When a single exploited vulnerability can spell disaster for an organization’s brand, security assessments and software testing are a vital pillar of any information security program. Knowing how to design, perform, and act on the results of a security test, and when each kind of test should be applied, is a significant part of a CISSP professional’s skill set and can be the linchpin of an organization’s ability to maintain a secure operating environment. In this CISSP Domain 6 refresh, we cover the two main types of security assessments, software testing and enterprise security assessments, and review the fundamental concepts and tools that may need some dusting off.
Security assessments and tests provide a holistic view of an organization’s security tools and their effectiveness. Enterprise-level security assessments fall into two sub-categories: access control tests and security assessments. Access control tests are the processes and methods that measure how well an organization’s access control systems and rules actually work, and they include three disciplines: vulnerability scanning, penetration testing, and security audits.
Access Control Tests
Penetration tests focus on one or several targets, such as internal network infrastructure, web applications, facilities, or wireless configurations, with the goal of gaining access inside an organization’s physical or electronic perimeter. Operating with the authorization of the organization’s management (in practice, written authorization and agreed rules of engagement that define scope and timing), the penetration testers, or white hat hackers, probe for vulnerabilities using open and closed source tools and a range of technical and social engineering-based attacks, in order to find them before black hat hackers do. Penetration testers follow a defined methodology: planning, reconnaissance, scanning, assessing vulnerabilities, exploiting, and reporting their results, all while maintaining the confidentiality of their work and the integrity of the data and systems they evaluate.
A vulnerability scan tests a network or system against a set
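As an added example that is not part of the original post, the scanning and vulnerability-assessment phases described above reduced to a runnable Python script. It starts two throwaway TCP services on localhost with constructed banners (one advertising a hypothetical legacy SSH protocol 1 daemon, one a hypothetical current daemon), probes those ports plus one that is deliberately closed, and matches whatever each open port volunteers against a small constructed fingerprint set. The banners, service names and fingerprint entries are illustrative assumptions, not real products or a real vulnerability database; a commercial or open source scanner does the same thing with a far larger signature base and, where credentials are supplied, authenticated checks.

```python
import re
import socket
import socketserver
import threading

# Constructed fingerprint set: banner pattern -> finding text.
# Illustrative assumptions for this demo, not a real vulnerability feed.
KNOWN_WEAK_BANNERS = [
    (re.compile(r"^SSH-1\.\d"), "SSH protocol version 1 advertised (deprecated)"),
    (re.compile(r"^220 .*ExampleFTPd 1\.0"), "ExampleFTPd 1.0 banner (hypothetical outdated release)"),
]


class BannerHandler(socketserver.BaseRequestHandler):
    """Stand-in service: send a fixed banner, then hang up."""

    def handle(self):
        self.request.sendall(self.server.banner)


class BannerServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, banner):
        super().__init__(("127.0.0.1", 0), BannerHandler)  # port 0: OS picks a free port
        self.banner = banner


def start_service(banner):
    srv = BannerServer(banner)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def reserve_closed_port():
    """Bind and immediately release a port so the scan also meets a refused connection."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host, port, timeout=0.5):
    """Scanning phase: connect and record whatever the service volunteers.
    Returns None if the port refused or timed out, '' if open but silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
        return data.decode("ascii", errors="replace").strip()
    except OSError:
        return None


def scan_ports(host, ports):
    """Return {port: banner} for each port that accepted a TCP connection."""
    open_ports = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            open_ports[port] = banner
    return open_ports


def assess(open_ports):
    """Vulnerability-assessment phase: match each banner against the known-weak set."""
    findings = []
    for port, banner in sorted(open_ports.items()):
        for pattern, description in KNOWN_WEAK_BANNERS:
            if pattern.search(banner):
                findings.append((port, description))
    return findings


def run_demo():
    """Stand up one weak and one current-looking service, scan, assess, tear down."""
    weak = start_service(b"SSH-1.5-OldSSH\r\n")        # hypothetical legacy daemon
    ok = start_service(b"SSH-2.0-ExampleSSH_9.0\r\n")  # hypothetical current daemon
    closed = reserve_closed_port()
    weak_port, ok_port = weak.server_address[1], ok.server_address[1]
    try:
        open_ports = scan_ports("127.0.0.1", [weak_port, ok_port, closed])
        findings = assess(open_ports)
    finally:
        for srv in (weak, ok):
            srv.shutdown()
            srv.server_close()
    return {"weak_port": weak_port, "ok_port": ok_port, "closed_port": closed,
            "open_ports": open_ports, "findings": findings}


if __name__ == "__main__":
    result = run_demo()
    for port, banner in sorted(result["open_ports"].items()):
        print(f"open  {port:5d}  {banner}")
    for port, desc in result["findings"]:
        print(f"FINDING port {port}: {desc}")
```

Banner matching is exactly the kind of unauthenticated check a vulnerability scanner reports: it says a service claims to be something weak, not that it is exploitable. That is why the penetration test methodology keeps exploitation and reporting as separate phases after assessment, and why a scan result on its own is a lead to verify rather than a confirmed finding.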
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Patrick Mallory. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/APa2eItcqpQ/