5.5 Flashcards
Audits
Systematic evaluations of an organization’s information systems, applications, and security controls
Purpose of audits
● Validate security measures
● Identify vulnerabilities
● Maintain compliance with regulatory standards
● Identify gaps in security policies, procedures, or controls and ensure compliance with
Assessments
■ Detailed analysis to identify vulnerabilities and risks
■ Performed before implementing new systems or significant changes
■ Categories
● Risk Assessments
● Vulnerability Assessments
● Threat Assessments
Reconnaissance in Pentesting
Gathering information before a pentest
■ Types
● Passive
● Active
■ Environment Consideration
● Known
● Partially Known
● Unknown
Passive reconnaissance
Passive reconnaissance involves collecting information without directly interacting with the target system or network.
Active reconnaissance
Active reconnaissance involves engaging directly with the target system or network to gather information, e.g., port scanning, vulnerability scanning, etc.
Attestation of findings
■ Formal, written declaration of audit or assessment results
■ Purpose
● Confirmation and documentation of outcomes
Internal assessments
■ Conducted to identify and evaluate potential risks and vulnerabilities in an organization’s information systems
■ Commonly performed before implementing new systems or making significant changes to existing ones
Internal assessment processes
● Threat modeling
● Vulnerability assessment
● Risk assessment
Threat modeling exercise
Identifies potential threats to applications (e.g., SQL injection, XSS, DoS attacks)
MCIT Cybersecurity Self-Assessment
MCIT’s Cybersecurity Self-Assessment checklist is designed to help organizations minimize data and cybersecurity-related exposures
● It assists in identifying areas where data security may need strengthening
● The checklist comprises yes-or-no questions with sections for comments and action items
● Action items are assigned to specific individuals or groups responsible for implementing corrective actions
Examinations
Detailed inspections of an organization’s security infrastructure conducted externally
Types of pen testing
● Physical
● Offensive (red teaming): actively seeks vulnerabilities and attempts to exploit them
● Defensive (blue teaming): detecting and responding to attacks
● Integrated (purple teaming): combines red and blue teaming
Metasploit
■ Multipurpose computer security and penetration testing framework
■ Has a wide array of powerful tools for conducting penetration tests
Types of attestations
■ Software Attestation
● Involves validating the integrity of software to ensure it hasn’t been tampered with
■ Hardware Attestation
● Validates the integrity of hardware components to confirm they haven’t been tampered with
■ System Attestation
● Validates the security posture of a system, often related to compliance with security standards