Join the 40,000+ candidates in over 58 countries that have found a faster, better way to pass their certification exam.
Comprehensive practice exam engine!
All features in the FREE plan, plus:
Welcome to our Assessing Security Controls Module. There are several methods you can use to test the effectiveness of your security controls. One method is vulnerability or weakness assessment. Here, we use various tools to determine what our weak areas are, and also determine if there are any risks that we need to address.
We wanna determine the quantity of issues, the types of issues, and also how bad these issues are. Nessus is a good automated scanner that can be used to perform some vulnerability assessment in the organization. Penetration tests are authorized attacks on your network to determine if there are any weaknesses that might be able to be exploited.
The techniques used by penetration testers are usually similar to those that would be used by actual attackers. The big difference with penetration testing is once a vulnerability is discovered, they attempt to exploit that vulnerability and gain access to your network or systems. With vulnerability assessments, we are just determining that a vulnerability exists, but we are not taking advantage of the vulnerability.
For the CISSP exam, you will want to be familiar with the differences between penetration testing and vulnerability testing. The goal of penetration testing is really to discovery your organization's ability to withstand an attack from an external or internal threat. Vulnerability assessment and penetration testing are often combined to get a complete picture of your organization's security posture.
Vulnerability assessments are generally conducted by your internal employees and are used to find vulnerabilities. Penetration testing is generally conducted by outside entities. One of the benefits of penetration testing is the ability to determine if your employees are able to detect the attack. And also determine if your incidence response plan is working correctly when the attack occurs to make sure that your employees are responding appropriately.
With vulnerability assessments we are conducting ongoing structured evaluations of our security controls. The goal is really to reduce our threats to a level that we deem to be acceptable. We're looking for bugs or any weaknesses that could affect our confidentiality, integrity and availability. We generally use automated tools to conduct our vulnerability assessments, and we can configure our systems based on our policies but it's important to make sure that we audit to ensure that we have compliance and that the policies are being followed.
It's very important to make sure that we're doing a proper patch management in updating our systems to remove any vulnerabilities and one method that's used to analyze software for vulnerabilities is called fuzzing. And fuzzing is a term that you may see on the CISSP exam. An OVAL, or the Open Vulnerability and Assessment Language, is an XML standard, which is used to report vulnerabilities. When we talk about penetration testing, this is generally a team of professionals that will launch attacks on your system or your network or perhaps on a program that you've designed to determine where you can improve your security. You always must have proper written approval before conducting any penetration testing.
One of the most important reasons is because many penetration testing activities are criminal unless you have consent of the system operator. So you want that consent to be in writing. Also, there is a possibility of damage to systems or systems going offline during penetration testing, so a contract needs to be in place to prevent any liability for the penetration testing organization.
There's three different types of penetration testing. The penetration testing listed here increases in sophistication and cost as we move down this list. The least expensive penetration testing is white box testing. Here, the attackers have full knowledge of your network or your system that is to be tested. With a gray box methodology, the attackers may have limited knowledge.
This is usually used because it's less expensive than black box testing, but it is more sophisticated than white box testing. And black box testing is more of a real world situation, where the attackers have absolutely no knowledge of the organization's systems or security procedures. And they have to approach it as a hacker, and start from scratch and attempt to perform their reconnaissance and then attack the system.
And black box testing is the most expensive method of testing. Some organizations will also have internal testing, certification and accreditation processes. These procedures are used to determine if a system is suitable to operate in a target environment. The certification process is where we test the system against a certain set of evaluation criteria in an operating environment.
In the NIST or National Institute of Standards and Technology, Risk Management Framework this is called assessing security controls. The accreditation process is the official Initial decision by a member of management to actually operate the system. The newer term for accreditation from the NIST Risk Management Framework is authorizing the information system, which is step five.
On the CISSP exam you will most likely see questions that ask you the difference between certification and accreditation. You want to remember that we are not permitted to operate a system until it has been accredited. Just because a system is certified does not mean that we have the authority to operate it.
This concludes our Assessing Security Controls Module. Thank you for watching.
Classified by skill and ranked by difficulty. Choose to answer questions in STUDY MODE to review and you go.
Know when you’re ready for the high-stakes exam. Have the confidence that you will pass on your first attempt.
Don’t forget what you’ve just studied! Use the intelligent reinforcement questions to stay fresh.
THANK YOU! Just bloody thank you! I’m doing the CEH minor at my college and well...I’ve learned more from this site in a few hours than I’ve learned from my school in 9 weeks about the subject. Keep up the good work!
Skillset’s Exam Engine continuously assesses your knowledge and determines when you are ready take and pass your exam. When Skillset learns that there is a gap between your knowledge and what you need to know to pass, we present you with a focused training module that gets you up to speed quickly. No fluff! Find your knowledge gaps and fill them.
Skillset is confident that we can help anyone pass their exam. If you reach 100% readiness, and you do not pass your exam, we will refund you plus pay for a replacement exam voucher. That’s how powerful our learning system is, we can offer this guarantee and stand behind our products with this no risk to you guarantee. See terms and conditions.
Don’t waste time studying concepts you have already mastered. Focus on what you need to know to pass. The Skillset Competency Diagnostic aligns our Exam Engine and Learning Plan to your baseline knowledge. This saves an average of 31% of the time required to prep for a professional certification exam.
More PRO benefits are being built all the time!