-
An audit is a systematic assessment of the security controls of an information system.
-
Setting a clear set of goals is probably the most important step of planning a security audit.
-
Internal audits benefit from the auditors’ familiarity with the systems, but may be hindered by a lack of exposure to how others attack and defend systems.
-
External audits are driven by contractual obligations: when an organization has a contract in place that includes security provisions, the contracting party can demand to audit the contractor to verify that those provisions are being met.
-
Third-party audits typically bring a much broader background of experience that can provide fresh insights, but can be expensive.
-
Test coverage is a measure of how much of a system is examined by a specific test (or group of tests).
-
A vulnerability test is an examination of a system for the purpose of identifying, defining, and ranking its vulnerabilities.
-
Black box testing treats the system being tested as completely opaque.
-
White box testing affords the auditor complete knowledge of the inner workings of the system even before the first scan is performed.
-
Gray box testing gives the auditor some, but not all, information about the internal workings of the system.
-
Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner.
-
A blind test is one in which the assessors only have publicly available data to work with and the network security staff is aware that the testing will occur.
-
A double-blind test (stealth assessment) is a blind test in which the network security staff is not notified that testing will occur.
-
War dialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems.
-
A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls.
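The detection side of a log review, as an added example that is not from the exam guide: a small Python reviewer that parses sshd-style authentication lines, keeps a sliding window of failures per source address, and flags both a brute-force pattern and the event an auditor most wants to see, a successful login from an address that had just exceeded the failure threshold. The log lines are constructed for the example, and the threshold, window and assumed log year are illustrative parameters, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in syslog/sshd format; not real data.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:12:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:12:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:12:07 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:12:09 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:12:40 web01 sshd[2214]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar 10 09:15:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Mar 10 09:20:11 web01 sshd[2350]: Failed password for alice from 198.51.100.44 port 40500 ssh2
Mar 10 09:20:30 web01 sshd[2351]: Accepted password for alice from 198.51.100.44 port 40501 ssh2
"""

# One regex for the two sshd outcomes we care about; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2024):
    """Turn raw lines into structured events. Syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines are skipped, never guessed at
        ts = datetime.strptime(
            f"{year} {m['month']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({
            "ts": ts,
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
            "method": m["method"],
        })
    return events


def review(text, threshold=5, window_sec=300):
    """Sliding-window review: flag addresses reaching `threshold` failures within
    `window_sec`, and any successful login from such an address while the window is hot."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        ip = ev["ip"]
        cutoff = ev["ts"].timestamp() - window_sec
        # Drop failures that have aged out of the window.
        failures[ip] = [t for t in failures[ip] if t.timestamp() >= cutoff]
        if not ev["ok"]:
            failures[ip].append(ev["ts"])
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "brute_force", "ip": ip,
                                 "count": len(failures[ip]), "at": ev["ts"]})
        elif len(failures[ip]) >= threshold:
            # Success right after a burst of failures is the high-priority event.
            findings.append({"type": "success_after_failures", "ip": ip,
                             "user": ev["user"], "at": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
```

In the sample, 203.0.113.7 reaches five failures and then logs in as root, producing two findings; 198.51.100.44 has a single failure before success and stays below the threshold, which is the difference between noise and a case worth opening.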
-
Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services.
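A scripted synthetic transaction, as an added example that is not from the exam guide: a Python probe that runs a user-like journey (health check, valid login, and a negative step confirming that a wrong password is rejected) against a service, timing each step and comparing status codes to expectations. The service is a stand-in HTTP server constructed for the example so it runs offline; the paths, credentials and latency budget are assumptions, not values from the page.

```python
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request


class DemoHandler(BaseHTTPRequestHandler):
    """Stand-in for the monitored service (constructed for this example)."""

    def do_GET(self):
        if self.path == "/health":
            self._reply(200, {"status": "ok"})
        else:
            self._reply(404, {"error": "not found"})

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if (self.path == "/login" and body.get("user") == "synthetic"
                and body.get("password") == "probe"):
            self._reply(200, {"token": "demo-token"})
        else:
            self._reply(401, {"error": "bad credentials"})

    def _reply(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the probe output readable
        pass


def start_demo_server():
    """Start the stand-in service on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_step(base, name, path, expect_status, body=None, max_ms=2000):
    """One scripted step: send the request, time it, compare status and latency to expectations."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if data else {}
    req = request.Request(base + path, data=data, headers=headers)
    start = time.perf_counter()
    try:
        with request.urlopen(req, timeout=5) as resp:
            status, payload = resp.status, json.loads(resp.read())
    except error.HTTPError as e:  # 4xx/5xx still carry a body we want to inspect
        status, payload = e.code, json.loads(e.read() or b"{}")
    elapsed_ms = (time.perf_counter() - start) * 1000
    return {"step": name, "status": status, "expected": expect_status,
            "ms": round(elapsed_ms, 1), "payload": payload,
            "ok": status == expect_status and elapsed_ms <= max_ms}


def run_transaction(base, max_ms=2000):
    """The scripted journey a real user would take, plus a negative check that
    the control (credential validation) still works, not just that the service is up."""
    return [
        run_step(base, "health", "/health", 200, max_ms=max_ms),
        run_step(base, "login", "/login", 200,
                 {"user": "synthetic", "password": "probe"}, max_ms=max_ms),
        run_step(base, "login-rejects-bad-password", "/login", 401,
                 {"user": "synthetic", "password": "wrong"}, max_ms=max_ms),
    ]


if __name__ == "__main__":
    srv, base = start_demo_server()
    for r in run_transaction(base):
        print("PASS" if r["ok"] else "FAIL", r["step"], r["status"], f"{r['ms']}ms")
    srv.shutdown()
    srv.server_close()
```

The negative step is the part a plain uptime monitor lacks: a service that accepts any password would still answer 200 to the login step, so the transaction only passes if the rejection path also behaves. In production the probe would use a dedicated synthetic account with no real privileges.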
-
A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.
-
A code review is a systematic examination of the instructions that comprise a piece of software, performed by someone other than the author of that code.
-
Interface testing is the systematic evaluation of a given set of exchange points for data between systems and/or users.
-
Administrative controls are implemented primarily through policies or procedures.
-
Privileged user accounts pose significant risk to the organization and should be carefully managed and controlled.
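A review of privileged accounts on a Unix-like host, as an added example that is not from the exam guide: a Python script that reads passwd, group and sudoers content and produces an inventory of every privilege grant a reviewer should confirm is still needed, including the cases that are easy to miss (a second UID 0 account, a service account with a nologin shell sitting in an administrative group, a NOPASSWD rule for all commands). The three files are constructed inline for the example; the administrative group names are an assumption and would be set to whatever the audited system actually uses.

```python
# Constructed /etc/passwd, /etc/group and sudoers excerpts; not from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
svc_backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,svc_backup
wheel:x:10:bob
"""

SUDOERS = """\
# constructed sudoers for the example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
alice   ALL=(ALL) /usr/bin/systemctl restart nginx
"""


def parse_passwd(text):
    """name -> {uid, shell} for every account line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_group(text):
    """group name -> list of supplementary members (primary members are not listed here)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text):
    """(who, spec) for each user/group rule; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who, spec = line.split(None, 1)
        rules.append((who, spec))
    return rules


def privilege_inventory(passwd_text, group_text, sudoers_text, admin_groups=("sudo", "wheel")):
    """Every account that holds elevated rights, with the reason, for the reviewer to confirm."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    inventory = []
    # 1. Any UID 0 account other than root is a second superuser, often a backdoor.
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            inventory.append((name, "additional UID 0 account"))
    # 2. Administrative group membership grants sudo through %group rules.
    for g in admin_groups:
        for member in groups.get(g, []):
            inventory.append((member, f"member of admin group {g}"))
            if member in users and users[member]["shell"].endswith("nologin"):
                inventory.append((member, "service account (nologin) holds admin group membership"))
    # 3. Direct sudoers grants; NOPASSWD on ALL is the most dangerous form.
    for who, spec in parse_sudoers(sudoers_text):
        if who.startswith("%"):
            continue  # group rules are already covered by membership above
        if "NOPASSWD" in spec and spec.rstrip().endswith("ALL"):
            inventory.append((who, "sudoers: NOPASSWD for ALL commands"))
        elif spec.rstrip().endswith(" ALL"):
            inventory.append((who, "sudoers: unrestricted ALL"))
    return inventory


if __name__ == "__main__":
    for account, reason in privilege_inventory(PASSWD, GROUP, SUDOERS):
        print(f"{account:<12} {reason}")
```

Note that alice's sudoers rule limited to one systemctl command is not listed on its own; her entry comes from sudo group membership, which is the broader grant and the one worth questioning. Running this against real hosts also means resolving group members through NSS (LDAP, SSSD) rather than the local file alone.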
The remaining content is available on the author's WeChat official account debugeeker; see CISSP Exam Guide Notes: 6.6 Quick Tips.