- An audit is a systematic assessment of the security controls of an information system.
- Setting a clear set of goals is probably the most important step of planning a security audit.
- Internal audits benefit from the auditors’ familiarity with the systems, but may be hindered by a lack of exposure to how others attack and defend systems.
- External audits happen when organizations have a contract in place that includes security provisions. The contracting party can demand to audit the contractor to ensure those provisions are being met.
- Third-party audits typically bring a much broader background of experience that can provide fresh insights, but can be expensive.
- Test coverage is a measure of how much of a system is examined by a specific test (or group of tests).
- A vulnerability test is an examination of a system for the purpose of identifying, defining, and ranking its vulnerabilities.
- Black box testing treats the system being tested as completely opaque.
- White box testing affords the auditor complete knowledge of the inner workings of the system even before the first scan is performed.
- Gray box testing gives the auditor some, but not all, information about the internal workings of the system.
- Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner.
- A blind test is one in which the assessors only have publicly available data to work with and the network security staff is aware that the testing will occur.
- A double-blind test (stealth assessment) is a blind test in which the network security staff is not notified that testing will occur.
- War dialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems.
- A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls.
- Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services.
- A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.
- A code review is a systematic examination of the instructions that comprise a piece of software, performed by someone other than the author of that code.
- Interface testing is the systematic evaluation of a given set of exchange points for data between systems and/or users.
- Administrative controls are implemented primarily through policies or procedures.
- Privileged user accounts pose significant risk to the organization and should be carefully managed and controlled.
CISSP Exam Guide Notes: 6.6 Quick Tips
2021-03-23 11:09:07