Domain 6: Security Assessment and Testing
Definitions
- War Dialing - technique to automatically scan a list of telephone numbers
- Pentesting Methodology
  - Planning
  - Reconnaissance
  - Scanning (enumeration)
  - Vulnerability Assessment
  - Exploitation
  - Reporting
- Unit Testing - low level, functions, procedures, or objects
- Installation Testing - seeing if it installs and can run
- Integration Testing - multiple components tested together. Say there is a unit test for the headlights and one for the turn signal; the integration test would make sure they both work at the same time
- Regression Testing - testing updates, modifications, or patches
- Acceptance Testing - ensuring it meets standards and requirements
- Fuzzing - black-box testing that submits random, malformed data to see if it will crash
- Dynamic Analysis - giving program inputs to test all paths for bugs, weaknesses, vulnerabilities, etc
- Static Analysis - analyzing the source code for bugs, weaknesses, vulnerabilities, style, etc
- Risk = Threat X Vulnerability
Pentesting and active assessments. Once you create something, look for weaknesses or abuse cases
- Internal - usually done by checking logs, scanning internal network with vulnerability scanner, checking camera coverage, etc
- External - analyzing firewall rules, IDS/IPS, endpoint protection, fences, gates, etc
- Third-party - paying another organization to test your security for you
- Vulnerability assessment - describes a ton of weaknesses in the system. Doesn't exploit anything
- Penetration testing - chaining together weaknesses to see what is possible. Testers put themselves in the place of attackers to see what they could do
- Log reviews - manually reviewing logs or setting up a log analysis tool/filter, e.g. Splunk
- Synthetic transactions - building scripts to simulate normal activities. This captures a baseline and simulates traffic
- Code review and testing - manual review, static analysis, and dynamic analysis. all three should be used
- Misuse case testing - writing security tests. You could write a security test to ensure the server redirects you, or that all password hashes used are strong
- Test coverage analysis - sees how much code you are testing or covering with dynamic analysis
- Interface testing - testing the functionality of the interface. Ensuring the user can't see any weird files, error messages, or anything unnecessary.
- Account management - user accounts should be monitored, permissions checked, and passwords automatically changed
- Management review and approval - weaknesses and risk should always be taken to management before acting. They determine the best plan forward and how much risk they want to accept.
- Key performance and risk indicators - a measure of a particular organizational performance activity, or an important indicator of a precise health condition of an organization. Enables quick documentation of successes and improvements.
- Backup verification data - information used for verification and management should be backed up
- Training and awareness - everyone should have to take frequent awareness training, and their training should be tracked
- Disaster Recovery (DR) and Business Continuity (BC) - there should be plans in place for what to do when bad things happen. Is a hot site or cold site needed? Should everything be completely redundant?
- Policies and Procedures
- Security Personnel Training
- Change Management
- Architectural Reviews
- Vulnerability Reports
- Metrics reports on security
- Metrics reports on IT and remediation
- Pentest Reports
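The "misuse case testing" item above mentions writing a security test that checks all stored password hashes are strong. The following is an added example of such a test, not code from the study guide or its sources; the policy floors (bcrypt cost, Argon2 memory), the choice of which formats count as strong, and the sample user records are this example's own assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Patterns for common stored-password formats. Treating slow, salted KDFs
# (bcrypt, argon2id) as strong and bare fast digests as weak is this
# example's assumed policy, not something the study notes define.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
ARGON2_RE = re.compile(r"^\$argon2(id|i|d)\$v=\d+\$m=(\d+),t=(\d+),p=\d+\$[^$]+\$[^$]+$")
HEX_DIGEST_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_BCRYPT_COST = 10            # assumed policy floor for bcrypt work factor
MIN_ARGON2_MEMORY_KIB = 65536   # assumed policy floor for Argon2 memory (64 MiB)


def classify_hash(stored: str) -> Tuple[str, Optional[str]]:
    """Return (scheme, problem); problem is None when the hash passes policy."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return "bcrypt", f"bcrypt cost {cost} below policy floor {MIN_BCRYPT_COST}"
        return "bcrypt", None
    m = ARGON2_RE.match(stored)
    if m:
        variant, mem = m.group(1), int(m.group(2))
        if variant != "id":
            return "argon2" + variant, "argon2 variant is not argon2id"
        if mem < MIN_ARGON2_MEMORY_KIB:
            return "argon2id", f"argon2id memory {mem} KiB below policy floor"
        return "argon2id", None
    if HEX_DIGEST_RE.match(stored):
        # Bare hex of fixed length is an unsalted fast digest: MD5 (32), SHA-1 (40), SHA-256 (64)
        name = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(stored), "hex-digest")
        return name, f"unsalted fast digest ({name}) is not a password hash"
    return "unknown", "unrecognised hash format"


def find_weak_hashes(users: Dict[str, str]) -> Dict[str, str]:
    """Misuse-case check: map each user whose stored hash violates policy to the reason."""
    return {u: p for u, (_, p) in ((u, classify_hash(h)) for u, h in users.items()) if p}


# Constructed sample records (fabricated values, not real credentials).
SAMPLE_USERS = {
    "alice": "$2b$12$" + "a" * 53,                                        # bcrypt cost 12: passes
    "bob":   "$2b$04$" + "b" * 53,                                        # bcrypt cost 4: too cheap
    "carol": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g",    # argon2id: passes
    "dave":  "d" * 32,                                                    # unsalted MD5-shaped: fails
    "erin":  "not-a-hash",                                                # unknown format: fails
}

if __name__ == "__main__":
    for user, why in find_weak_hashes(SAMPLE_USERS).items():
        print(f"{user}: {why}")
```

In a real test suite the dictionary would be loaded from the user store and the test would fail when `find_weak_hashes` returns anything.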
Same thing as the first title in this section, except you are doing this for real now.
- Internal
- External
- Third-party
Sources
https://github.com/icepaule/CISSP-Study-Guide (Thanks to SimonOwens for his great work)