Domain 6 - Security Assessment and Testing Flashcards
Sec assessment and testing programs
- mechanism for validating the ongoing effectiveness of security controls, using a variety of tools to validate those controls, i.e. vulnerability assessments, pentests, software testing, audits, and security management tasks; every org should have a security assessment and testing program defined and operational
Vulnerability assessments
- use automated tools to search for known vulnerabilities in systems/apps/networks; flaws may include missing patches, misconfigurations, or faulty code; findings will often call out the CVE
Penetration tests
- assessor attempts to exploit vulnerabilities and gain access to the system; done by external companies
Pentest strategies
- war dialing (bank of modems, legacy), sniffing (monitoring the network), eavesdropping (listening), dumpster diving, social engineering (human manipulation); tests that involve human interaction and analysis increase cost but are more thorough
Security process data
- employment policies and practices (termination process and background checks), roles and responsibilities (management sets the standard and verbalizes policy), security awareness training (prevents social engineering, helps with phishing); WRITE, COMMUNICATE, TRAIN
Software testing
- validate code before moving it to production; verifies that it functions as designed and doesn't contain security flaws; tests APIs, UIs, and physical interfaces
Code review
- peer review process to validate code before deploying to production
Interface testing
- assesses interactions between components and users through API testing, user interface testing, and physical interface testing (e.g. how an interface interacts with a database or an API); can be automated; sometimes includes user experience testing
Static software testing
- evaluates the security of software without running it, by code review or by analyzing the source code or the compiled application
Dynamic software testing
- evaluates the security of software in a runtime environment; often the only option for orgs deploying apps written by someone else
Fuzzing
- uses modified inputs to test software under unexpected circumstances, i.e. changing the input around to see how the application responds; can flush out things like SQL injection vulns; mutation fuzzing modifies known inputs to generate synthetic inputs that may trigger unexpected behavior, while generational fuzzing develops inputs BASED ON models of expected inputs to perform the same task
Log reviews
- particularly for admin/privileged activities; ensures that systems are not misused
Account management reviews
- ensures that only authorized users retain access to information systems; typically uses a RANDOM SAMPLING of accounts
Backup verification
- ensures that the organization's data protection process is functioning properly; VERY IMPORTANT
Key performance and risk indicators
- high-level review of security program EFFECTIVENESS; tracks how security controls evolve over time
Security audit
- a 3rd party performs an assessment of the security controls protecting an org's information assets
Internal audits
- performed by an organization's internal staff and intended for management use; make sure we are ready for 3rd-party audits and that controls are effective
Chief Audit Executive (CAE)
- reports to the most senior leader possible to avoid conflicts of interest
SSAE 18
- Type 1 = auditor's opinion on the description of controls provided by management and on the design of the controls
- Type 2 = goes further than Type 1 by providing the auditor's opinion on the operating effectiveness of the controls over an extended period of time
- ONLY 2 TYPES
branch coverage
- evaluates whether every if statement has been executed under both its if and else conditions
condition coverage
- tests whether every logical test in the code has been executed under all sets of input
function coverage
- verifies that every function in the code has been called and has returned results
loop coverage
- verifies that every loop in the code has been executed under conditions that cause the loop body to run multiple times, only once, and not at all