Domain 6 - Security Assessment and Testing Flashcards
Verifies that a control is functioning properly
Security Testing
Comprehensive review of the security of a system, application and/or environment.
Security Assessment
Provides objective evidence that the design outputs of a particular phase of the software development life cycle meet all of the specified requirements for that phase.
Verification
Developing a level of confidence that the software or system meets all requirements and user expectations as documented.
Validation
Security and Privacy Controls for federal information systems and organizations
NIST SP 800-53A R4
Determine which type of AUDIT the following represents:
Performed by a team from within the organization, usually meant for internal consumption.
Internal
Determine which type of AUDIT the following represents:
Performed by an outside auditing firm not connected with the organization
External
Determine which type of AUDIT the following represents:
Conducted by and/or on behalf of another organization, such as a regulatory body
Third-Party
Security assessment performed by independent auditors
Security audits
What type of audit is defined:
High-level review of documentation and controls. Randomly sampling controls to verify the validity of those controls.
Type 1 Report
DOCUMENTATION WITH RANDOM SAMPLING
What type of audit is defined:
Testing the controls with 6 months' worth of data. The auditor supplies an opinion on effectiveness after testing.
Type 2 Report
MORE TECHNICAL
What reports are generated after an audit?
SOC1, SOC2 and SOC3
Which report is defined:
Report on controls at a Service Organization which are relevant to user entities' internal control over financial reporting. Can be Type 1 or 2
Focused on financial reporting controls
SOC1
Just Finance !!
Which report is defined:
Performed in accordance with AT-C and based upon the Trust Services Criteria, with the ability to test and report on the design and operating effectiveness of a service org's controls.
Focuses on a business's non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. Can be Type 1 or 2
SOC2
Finance + Security !!!
Which report is defined:
Can only be done as a Type 1 report.
SOC3
Generic, scrubbed, publicly available version of a SOC2 report with no internal data
Identify the Process:
Criteria relevant to how an entity identifies the need for changes, makes the changes using a controlled change management process, and prevents unauthorized changes from being made.
Change Management
Another term for WEAKNESS within the organization
Vulnerability
When scanning, which scan is the “noisiest” and would bring the most attention or set off alarms?
XMAS Scan
Uses a single packet sent to each scanned port with the SYN flag set, indicating a request to establish connectivity and begin the TCP three-way handshake.
TCP SYN Scan
Opens a full connection to the target on a specified port. Used when the sender does not have permission to run a TCP SYN Scan
TCP Connect scan
Sends a packet with the ACK flag set to the target. Used to probe firewall rules
TCP ACK Scan
Sends a packet with the FIN, PSH, & URG flags set
XMAS Scan
What are the three port statuses returned by NMAP?
- Open
- Closed
- Filtered
- Planning
- Recon
- Vulnerability Scanning
- Exploitation
- Reporting
Five phases of pen-testing