Nettailor - Tailored Networks

Domain 6 - Security Assessment and Testing

Security Assessment

  • full-picture approach to how effective our access controls are
  • spans multiple areas
    • politics
    • real-world assessment
    • change management
    • architectural reviews
    • penetration testing
    • vulnerability assessments
    • security audits

Security Audits

SOC 2
  • Type 1
    • reports suitability
  • Type 2
    • reports reliability and effectiveness
Internal and 3rd Party Audits
  • Structured audits (3rd party)
  • Unstructured audits (internal, run before the external audit)
  • Security Audit Logs
    • Review audit logs (detective control)
    • NIST SP 800-92 suggests the following log sources
      • Network Security Software / Hardware
      • Operating System
  • Centralized Logging
  • Vulnerability Scanners
    • Software with a list of many known vulnerabilities
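Added example (not from the original notes): a small Python review of constructed log lines from two of the NIST SP 800-92 log sources above, an operating-system auth log (sshd) and network security hardware (a firewall). It shows what "review audit logs" as a detective control means in practice: counting failed logins per source, flagging a success that follows failures from the same source, and tallying firewall drops. Hostnames, addresses and the failure threshold are made-up assumptions.

```python
"""Audit-log review as a detective control (added example, not from the notes)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines from two NIST SP 800-92 log sources: an operating
# system auth log (sshd) and network security hardware (a firewall).
# Hostnames and addresses are made up (documentation address ranges).
SAMPLE_LOGS = """\
Mar  3 09:01:12 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 09:01:15 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar  3 09:01:19 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 09:01:24 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar  3 09:01:30 host1 sshd[1201]: Accepted password for root from 203.0.113.7 port 51016 ssh2
Mar  3 09:02:02 host1 sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Mar  3 09:03:45 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP DPT=22
Mar  3 09:03:46 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP DPT=23
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IP)
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from " + IP)
DROP_RE = re.compile(r"\bDROP\b.*\bSRC=" + IP + r".*\bDPT=(\d+)")


def review_logs(text, fail_threshold=3):
    """Review log lines and return the findings a reviewer would escalate.

    brute_force_sources:   sources with at least fail_threshold failed logins
    success_after_failure: (source, user) pairs that logged in successfully
                           after failures from the same source
    firewall_drops:        dropped connection attempts per source address
    """
    failures = Counter()
    accepted = defaultdict(set)
    drops = Counter()
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED_RE.search(line):
            accepted[m.group(2)].add(m.group(1))
        elif m := DROP_RE.search(line):
            drops[m.group(1)] += 1
    return {
        "brute_force_sources": sorted(ip for ip, n in failures.items() if n >= fail_threshold),
        "success_after_failure": sorted(
            (ip, user) for ip, users in accepted.items() if ip in failures for user in users
        ),
        "firewall_drops": dict(drops),
    }


if __name__ == "__main__":
    for finding, value in review_logs(SAMPLE_LOGS).items():
        print(f"{finding}: {value}")
```

The same review is far easier when the sources feed a central log store (the "Centralized Logging" bullet): the success-after-failure finding only exists because the failed and accepted lines can be correlated by source address in one place.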
Pen-Testing
  • test if vulnerabilities are exploitable
  • authorized simulated attack
  • very important to have very clear rules of engagement
  • senior management sets the goals
  • Planning -> Information Gathering and Discovery -> Vulnerability Scanning -> Exploitation -> Reporting
  • Black Box
  • White Box
  • Gray Box
  • Tools
    • War Dialing
    • War Driving
    • Wireless test
      • evaluate the risk related to potential access to your wireless network
    • Client-Side Network Attacks
    • Server-Side Network Attacks

Social Engineering

  • can be used in combination with many other attacks
  • Authority
  • Intimidation
  • Consensus
  • Scarcity
  • Urgency
  • Familiarity

Software Testing

Code Reviews
  1. Planning
  2. Overview
  3. Preparation
  4. Inspection
  5. Rework
  6. Follow-up
Static Testing
  • not run / passive test
  • walkthrough, syntax checking
  • code reviews
Dynamic Testing
  • run / active execution
  • White Box
  • Black Box

TM / RTM

  • Table used to map customer requirements to a testing plan
  • A requirements traceability matrix may be used to check whether current project requirements are being met
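Added example (not from the original notes): a Python sketch of a requirements traceability matrix for a hypothetical project. Requirement IDs, test case IDs and results are all constructed. It builds the table mapping requirements to the tests that trace to them, then uses it the way the bullet above describes, to find which requirements are not yet shown to be met (untraced, failing, or not yet verified).

```python
"""Requirements traceability matrix (RTM) check (added example, not from the notes)."""

# Constructed sample data for a hypothetical project: requirement IDs, test
# case IDs and results are all made up.
REQUIREMENTS = {
    "REQ-01": "Passwords are stored as salted hashes",
    "REQ-02": "Accounts lock after 5 failed logins",
    "REQ-03": "All admin actions are written to the audit log",
    "REQ-04": "Sessions expire after 15 minutes of inactivity",
    "REQ-05": "TLS 1.2 or newer is required for all connections",
}

# Traceability links: each test case names the requirements it verifies.
TEST_CASES = {
    "TC-101": {"covers": ["REQ-01"], "result": "pass"},
    "TC-102": {"covers": ["REQ-02"], "result": "fail"},
    "TC-103": {"covers": ["REQ-02", "REQ-03"], "result": "pass"},
    "TC-104": {"covers": ["REQ-04"], "result": "not run"},
}


def build_rtm(requirements, test_cases):
    """Map every requirement ID to the (test_id, result) pairs that trace to it."""
    rtm = {req_id: [] for req_id in requirements}
    for tc_id, tc in test_cases.items():
        for req_id in tc["covers"]:
            if req_id not in rtm:
                # A test that traces to nothing in the requirements list is a
                # bookkeeping error worth failing loudly on.
                raise ValueError(f"{tc_id} references unknown requirement {req_id}")
            rtm[req_id].append((tc_id, tc["result"]))
    return rtm


def requirement_status(rtm):
    """Classify each requirement from its traced test results.

    untraced   - no test case maps to it: a gap in the test plan
    failing    - at least one traced test failed
    unverified - traced tests exist but none has passed yet
    met        - at least one pass and no failures
    """
    status = {}
    for req_id, tests in rtm.items():
        results = {result for _, result in tests}
        if not results:
            status[req_id] = "untraced"
        elif "fail" in results:
            status[req_id] = "failing"
        elif "pass" not in results:
            status[req_id] = "unverified"
        else:
            status[req_id] = "met"
    return status


def unmet_requirements(requirements, test_cases):
    """Return the IDs of requirements that are not yet shown to be met."""
    status = requirement_status(build_rtm(requirements, test_cases))
    return sorted(req_id for req_id, s in status.items() if s != "met")


if __name__ == "__main__":
    rtm = build_rtm(REQUIREMENTS, TEST_CASES)
    for req_id, s in requirement_status(rtm).items():
        traced = ", ".join(f"{tc}={r}" for tc, r in rtm[req_id]) or "-"
        print(f"{req_id:7} {s:10} {traced:28} {REQUIREMENTS[req_id]}")
```

The "untraced" status is the one an auditor looks for first: a requirement with no test mapped to it can never be reported as met, no matter how many tests pass.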

Software testing levels

Unit Testing
  • functionality of a specific section of code
  • in an object-oriented environment, usually at the class level
Integration Testing
  • seeks to verify the interfaces between components
Component Interface Testing
  • Testing can be used to check handling of data passed between various units
  • test a complete system
Operational Acceptance
Installation testing
  • assures software installs correctly
Regression testing
  • finding defects after major code changes

Software testing types

  • Fuzzing
  • All-pairs testing
    • designed to test every pairwise combination of input values
    • uses carefully chosen test vectors
  • Interface Testing
    • API
    • GUI
    • Physical Interfaces
  • Misuse case testing
    • acting like an attacker
  • Test coverage analysis
    • how much of the code did we test?
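Added example (not from the original notes): a Python implementation of all-pairs test vector selection for a hypothetical login feature with four constructed parameters. The full product of the values is 36 vectors; all-pairs chooses a much smaller set in which every pair of values across any two parameters still appears together at least once, and a checker confirms that no pair was missed. Parameter names and values are made up.

```python
"""All-pairs (pairwise) test vector generation (added example, not from the notes)."""
from itertools import combinations, product

# Constructed parameters for a hypothetical login feature; the values are made up.
PARAMETERS = {
    "browser": ["chrome", "firefox", "safari"],
    "os": ["windows", "linux", "macos"],
    "auth": ["password", "mfa"],
    "tls": ["1.2", "1.3"],
}


def pairs_of(vector):
    """All (position, value, position, value) pairs contained in one test vector."""
    return {(i, vector[i], j, vector[j]) for i, j in combinations(range(len(vector)), 2)}


def exhaustive_vectors(parameters):
    """Every combination of parameter values (the full Cartesian product)."""
    return list(product(*parameters.values()))


def all_pairs(parameters):
    """Greedy all-pairs selection.

    Start with every pair that must be covered, then repeatedly pick the
    candidate vector that covers the most still-uncovered pairs until none
    remain. The candidate pool is the full product, so this is only suitable
    for small parameter sets; the result is small but not guaranteed minimal.
    """
    names = list(parameters)
    candidates = exhaustive_vectors(parameters)
    uncovered = set().union(*(pairs_of(v) for v in candidates))
    chosen = []
    while uncovered:
        best = max(candidates, key=lambda v: len(pairs_of(v) & uncovered))
        chosen.append(dict(zip(names, best)))
        uncovered -= pairs_of(best)
    return chosen


def covers_all_pairs(parameters, vectors):
    """Check that a set of test vectors exercises every pair of parameter values."""
    names = list(parameters)
    needed = set().union(*(pairs_of(v) for v in exhaustive_vectors(parameters)))
    have = set().union(*(pairs_of(tuple(v[n] for n in names)) for v in vectors))
    return needed <= have


if __name__ == "__main__":
    vectors = all_pairs(PARAMETERS)
    print(f"{len(exhaustive_vectors(PARAMETERS))} exhaustive vs {len(vectors)} all-pairs vectors")
    for v in vectors:
        print(v)
    print("all pairs covered:", covers_all_pairs(PARAMETERS, vectors))
```

The lower bound on the number of vectors is the product of the two largest value lists (here browser x os, 9), because each of those 9 pairs needs its own vector; the greedy pass lands close to that while the exhaustive set is four times larger. The checker is the part worth keeping around: it answers the coverage question ("did we test every pair?") for any hand-written vector set, not only the generated one.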