Security Assessment and Testing: CISSP, #6

While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

SECURITY ASSESSMENT AND TESTING

First edition. April 2, 2020.

Copyright © 2020 Selwyn Classen.

Written by Selwyn Classen.

Table of Contents

Assessment and Testing Strategies

Course Introduction

Ensuring Objectives Have Been Met

Resource Constraints

Security Assessment Foundations

Security Assessment Program

Assessment Viewpoints

Assessment Types

Summary

Security Control Effectiveness Testing

Introduction

Vulnerability Assessment

Detection

Identification

Analysis

Reporting

Mitigation

Intro to Penetration Testing

Penetration Testing

Test Process Walkthrough

Selecting Target Surface

Destructing and Non-destructive Testing

Penetration Testing Frameworks

CISSP Exam Tip

Penetration Testing Process

Scoping the Test

Enumeration

Identification

Security Assessment Techniques

Source Code Review

Summary

Security Process Data Collection

Introduction

Key Performance Risk Indicators

Management Review

Training and Awareness

Account Management

Disaster Recovery and Business Continuity

Backup Data Verification

Summary

Test Result Analysis

Introduction

Vulnerability Assessment

Vulnerability Assessment Dashboards

Targeted Reporting

Data Analysis

Penetration Testing Reports

Reporting Challenges

Penetration Testing Report Anatomy

Summary

Third-party Assessment

Introduction

Third-party Vendors

Evaluating Guidelines

Audit Reports

SSAE16

Audit Stages

Summary

Information Security Continuous Monitoring

Introduction

What Is ISCM?

ISCM Strategy

Defining Your ISCM Program Strategy

Establishing Your ISCM Program Strategy

Implementing Your ISCM Program Strategy

Analyzing Your ISCM Program Strategy

Respond to ISCM Findings

Review Your ISCM Program Strategy

Summary

Assessment and Testing Strategies

Course Introduction

Let us assume that your controls have been selected and implemented, your users have been educated, and everything seems to be in order. Even if this is the case, the odds are that there are still unknown risks in your environment and if you want to be confident that your controls are working as intended, you will need to perform security and risk assessment. If you take a look at the CISSP exam outline, you will find that a CISSP candidate will be expected to understand how to design and validate assessments and test strategies, conduct security control testing, collect security control data, analyze and report test outputs, and conduct or facilitate internal and third-party audits. The requirements that were just listed all stem from the very same need.

Let me give you a quick example of this. Depending on the size of the organization, there is a chance that many employees believe that all necessary security controls are already in place. Unfortunately, this is simply an assumption and one that is often incorrect. As a security professional, you may need to provide your leadership with the assurance that your systems are secure and to do that; you will need to have effective and repeatable security testing and assessment processes in place. In this module and throughout the entire course, you are going to learn what this entails. Security testing will require that you leverage all of the information that you have learned in the other CISSP domains. You may be asked to work with product owners to build out procedures and processes that validate the effectiveness of security controls. When planning for testing and creating your test strategies, you may be required to work with product owners to build out procedures and processes that validate the effectiveness of security controls.

Now that you have a basic understanding of what ISE Squared expects a candidate to know in regards to security assessment and testing. Let us go ahead and get started on the first topic of this course, assessment and testing strategies. This module attempts to cover the broad spectrum of security assessment and testing-related ideas, concepts, and terminology that is the foundation for any advanced security professional. This course module also reinforces your existing security assessment knowledge and will focus on the concepts necessary for adequately designing and validating security assessments. Now, although this course does not contain technological demonstrations, much of the information that will be shared should be immediately useful when you are planning for or even executing your security assessments.

You will learn why developing a strategy for security assessment, and testing is important and what the different assessment types are and what you should know in regards to resources and how they might impact your assessments. You will also learn about the overall security testing and assessment process so that you can be both effective and efficient when developing your strategies. 

Ensuring Objectives Have Been Met

Information security assessment is an activity that is focused on assuring that security objectives have been met. This can be accomplished by testing your environment and validating that everything is working the way that you had originally planned when performing due diligence. This could include the security objectives that are driven by regulatory requirements, or it could be the items that are in your organizational policies. Security testing will ensure that your controls are working properly, and when they do not, it will help you to identify those areas