Domain 6 Flashcards
NIST SP 800-53A
NIST guidance for assessing security and privacy controls in information systems and organizations (the assessment companion to the SP 800-53 control catalog)
Security assessment and testing programs
Every organization should have a security assessment and testing program defined and operational.
It provides a mechanism for validating the ongoing effectiveness of security controls, using a variety of tools:
- vulnerability assessments
- penetration tests
- software testing
- audits
- security management tasks
Vulnerability Assessments
Use automated tools to search for known vulnerabilities in systems, applications, and networks.
Flaws found may include missing patches, misconfigurations, or faulty code that expose the organization to security risk.
Penetration tests
Use the same tools but supplement them with attack techniques: an assessor attempts to exploit the discovered vulnerabilities and gain access to the system, demonstrating actual impact rather than only reporting possible weaknesses.
Penetration test strategies
- War Dialing – dialing ranges of phone numbers (often from a bank of modems) to find modems that answer
- Sniffing – capturing and monitoring network traffic
- Eavesdropping – listening in on conversations or communications
- Dumpster Diving – searching discarded materials (trash, recycling) for sensitive information
- Social Engineering – manipulating people into disclosing information or granting access
Employment Policies and Practices
Termination process and background checks
write
Roles and Responsibilities
Management sets the standard and communicates the policy
communicate
Security Awareness Training
Reduces susceptibility to social engineering, including phishing
train
Software testing
Techniques verify that code functions as designed and does not contain security flaws; both static and dynamic techniques are used.
Perform software testing to validate code before it moves into production.
Code review
Uses a peer review process to formally or informally validate code before deploying it in production.
Interface testing
Assesses the interactions between components and users through API testing, user interface testing, and physical interface testing.
Static Software testing
Techniques (including code reviews) evaluate the security of software without running it, by analyzing either the source code or the compiled application.
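As an added example (not part of the original flashcards), the following is a minimal static analyzer: it inspects Python source without executing it, walking the abstract syntax tree for a few call patterns that commonly indicate injection risk (eval()/exec(), os.system()/os.popen(), and subprocess calls with shell=True). The sample program it scans is constructed for the demonstration and is never run.

```python
"""Added example (not from the original page): a tiny static analyzer.

It parses Python source into an AST and reports calls that execute strings
as code or as shell commands.  Nothing in SAMPLE_SOURCE is executed; this is
the defining property of static testing."""
import ast

# Constructed sample program: three risky calls and one safe call.
SAMPLE_SOURCE = '''
import os, subprocess

def run(cmd, user_expr):
    os.system("ls " + cmd)                       # shell injection risk
    subprocess.run(["ls", cmd])                  # safe: argument list, no shell
    subprocess.run("ls " + cmd, shell=True)      # shell injection risk
    return eval(user_expr)                       # arbitrary code execution
'''

RISKY_NAMES = {"eval", "exec"}                          # builtins that run code strings
RISKY_ATTRS = {("os", "system"), ("os", "popen")}       # always go through a shell
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _dotted(node):
    """Return (module, attr) for an Attribute on a plain Name, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return node.value.id, node.attr
    return None


def find_risky_calls(source):
    """Return a sorted list of (line_number, description) for risky calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in RISKY_NAMES:
            findings.append((node.lineno, f"{func.id}() executes a string as code"))
            continue
        dotted = _dotted(func)
        if dotted is None:
            continue
        if dotted in RISKY_ATTRS:
            findings.append((node.lineno, f"{dotted[0]}.{dotted[1]}() runs a shell command"))
        elif dotted[0] == "subprocess" and dotted[1] in SUBPROCESS_FUNCS:
            # shell=True hands the command string to a shell for parsing
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, f"subprocess.{dotted[1]}(shell=True)"))
    return sorted(findings)


if __name__ == "__main__":
    for line, desc in find_risky_calls(SAMPLE_SOURCE):
        print(f"line {line}: {desc}")
```

The analyzer is pattern-based, so like any static tool it has blind spots (aliased imports, calls built dynamically) and should be read as a demonstration of the approach, not a complete scanner.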
Dynamic Software testing
Evaluates the security of software in a runtime environment. Because it does not require source code, it is often the only option for organizations deploying applications written by someone else, but it applies equally to in-house code.
Fuzzing (testing technique)
Uses modified or generated inputs to test how software behaves under unexpected circumstances.
- Mutation (dumb) fuzzing: modifies known inputs to generate synthetic inputs that may trigger unexpected behavior.
- Generational (intelligent) fuzzing: develops inputs from models of the expected input format to perform the same task.
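As an added example (not part of the original flashcards), the following shows both fuzzing styles against a toy record parser. The parser, its record format, the seed input, and the deliberate bug (a trusted length field) are all constructed for the demonstration. Mutation fuzzing flips, overwrites, truncates and appends bytes of a known-good input; generation fuzzing builds inputs from a model of the format and sometimes violates the model on purpose. Either way, a rejection with ValueError is the parser behaving correctly, while any other exception is a crash worth reporting.

```python
"""Added example (not from the original page): mutation- and generation-based
fuzzing of a constructed toy parser."""
import random


def parse_record(data: bytes) -> dict:
    """Toy format: [len][payload ...][checksum], checksum = sum(payload) % 256.
    Deliberate bug: the length field is trusted, so a length larger than the
    remaining data (or an empty input) raises IndexError instead of ValueError."""
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]           # IndexError if the length field lies
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")  # graceful rejection, not a crash
    return {"length": length, "payload": payload}


def make_record(payload: bytes, claimed_length=None) -> bytes:
    """Build a record; claimed_length lets a generator violate the model."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([length]) + payload + bytes([sum(payload) % 256])


SEED_INPUT = make_record(b"abc")  # constructed valid input: 03 61 62 63 26


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: derive a synthetic input by altering a known-good one."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:                                   # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                                 # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and buf:                                 # truncate
        del buf[rng.randrange(len(buf)):]
    else:                                                 # append junk bytes
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Generation fuzzing: build inputs from a model of the format, sometimes
    violating it (here: a length field that overstates the payload)."""
    payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 9)))
    if rng.random() < 0.3:
        lie = min(255, len(payload) + rng.randrange(1, 200))
        return make_record(payload, claimed_length=lie)
    return make_record(payload)


def fuzz(producer, iterations: int, seed: int = 1) -> dict:
    """Run producer(rng) `iterations` times; count accepted, rejected, crashed."""
    rng = random.Random(seed)  # fixed seed so a run can be reproduced
    stats = {"accepted": 0, "rejected": 0, "crashed": 0, "crash_inputs": []}
    for _ in range(iterations):
        data = producer(rng)
        try:
            parse_record(data)
            stats["accepted"] += 1
        except ValueError:
            stats["rejected"] += 1        # expected: parser refused bad input
        except Exception as exc:          # anything else is a bug to report
            stats["crashed"] += 1
            stats["crash_inputs"].append((data.hex(), repr(exc)))
    return stats


if __name__ == "__main__":
    results = {
        "mutation": fuzz(lambda rng: mutate(SEED_INPUT, rng), 200),
        "generation": fuzz(generate, 200),
    }
    for name, s in results.items():
        print(f"{name}: accepted={s['accepted']} rejected={s['rejected']} "
              f"crashed={s['crashed']}")
        for data_hex, err in s["crash_inputs"][:3]:
            print(f"  {data_hex}: {err}")
```

Note how the two strategies find the same bug from different directions: the mutation fuzzer stumbles on it by corrupting the length byte or truncating the record, while the generation fuzzer reaches it deliberately because its model knows which field to lie about. Real fuzzers add coverage feedback, crash deduplication and minimization on top of this loop.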
Log Reviews
Reviewing logs, particularly of administrator activities, helps ensure that systems are not misused.
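As an added example (not part of the original flashcards), the following is a small review of administrator activity over sudo-style log lines. The log lines, the set of approved administrators, the change window and the list of sensitive commands are all constructed for the demonstration; a real review would pull the same fields from the host's auth log or a SIEM.

```python
"""Added example (not from the original page): reviewing administrator
activity in constructed sudo-style log lines."""
import re
from datetime import datetime, time

# Constructed sample log lines (syslog-like layout, ISO timestamps for simplicity).
SAMPLE_LOG = """\
2024-05-06T10:15:02 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-05-06T10:20:41 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m backdoor
2024-05-06T10:21:05 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2024-05-06T02:03:17 host2 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit
2024-05-06T11:00:00 host2 sudo: carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
"""

APPROVED_ADMINS = {"alice"}                    # assumption: accounts allowed to use sudo
CHANGE_WINDOW = (time(9, 0), time(18, 0))      # assumption: approved hours for admin work
SENSITIVE = re.compile(r"useradd|usermod|/etc/shadow|rm -rf /var/log|/bin/bash$")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : (?P<rest>.*?)COMMAND=(?P<cmd>.*)$"
)


def review(log_text: str) -> list:
    """Return (timestamp, host, user, reason, command) for each suspicious entry.

    One log line can produce several findings, one per reason that applies."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a sudo line in the modelled format
        ts = datetime.fromisoformat(m["ts"])
        user, cmd, rest = m["user"], m["cmd"], m["rest"]
        reasons = []
        if "NOT in sudoers" in rest:
            reasons.append("sudo denied")                 # someone tried and failed
        if user not in APPROVED_ADMINS:
            reasons.append("not an approved admin")       # privilege used by the wrong account
        if not (CHANGE_WINDOW[0] <= ts.time() <= CHANGE_WINDOW[1]):
            reasons.append("outside change window")       # admin activity at odd hours
        if SENSITIVE.search(cmd):
            reasons.append("sensitive command")           # account, credential or log tampering
        for reason in reasons:
            findings.append((m["ts"], m["host"], user, reason, cmd))
    return findings


if __name__ == "__main__":
    for ts, host, user, reason, cmd in review(SAMPLE_LOG):
        print(f"{ts} {host} {user:6} {reason:24} {cmd}")
```

The routine nginx restart by an approved admin during the window produces no findings, which is the point: log review is about separating expected administrative activity from the entries that need a human to ask why.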