my book Software Test Attacks to Break Mobile and Embedded Devices) where they can gain skills without threatening the real-world systems. In fact, many of the things a warrior might do could be considered illegal in the real world unless sanctioned by proper authorities. Such security test sandbox environments can include the systems or software at risk, simulations of the environment the system will execute in, tools to support the development and testing, and training simulations.
The warrior team will not receive the necessary skills without practice. Soldiers and martial artists practice, practice, practice to develop mental and physical “memory” for their attacks. You cannot just read a book or article and become a practiced warrior. Starting off, the cyber warrior tester needs to apply the knowledge gained from books and teachers in a safe sandbox environment. Once the practiced skills reach a reasonable level of proficiency, actual “combat” can then be undertaken.
In Conclusion
Practicing attacks in an educational sandbox environment, followed by combat testing against real software, can be the best skill builder for cyber security test warriors. It takes most warriors years to be proficient and a lifetime of practice. There must be focused mental discipline, constant learning, and a constant refinement of skills.
How many test skills do you have? Do you know numerous test attacks and techniques, and do you have enough to become a cyber security test warrior? Becoming one is probably not for everyone, but the need is real, continues to grow, and so offers a career opportunity for those brave enough to take the challenge. What are you waiting for? Get started with these references to develop your cyber test warrior skills and have some fun along the way.
References
1. J. Scambray, S. McClure, G. Kurtz, Hacking Exposed, McGraw Hill.
2. J. Whittaker, How to Break Software Security.
3. J. Hagar, Software Test Attacks to Break Mobile and Embedded Devices, CRC Press, 2013.
4. Kaner, Falk, and Nguyen, Testing Computer Software (Second Edition), Van Nostrand Reinhold, New York, 1993.