
CISSP Study Guide Notes: 6.6 Quick Tips

Author: 血狼debugeeker
Published 2021-03-23 11:09:07
Collected in column: debugeeker的专栏
  • An audit is a systematic assessment of the security controls of an information system.
  • Setting a clear set of goals is probably the most important step of planning a security audit.
  • Internal audits benefit from the auditors’ familiarity with the systems, but may be hindered by a lack of exposure to how others attack and defend systems.
  • External audits happen when organizations have a contract in place that includes security provisions. The contracting party can demand to audit the contractor to ensure those provisions are being met.
  • Third-party audits typically bring a much broader background of experience that can provide fresh insights, but can be expensive.
  • Test coverage is a measure of how much of a system is examined by a specific test (or group of tests).
  • A vulnerability test is an examination of a system for the purpose of identifying, defining, and ranking its vulnerabilities.
  • Black box testing treats the system being tested as completely opaque.
  • White box testing affords the auditor complete knowledge of the inner workings of the system even before the first scan is performed.
  • Gray box testing gives the auditor some, but not all, information about the internal workings of the system.
  • Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner.
  • A blind test is one in which the assessors only have publicly available data to work with and the network security staff is aware that the testing will occur.
  • A double-blind test (stealth assessment) is a blind test in which the network security staff is not notified that testing will occur.
  • War dialing allows attackers and administrators to dial large blocks of phone numbers in search of available modems.
  • A log review is the examination of system log files to detect security events or to verify the effectiveness of security controls.
  • Synthetic transactions are scripted events that mimic the behaviors of real users and allow security professionals to systematically test the performance of critical services.
  • A misuse case is a use case that includes threat actors and the tasks they want to perform on the system.
  • A code review is a systematic examination of the instructions that comprise a piece of software, performed by someone other than the author of that code.
  • Interface testing is the systematic evaluation of a given set of exchange points for data between systems and/or users.
  • Administrative controls are implemented primarily through policies or procedures.
  • Privileged user accounts pose significant risk to the organization and should be carefully managed and controlled.
This article is part of the Tencent Cloud self-media sharing programme and was shared from the author's personal site/blog.
Originally published: 2021-03-06
