Security Assessments Chapter 18 PDF
Summary
This document discusses security assessments, including audits, vulnerability tests, and penetration testing. It covers various security concepts and contains a set of questions related to the subject. The content is about information security.
Chapter 18: Security Assessments 845

that everything covered in this chapter is grounded in the risk management discussed in Chapter 2. If you do not keep in mind the specific threats and risks with which your organization is concerned, then it is very difficult to properly address them.

Quick Review

- An audit is a systematic assessment of the security controls of an information system.
- Setting a clear set of goals is probably the most important step of planning a security audit.
- A vulnerability test is an examination of a system for the purpose of identifying, defining, and ranking its vulnerabilities.
- Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner.
- Red teaming is the practice of emulating a specific threat actor (or type of threat actor) with a particular set of objectives.
- Black box testing treats the system being tested as completely opaque.
- White box testing affords the auditor complete knowledge of the inner workings of the system even before the first scan is performed.
- Gray box testing gives the auditor some, but not all, information about the internal workings of the system.
- A blind test is one in which the assessors only have publicly available data to work with and the network security staff is aware that the testing will occur.
- A double-blind test (stealth assessment) is a blind test in which the network security staff is not notified that testing will occur.
- Breach and attack simulations (BAS) are automated systems that launch simulated attacks against a target environment and then generate reports on their findings.
- A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls.
- Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services.
- A code review is a systematic examination of the instructions that comprise a piece of software, performed by someone other than the author of that code.
- A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.
- Test coverage is a measure of how much of a system is examined by a specific test (or group of tests).

CISSP All-in-One Exam Guide 846

- Interface testing is the systematic evaluation of a given set of exchange points for data between systems and/or users.
- Compliance checks are point-in-time verifications that specific security controls are implemented and performing as expected.
- Internal audits benefit from the auditors’ familiarity with the systems, but may be hindered by a lack of exposure to how others attack and defend systems.
- External audits happen when organizations have a contract in place that includes security provisions. The contracting party can demand to audit the contractor to ensure those provisions are being met.
- Third-party audits typically bring a much broader background of experience that can provide fresh insights, but can be expensive.

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. Keep in mind that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer. Instead, the candidate should look for the best answer in the list.

1. Internal audits are the preferred approach when which of the following is true?
A. The organization lacks the organic expertise to conduct them.
B. Regulatory requirements dictate the use of a third-party auditor.
C. The budget for security testing is limited or nonexistent.
D. There is concern over the spillage of proprietary or confidential information.

2. All of the following are steps in the security audit process except
A. Document the results.
B. Convene a management review.
C. Involve the right business unit leaders.
D. Determine the scope.

3. Which of the following is an advantage of using third-party auditors?
A. They may have knowledge that an organization wouldn’t otherwise be able to leverage.
B. Their cost.
C. The requirement for NDAs and supervision.
D. Their use of automated scanners and reports.