CISSP Domain 6

The document discusses the key topics covered in Domain 6 of the CISSP exam: Security Assessment and Testing. Domain 6 involves designing and validating assessment strategies, conducting security control testing through methods like vulnerability assessments and penetration tests, analyzing results and generating reports, and facilitating internal and external audits to evaluate security program effectiveness. Proper security assessment and testing is important for all organizations to validate that controls are working as intended over time.

INTRODUCTION: CISSP EXAM DOMAINS

1. Security and Risk Management 15%
2. Asset Security 10%
3. Security Architecture and Engineering 13%
4. Communication and Network Security 14%
5. Identity and Access Management 13%
6. Security Assessment and Testing 12% (this
7. Security Operations 13%
8. Software Development Security 10%
DOMAIN 6
SECURITY ASSESSMENT AND TESTING

CISSP EXAM CRAM
1-HOUR SHORT COURSE
DOMAIN 6: SECURITY ASSESSMENT & TESTING

6.1 Design and validate assessment, test, and audit strategies
6.2 Conduct security control testing
6.3 Collect security process data (e.g., technical and administrative)
6.4 Analyze test output and generate report
6.5 Conduct or facilitate security audits

Some situations require an expert!


SECURITY ASSESSMENT AND TESTING

Security assessment and testing programs provide a mechanism for validating the ongoing
effectiveness of security controls, using a variety of tools to validate those controls:
- vulnerability assessments
- penetration tests, software testing
- audits
- security management tasks

Every organization should have a security assessment and testing program defined and
operational.
ASSESSMENT & TESTING

Vulnerability assessments
use automated tools to search for known vulnerabilities in systems, applications, and
networks. Flaws may include missing patches, misconfigurations, or faulty code that
expose the organization to security risks.

Penetration tests
use these same tools but supplement them with attack techniques, where an assessor
attempts to exploit vulnerabilities and gain access to the system.
ASSESSMENT & TESTING

A few strategies that may be employed:
- War Dialing – bank of modems (legacy)
- Sniffing – monitor the network
- Eavesdropping – listening
- Dumpster Diving – just like it sounds
- Social Engineering – human manipulation

Tests that involve human interaction and analysis will increase cost but are more thorough.
SECURITY PROCESS DATA

Employment policies and practices (write):
termination process and background checks

Roles and responsibilities (communicate):
management sets the standard and verbalizes the policy

Security awareness training (train):
prevents social engineering, helps with phishing
SOFTWARE TESTING
Perform software testing to validate code moving into production.

Software testing
techniques verify that code functions as designed and does not contain security flaws.

Code review
uses a peer review process to formally or informally validate code before deploying it
in production.

Interface testing
assesses the interactions between components and users with API testing, user interface
testing, and physical interface testing.
STATIC VS DYNAMIC TESTING

Static software testing
techniques, including code reviews, evaluate the security of software without running it,
by analyzing either the source code or the compiled application.

Dynamic software testing
evaluates the security of software in a runtime environment and is often the only option
for organizations deploying applications written by someone else.

“written by someone else” is not a requirement: dynamic testing applies to in-house code too.

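The contrast above, as an added example that is not part of the original deck: the same constructed function is examined both ways. The static check parses source text with Python's ast module and never executes it; the dynamic check needs no source at all, only the compiled function and a way to observe the sink it calls. The sample source, the MARKER input, and the function names ping and ping_fixed are all constructed for this illustration.

```python
"""Static vs. dynamic testing of the same constructed function (added example)."""
import ast
import subprocess

# Constructed sample under test. ping builds a shell string from caller input;
# ping_fixed passes an argument list and no shell, so input stays one argv element.
SAMPLE_SOURCE = '''
import subprocess

def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True, capture_output=True)

def ping_fixed(host):
    return subprocess.run(["ping", "-c", "1", host], capture_output=True)
'''

# Callees a reviewer treats as findings when non-literal input reaches a shell/interpreter.
RISKY_CALLS = {"eval", "exec", "os.system", "subprocess.run", "subprocess.Popen", "subprocess.call"}
SHELL_SINKS = {"eval", "exec", "os.system"}


def _callee_name(node):
    """Dotted name of a Call node's callee, e.g. 'subprocess.run', or None if not simple."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def static_findings(source):
    """Static testing: walk the syntax tree of the source text without running it.
    Returns (line, callee, reason) tuples for shell sinks fed a non-literal argument."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in RISKY_CALLS:
            continue
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        first_arg_literal = bool(node.args) and isinstance(node.args[0], ast.Constant)
        if (name in SHELL_SINKS or shell_true) and not first_arg_literal:
            findings.append((node.lineno, name, "non-literal argument reaches a shell"))
    return findings


def load_sample():
    """Compile the constructed sample into a namespace so the dynamic test has a runtime artifact."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)
    return namespace


def dynamic_findings(namespace, func_name):
    """Dynamic testing: call the compiled function with a marker input and observe what
    reaches subprocess.run. The real sink is replaced by a recorder, so nothing executes."""
    recorded = []

    def fake_run(cmd, *args, **kwargs):
        recorded.append((cmd, kwargs.get("shell", False)))
        return None

    original = subprocess.run
    subprocess.run = fake_run
    try:
        namespace[func_name]("127.0.0.1; echo MARKER")  # constructed probe input
    finally:
        subprocess.run = original
    # A finding: the probe text arrived intact inside a shell string with shell=True.
    return [cmd for cmd, shell in recorded
            if shell and isinstance(cmd, str) and "; echo MARKER" in cmd]
```

Static analysis reports the line number before anything runs, which is why it fits code review; the dynamic check reports only behaviour, which is all you have when the source is not yours.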
FUZZING

Uses modified inputs to test software performance under unexpected circumstances.

Mutation fuzzing modifies known inputs to generate synthetic inputs that may trigger
unexpected behavior.

Generational fuzzing develops inputs based on models of expected inputs to perform the
same task.
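Both fuzzing styles above, as an added example that is not part of the original deck. The target parse_record, its record format, the planted defects, and the seed input are all constructed for this illustration. The target rejects inputs whose length field is wrong, which is exactly where mutation fuzzing tends to get stuck and where a generational fuzzer, built from a model of the format, keeps going.

```python
"""Mutation-based vs. generational fuzzing of a constructed parser (added example)."""
import random


class RejectedInput(Exception):
    """Raised by the target for input it recognises as malformed; a rejection, not a crash."""


def parse_record(data: bytes) -> dict:
    """Constructed target. Format: '<LEN>:<name>,<age>,<role>', LEN = byte length after the colon.
    The length check is intended; the missing field-count and character validation are the
    planted defects the fuzzers should surface."""
    if b":" not in data:
        raise RejectedInput("no length field")
    length_field, payload = data.split(b":", 1)
    if not length_field.isdigit():
        raise RejectedInput("length is not numeric")
    if len(payload) != int(length_field):
        raise RejectedInput("length mismatch")
    fields = payload.split(b",")
    return {"name": fields[0].decode(), "age": int(fields[1]), "role": fields[2].decode()}


def classify(data: bytes) -> str:
    """Run one input and report 'ok', 'rejected', or 'crash:<ExceptionName>'."""
    try:
        parse_record(data)
        return "ok"
    except RejectedInput:
        return "rejected"
    except Exception as exc:  # anything not an explicit rejection is a bug in the target
        return f"crash:{type(exc).__name__}"


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation fuzzing: derive a new input from a known-good one with no knowledge of the format."""
    buf = bytearray(seed)
    op = rng.choice(("flip", "delete", "insert", "repeat"))
    pos = rng.randrange(len(buf))
    if op == "flip":
        buf[pos] ^= 1 << rng.randrange(8)          # flip one bit
    elif op == "delete" and len(buf) > 1:
        del buf[pos]                               # drop one byte
    elif op == "insert":
        buf.insert(pos, rng.randrange(256))        # add a random byte
    elif op == "repeat":
        buf[pos:pos] = buf[pos:pos + 4]            # duplicate a small chunk
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Generational fuzzing: build an input from a model of the format. The length field is
    always consistent, so every input gets past the target's own sanity check."""
    alphabet = (b"abc", b"0", b"42", b"", b",", b"\xff", b"-1")   # constructed field choices
    fields = [rng.choice(alphabet) for _ in range(rng.randint(1, 4))]
    payload = b",".join(fields)
    return str(len(payload)).encode() + b":" + payload


def fuzz(strategy: str, iterations: int, seed_value: int = 1) -> dict:
    """Run one strategy; return outcome counts and the first crashing input per crash type."""
    rng = random.Random(seed_value)
    seed_input = b"14:alice,30,admin"   # constructed known-good record
    counts, examples = {}, {}
    for _ in range(iterations):
        data = mutate(seed_input, rng) if strategy == "mutation" else generate(rng)
        outcome = classify(data)
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome.startswith("crash:"):
            examples.setdefault(outcome, data)
    return {"counts": counts, "examples": examples}
```

Compare the 'rejected' counts of the two strategies: the mutation run spends much of its budget on inputs the parser throws away at the length check, while every generated input reaches the defective field handling.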
SECURITY MANAGEMENT OVERSIGHT
Security managers must perform a variety of activities to retain proper oversight of the
information security program.

Log reviews
particularly for administrator activities, ensure that systems are not misused.

Account management reviews
ensure that only authorized users retain access to information systems.

Backup verification (the most important!)
ensures that the organization’s data protection process is functioning properly.

Key performance and risk indicators
provide a high-level view of security program effectiveness.
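An account management review as an added example, not part of the original deck. The directory export, the HR roster, the 90-day dormancy threshold, the svc_ naming convention for service accounts, and the review date are all constructed assumptions; the review cross-checks accounts against the roster, flags dormant and orphaned access, and rolls the result up into a few indicators of the kind the slide calls key performance and risk indicators.

```python
"""Account management review over constructed data (added example)."""
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90               # assumed policy threshold
REVIEW_DATE = date(2024, 6, 1)        # constructed review date

# Constructed HR roster: who is still employed.
HR_ROSTER = {
    "alice": {"status": "active", "department": "platform"},
    "bob": {"status": "terminated", "department": "finance"},
    "carol": {"status": "active", "department": "security"},
}

# Constructed export from a directory service.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "privileged": True, "last_login": date(2024, 5, 28)},
    {"user": "bob", "enabled": True, "privileged": False, "last_login": date(2024, 1, 9)},
    {"user": "carol", "enabled": True, "privileged": False, "last_login": date(2024, 2, 1)},
    {"user": "svc_backup", "enabled": True, "privileged": True, "last_login": date(2024, 5, 30)},
    {"user": "dave", "enabled": False, "privileged": True, "last_login": date(2023, 11, 2)},
]


def review_accounts(accounts, roster, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return (user, finding) tuples. One account may carry several findings."""
    findings = []
    cutoff = today - timedelta(days=dormant_after)
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        is_service = user.startswith("svc_")        # assumed naming convention
        if person is None and not is_service:
            findings.append((user, "orphaned: no matching person in HR roster"))
        elif person is not None and person["status"] != "active" and acct["enabled"]:
            findings.append((user, "terminated owner but account still enabled"))
        if acct["enabled"] and acct["last_login"] < cutoff:
            findings.append((user, f"dormant: no login in the last {dormant_after} days"))
        if is_service and acct["privileged"]:
            findings.append((user, "privileged service account: confirm owner and justification"))
    return findings


def kpis(accounts, findings):
    """Roll the findings up into a few indicators for management reporting."""
    enabled = {a["user"] for a in accounts if a["enabled"]}
    flagged_enabled = {user for user, _ in findings} & enabled
    privileged_enabled = sum(1 for a in accounts if a["enabled"] and a["privileged"])
    return {
        "enabled_accounts": len(enabled),
        "flagged_enabled_accounts": len(flagged_enabled),
        "privileged_enabled": privileged_enabled,
        "flagged_pct": round(100 * len(flagged_enabled) / len(enabled), 1) if enabled else 0.0,
    }


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE)
    for user, finding in results:
        print(f"{user:12} {finding}")
    print(kpis(ACCOUNTS, results))
```

The orphan check is the one that catches leavers whose accounts were never disabled; the dormancy check catches access nobody is using and nobody would miss if it were removed.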
INTERNAL AND EXTERNAL AUDITS
Conduct or facilitate internal and third-party audits.

Security audits
occur when a third party performs an assessment of the security controls protecting an
organization’s information assets.

Internal audits
are performed by an organization’s internal staff and are intended for management use.

External audits
are performed by a third-party audit firm and are generally intended for the organization’s
governing body.

Assume an audit is third party unless the question says otherwise.


INSIDE AZURE
MANAGEMENT

THANKS
FOR WATCHING!
