
Domain 6: Security Assessment and Testing

Study Notes

CONCEPT: Always get written senior management approval before performing any kind of system testing.

Techniques to Test The Security of an Organization

  • Penetration testing (White hat, ethical hacking)

  • Automated tools (vulnerability scanners such as Nessus and GFI LanGuard; exploitation frameworks such as Metasploit)

  • Test a system on your own

  • Review and audit logs

  • ISO/IEC 27001 certification (an external audit of the information security management system)


Testing the Security of Software

Why Do We Need Vulnerability Testing?


  • Hands-on testing (penetration tests and similar assessments) is the most reliable way to gauge the security posture of a company; policies and certifications alone do not show whether controls actually hold up

  • Third-party or external testers are effective because they provide an unbiased evaluation

  • Not all companies are alike: each has its own custom applications and techniques for strengthening security, so each requires different or custom tests and assessments

    • One type of test does not work for all organizations

  • FUN FACT

    • In the 1980s, a US Navy unit tested the security of naval bases across the country by successfully breaking into them.

    • These tests were run by Richard Marcinko, founder of SEAL Team 6, who went on to lead the Navy's Red Cell security-testing unit

    • It is rumored that he did his job too well, almost embarrassing the Navy


THE THING ABOUT SECURITY TESTING

Testing should be conducted at least annually, and again after any significant change.

A test run against systems, networks, or applications today may not give the same result tomorrow: patches, configuration changes, and new code all change the attack surface.

3 Types of Testing


  • Administrative Testing - The testing of PEOPLE

    • All-around general auditing and testing

    • Regular drug-testing​

    • Social-engineering experiments

    • Reviewing that procedures and standards are up to date

    • Regular security awareness training and quizzes

  • Technical Testing - The testing of NETWORKS and SYSTEMS

    • Penetration testing

    • Network scanning

    • Network attacks using Kali Linux

    • Wardialing

    • Vulnerability Scanning

    • File integrity checks

    • Brute force attacks on passwords

    • Hiring white hat hackers to conduct operations

    • Automated network or application scans

    • Network Discovery 

      • Port scans

      • Ping sweeps

    • Denial-of-service (DoS/DDoS) resilience tests, only when explicitly included in the agreed scope

  • Physical Testing - The testing of BUILDINGS and EQUIPMENT

    • Social-engineering experiments

    • Fence/perimeter checks

    • Fire drills and alarm drills

    • Are trash and dumpsters located in secure areas to prevent dumpster diving?

    • Are paper shredders secured?

    • Emergency fail-open and fail-secure tests

    • Do biometric devices balance Type I (false rejection) and Type II (false acceptance) errors?
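The "file integrity checks" item under Technical Testing is the one entry in the list that is easy to show end to end. The following is an added example, not code from the original study notes: it takes a SHA-256 baseline of every file under a directory, then re-hashes later and reports what was added, removed, or modified. The directory layout and file contents in demo() are constructed for the example.

```python
"""Baseline-and-verify file integrity check (added example, not from the notes).

Hashes every regular file under a root directory into a baseline keyed by
relative path, then compares a later snapshot against it. Sample files and
the simulated tampering in demo() are constructed so the script runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, streamed so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX style) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip directories and symlinks: a symlink's target may lie outside root.
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a baseline and classify differences."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON (store it off the monitored host)."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated changes after the baseline was taken (constructed data):
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")  # weakened
        (root / "hosts").unlink()                                             # deleted
        (root / "ld.so.preload").write_text("/tmp/evil.so\n")                 # dropped in
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The check is only as trustworthy as the baseline: keep the JSON on a separate host or sign it, since an attacker who can modify monitored files can usually rewrite a baseline stored beside them.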

Difference Between Penetration and Vulnerability Testing

  • Penetration Testing

    • Technical in nature​

    • Uses the same techniques as black and gray hat attackers, carried out by white hats with written authorization

    • Find vulnerabilities AND exploit them

    • Get access to data objects, files, or systems

    • Test the function of the Incident Response Team 

    • Helps to understand business impact

    • Look for any small vulnerabilities that can be escalated to a higher privilege level (privilege escalation)

    • Helps to understand security impact

    • A penetration test can help determine how much money senior management should allocate for the security team

  • Vulnerability Testing (and Assessment)

    • Technical, quantitative, qualitative in nature​

    • Assign a risk score to critical assets

    • Uses scanning techniques shared with black, white, and gray hat hacking

    • Find and identify vulnerabilities, but do not exploit them

    • No reason to access data objects, files, or systems

How to Avoid Going to a Federal Prison for Hacking

(When you're actually doing a penetration test)

BEFORE CONDUCTING A PENETRATION TEST :


  • GET A WRITTEN AGREEMENT BETWEEN YOU AND THE ORGANIZATION (SCOPE, TARGETS, AND PERMITTED TECHNIQUES)

  • AGREE UPON AN EXACT TIME AND DATE

  • NOTIFY ALL AFFECTED PERSONNEL

  • AGREE ON WHO TO CONTACT FOR MATTERS OF URGENCY
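The pre-test checklist above can be enforced in tooling rather than left to memory. The following is an added example, not from the original notes: a fail-closed guard that refuses to launch any active step unless a written agreement is on file, an emergency contact is set, the current time falls inside the agreed window, and the target is in an authorized range (and not in an excluded one). The Engagement fields, the client name, address ranges, and times are all constructed for the example and not a standard format.

```python
"""Rules-of-engagement guard for active testing steps (added example).

Every value below (client, CIDRs, window, contact) is hypothetical. The idea
is that the scanner or exploit wrapper calls authorize() first and refuses
to run if any element of the written agreement is missing or violated.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Engagement:
    client: str
    in_scope: list                         # CIDR strings from the written agreement
    excluded: list = field(default_factory=list)  # ranges explicitly off limits
    window_start: datetime = None          # agreed start (UTC)
    window_end: datetime = None            # agreed end (UTC)
    emergency_contact: str = ""            # who to call if something breaks
    signed_by: str = ""                    # named approver on the written agreement


def authorize(eng: Engagement, target: str, now: datetime) -> tuple:
    """Return (allowed, reason). Fails closed: any missing element denies."""
    if not eng.signed_by:
        return False, "no written agreement on file"
    if not eng.emergency_contact:
        return False, "no emergency contact agreed"
    if eng.window_start is None or eng.window_end is None:
        return False, "no agreed time window"
    if not (eng.window_start <= now <= eng.window_end):
        return False, f"outside agreed window: {now.isoformat()}"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False, f"target is not an IP address: {target!r}"
    # Exclusions win over inclusions, so a carved-out subnet stays protected.
    for net in eng.excluded:
        if ip in ipaddress.ip_network(net, strict=False):
            return False, f"{target} is explicitly excluded ({net})"
    for net in eng.in_scope:
        if ip in ipaddress.ip_network(net, strict=False):
            return True, f"{target} in scope ({net})"
    return False, f"{target} not in any authorized range"


# Constructed engagement (hypothetical values, documentation ranges only)
EXAMPLE = Engagement(
    client="Example Corp",
    in_scope=["10.20.0.0/16", "192.0.2.0/24"],
    excluded=["10.20.99.0/24"],  # e.g. a production segment carved out of scope
    window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 5, 4, 0, tzinfo=timezone.utc),
    emergency_contact="SOC on-call, +1-555-0100",
    signed_by="CISO",
)
IN_WINDOW = datetime(2024, 3, 4, 23, 30, tzinfo=timezone.utc)
OUT_WINDOW = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)


def run_step(eng: Engagement, target: str, now: datetime, step: str) -> bool:
    """Gate a tool launch on authorize(); the real tool call would go here."""
    allowed, reason = authorize(eng, target, now)
    print(("OK     " if allowed else "REFUSED") + f" {step} -> {target}: {reason}")
    return allowed


if __name__ == "__main__":
    run_step(EXAMPLE, "10.20.5.7", IN_WINDOW, "port scan")
    run_step(EXAMPLE, "10.20.99.3", IN_WINDOW, "port scan")
    run_step(EXAMPLE, "198.51.100.9", IN_WINDOW, "ping sweep")
    run_step(EXAMPLE, "10.20.5.7", OUT_WINDOW, "brute force")
```

Wrapping nmap, Metasploit, or a custom script behind a guard like this does not replace the signed agreement; it just makes it harder to hit an out-of-scope host by typo or to keep testing after the window has closed.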


AFTER CONDUCTING A PENETRATION TEST :


  • CREATE A WRITTEN REPORT OF FINDINGS

  • SECURELY SEND THE REPORT TO SENIOR MANAGEMENT

