
Introduction

Security assessment and testing programs provide a mechanism for validating the ongoing effectiveness of security controls. It's crucial for organizations to have a security assessment and testing program defined and operational.

Remember: We are not expected to know everything. It's reasonable to consult with an expert when needed.


Exam Outline

  1. Design and validate assessment, test, and audit strategies
  2. Conduct security control testing
  3. Collect security process data (technical and administrative)
  4. Analyze test output and generate report
  5. Conduct or facilitate security audits

Though it's a short domain by numbers, there's a high expectation of what we must know and perform.


Assessment and Testing

Vulnerability Assessment vs. Penetration Tests

  • Vulnerability Assessments:
    • Use automated tools.
    • Search for known vulnerabilities in applications and networks.

Vulnerabilities typically stem from missing patches, insecure configurations, or flaws in the code itself.

  • Penetration Tests:
    • Use tools and attack techniques.
    • Attempt to exploit vulnerabilities and access systems.

Providers commonly quote a vulnerability assessment together with a penetration test, because the assessment identifies and scopes the weaknesses that the penetration test then tries to exploit.

Penetration Test Strategies

  • War Dialing
  • Sniffing
  • Eavesdropping
  • Dumpster Diving
  • Social Engineering

Tests that involve people (social engineering, dumpster diving) cost more than automated scanning, but they uncover weaknesses, such as staff behaviour and physical handling of information, that scanners cannot reach.

Remember: every organization should have a security assessment and testing program defined.


Security Process Data

  • Employment Policies and Practices
    • Define/write and communicate termination processes.
    • Implement regular background checks.
  • Roles and Responsibilities
    • Management sets and communicates the policies.
  • Security Awareness Training (SAT)
    • Trains employees against social engineering and phishing attacks.
  • Software Testing
    • Conduct tests before deploying to production.
    • Tests verify that the code works as intended and check for security flaws (testing can show that flaws are present; it cannot prove their absence).
    • Use peer review processes to validate code.
    • Assess interactions via API testing, UI testing, and physical interface testing.

Code review can be formal or informal, but it's essential before deployment.


6. Types of Software Testing

6.1 Static vs. Dynamic Testing

  • Static: Evaluates software without running it. Analyzes the source code or compiled application.
  • Dynamic: Evaluates software in a runtime environment.

[Success Callout] Running the software in a runtime environment catches problems that only appear when it executes, such as configuration, environment, and integration issues that affect functionality, scalability, and security; static and dynamic testing complement each other rather than replace each other.

6.2 Fuzzing

  • Feeds malformed or unexpected inputs to a program and observes how it responds (crashes, hangs, unhandled errors).
  • Can surface input-handling flaws such as SQL injection and buffer overflows.
  • Mutation fuzzing takes valid sample inputs and alters them; generational fuzzing builds inputs from a model of the expected input format (for example, a protocol or file specification), which lets it reach boundary cases that random mutation may miss.
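To make the mutation/generational distinction concrete, here is an added example (written for these notes, not taken from the original page) that runs both styles of fuzzer against a small record parser constructed for the purpose. The parser is deliberately defective: it trusts a declared length field and indexes past the bytes actually present. The record format, the parser, and the fuzzer functions are all assumptions of this example.

```python
"""Added example (not from the original notes): mutation vs. generational
fuzzing against a toy parser that trusts a length field."""
import random
from typing import Callable, Iterable, List, Tuple

Target = Callable[[bytes], bytes]


def parse_record(data: bytes) -> bytes:
    """Toy parser for records of the form TAG(1 byte) LEN(1 byte) PAYLOAD.
    Constructed for this example and defective on purpose: it reads
    PAYLOAD[LEN-1] without checking that LEN bytes are really present."""
    if len(data) < 2:
        raise ValueError("record too short")
    if data[0] != 0x01:
        raise ValueError("unknown tag")
    length = data[1]
    payload = data[2:2 + length]
    if length == 0:
        return b""
    _trailer = payload[length - 1]   # Defect: IndexError when LEN > bytes present
    return payload


def run_cases(target: Target, cases: Iterable[bytes]) -> List[Tuple[bytes, str]]:
    """Feed each case to the target. ValueError is the parser's documented
    rejection path; any other exception is recorded as a finding."""
    findings = []
    for case in cases:
        try:
            target(case)
        except ValueError:
            pass
        except Exception as exc:  # noqa: BLE001 - a fuzzer wants every failure
            findings.append((case, type(exc).__name__))
    return findings


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: apply one random edit (bit flip, byte overwrite,
    insert or delete) to a known-good sample input."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def mutation_fuzz(target: Target, seed: bytes, iterations: int,
                  rng_seed: int = 1) -> List[Tuple[bytes, str]]:
    """Run `iterations` single-step mutations of `seed` (deterministic RNG)."""
    rng = random.Random(rng_seed)
    return run_cases(target, (mutate(seed, rng) for _ in range(iterations)))


def generational_cases() -> List[bytes]:
    """Generational fuzzing: build inputs from a model of the format instead of
    from samples. Every declared LEN at a boundary value is paired with
    payloads shorter than, equal to, and longer than the declaration."""
    cases = []
    for declared in (0, 1, 2, 127, 128, 255):
        for actual in sorted({0, max(declared - 1, 0), declared, declared + 1}):
            cases.append(bytes([0x01, declared]) + b"A" * actual)
    return cases


def generational_fuzz(target: Target) -> List[Tuple[bytes, str]]:
    return run_cases(target, generational_cases())


if __name__ == "__main__":
    seed = b"\x01\x05hello"          # a valid record: tag 1, length 5, "hello"
    for name, found in (("mutation", mutation_fuzz(parse_record, seed, 500)),
                        ("generational", generational_fuzz(parse_record))):
        print(f"{name}: {len(found)} findings")
        for case, exc in found[:3]:
            print(f"  {exc} on {case!r}")
```

Both fuzzers hit the same defect (an IndexError), but notice how they get there: the mutation fuzzer stumbles onto it by deleting payload bytes or bumping the length byte of one seed, while the generational fuzzer reaches the 0/1/127/128/255 boundaries systematically in a handful of cases because it knows what a length field is.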

7. Security Management Oversight

  • Conduct log reviews, especially for admin activities.
  • Review account management practices.
  • Ensure backups function correctly.

[Danger Callout] Backup verification is the most critical of these: a backup that has never been test-restored cannot be assumed to work, and the failure is only discovered when the data is already lost.
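The "log reviews, especially for admin activities" item above is where most of the day-to-day work in this section happens, so here is an added example of what such a review can look like when automated (example code written for these notes, not from the original page). It runs three constructed rules over a handful of constructed Linux auth-log style lines: privileged (sudo) use outside business hours, sudo commands touching account or credential files, and bursts of failed logins from one source. The log lines, hostnames, addresses, rule names and thresholds are all this example's own assumptions.

```python
"""Added example (not from the original notes): a small admin-activity log
review over constructed auth-log lines."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample log (not real data), in Linux auth.log style.
SAMPLE_LOG = """\
Mar 14 09:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 14 22:47:03 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup
Mar 14 22:47:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar 14 23:10:05 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 23:10:06 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 14 23:10:08 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 14 23:10:09 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 14 23:10:11 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 15 08:30:44 web01 sshd[2410]: Accepted publickey for alice from 198.51.100.20 port 40110 ssh2
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$")
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")

# Review rules (assumed policy for this example).
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "useradd", "usermod", "userdel", "passwd", "visudo")
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time counts as in-hours
FAIL_THRESHOLD = 3              # this many failures from one source is a burst


def review_log(text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the given log text."""
    findings: List[Tuple[str, str]] = []
    failures: Counter = Counter()
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ts, user, cmd = m.group("ts"), m.group("user"), m.group("cmd")
            hour = int(ts.split()[2].split(":")[0])
            if hour not in BUSINESS_HOURS:
                findings.append(("off-hours sudo", f"{user} at {ts}: {cmd}"))
            if any(marker in cmd for marker in SENSITIVE):
                findings.append(("sensitive admin command", f"{user}: {cmd}"))
            continue
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("src")] += 1
    for src, count in failures.items():
        if count >= FAIL_THRESHOLD:
            findings.append(("failed-auth burst", f"{count} failed logins from {src}"))
    return findings


if __name__ == "__main__":
    for rule, detail in review_log(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the sample, alice's daytime service restart produces nothing, bob's late-night account creation and read of /etc/shadow each trigger two rules, and the five failures from 203.0.113.7 collapse into one burst finding. The point of the exercise is that the rules encode what the organization considers normal administrative behaviour; a review without that baseline is just reading logs.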


8. Key Performance & Risk Indicators

Provide insights into the security program's effectiveness: KPIs measure how well the program is performing against its targets, while KRIs signal where risk is rising before it materialises. Controls may not remain effective indefinitely, so these indicators need to be tracked over time rather than assessed once.


9. Internal and External Audits

9.1 Security Audits

  • Performed by an external third party, as opposed to the internal audits described below.
  • Assess the security controls of an organization's assets.

9.2 Internal Audits

  • Conducted by internal staff.
  • Intended for management use.

[Information Callout] For the exam, assume "audit" refers to a 3rd-party audit unless stated otherwise.