Domain 6 Flashcards
NIST 800-53A
NIST best practices for conducting security & privacy assessments
Security assessment and testing programs
Every organization should have a security assessment and testing program defined and operational.
provides a mechanism for validating the ongoing effectiveness of security controls, with a variety of tools to validate controls:
- vulnerability assessments
- penetration tests
- software testing
- audits
- security management tasks
Vulnerability Assessments
use automated tools to search for known vulnerabilities in systems, applications, and networks.
flaws may include missing patches, misconfigurations, or faulty code that expose the organization to security risks.
Penetration tests
uses these same tools but supplements them with attack techniques where an assessor attempts to exploit vulnerabilities and gain access to the system.
Penetration test strategies
- War Dialing – Bank of Modems
- Sniffing – Monitor the Network
- Eavesdropping – Listening
- Dumpster Diving – Just like it sounds
- Social Engineering – Human Manipulation
Employment Policies and Practices
Termination process and background checks
write
Roles and Responsibilities
Management sets the standard and verbalizes the policy
communicate
Security Awareness Training
Helps prevent social engineering, including phishing
train
Software testing
techniques verify that code functions as designed and does not contain security flaws. (static and dynamic)
Perform software testing to validate code moving into production
Code review
uses a peer review process to formally or informally validate code before deploying it in production.
Interface testing
assesses the interactions between components and users with API testing, user interface testing, and physical interface testing.
Static Software testing
techniques, including code reviews, evaluate the security of software without running it by analyzing either the source code or the compiled application.
Dynamic Software testing
evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. (written by someone else is not a requirement)
Fuzzing (testing technique)
Uses modified inputs to test software performance under unexpected circumstances
Modifies known inputs to generate synthetic inputs that may trigger unexpected behavior
Generational fuzzing develops inputs based on models of expected inputs to perform the same task
Log Reviews
particularly for administrator activities, ensure that systems are not misused.
Account Management Reviews
ensure that only authorized users retain access to information systems.
Backup Verification
ensures that the organization’s data protection process is functioning properly
Key Performance and Risk Indicators
provide a high level view of security program effectiveness.
Security Audits
occur when a third party performs an assessment of the security controls protecting an organization’s information assets.
Internal Audits
are performed by an organization’s internal staff and are intended for management use.
External audits are performed by a third party audit firm and are generally intended for the organization’s governing body.
Assume audit is 3rd party unless question says otherwise
Four Components of NIST 800-53A
Specifications - documents associated with the system being audited.
Activities - actions carried out by people within an information system.
Mechanisms - controls used within an information system to meet the specifications.
Individuals - people who implement specifications, mechanisms, and activities