CISSP考试指南笔记：6.2 审计技术控制

A technical control is a security control implemented through the use of an IT asset.

Vulnerability Testing

---

Vulnerability testing requires staff and/or consultants with a deep security background and the highest level of trustworthiness.

The goals of the assessment are to

• Evaluate the true security posture of an environment .

• Identify as many vulnerabilities as possible

• Test how systems react to certain circumstances and attacks, to learn not only what the known vulnerabilities are (such as this version of the database, that version of the operating system, or a user ID with no password set), but also how the unique elements of the environment might be abused (SQL injection attacks, buffer overflows, and process design flaws that facilitate social engineering).

• Before the scope of the test is decided and agreed upon, the tester must explain the testing ramifications.

Personnel testing includes reviewing employee tasks and thus identifying vulnerabilities in the standard practices and procedures that employees are instructed to follow, demonstrating social engineering attacks and the value of training users to detect and resist such attacks, and reviewing employee policies and procedures to ensure those security risks that cannot be reduced through physical and logical controls are met with the final control .

category: administrative.

• Physical testing includes reviewing facility and perimeter protection mechanisms.

• System and network testing are perhaps what most people think of when discussing information security vulnerability testing.

To the degree automated tools are used, more than one tool—or a different tool on consecutive tests—should be used.

It is best to leverage team/tool heterogeneity in order to improve the odds of covering blind spots.

Black box testing treats the system being tested as completely opaque.

White box testing affords the auditor complete knowledge of the inner workings of the system even before the first scan is performed.

Gray box testing meets somewhere between the other two approaches.

剩余内容请关注本人公众号debugeeker, 链接为CISSP考试指南笔记：6.2 审计技术控制