Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to security assessment and testing in Domain 6, to understand how they interrelate and to guide your studies. This is the first of three videos for Domain 6. I've included links to the other mind map videos in the description below. These mind maps are one part of our complete CISSP MasterClass.

Our systems are becoming ever more complex. We are collecting more data, gathering more insights, rapidly making decisions. These systems are integral to the success of the business. What, then, is the purpose of security assessment and testing? To ensure the security requirements and controls are defined, tested and operating effectively to support the business in achieving its goals and objectives. In today's world, no business is going to be successful if they don't have systems that provide a sufficient degree of confidence in confidentiality, integrity and availability.

When should security become involved in testing? Security assessment and testing covers the gathering and validation of business requirements, definition of controls, development of new applications and systems, the ongoing operation, and the eventual retirement and disposal of systems. A good way to summarize it is that testing should be involved right from the start and throughout. A good exam hint is that if you are ever asked when security should become involved in testing, look for the earliest possible answer. If "the dawn of time" is one of the answers, it's probably the right answer.

We'll start this mind map with validation. Validation is all about gathering business requirements to truly understand what the business needs, and validating those requirements with the relevant stakeholders. We cannot possibly perform any of the testing we're going to talk about if we don't understand what the business needs.

Verification is all about the testing we perform once we start building the product, the system. We're verifying that the controls are properly designed and baked into the system. We can invest very little effort in testing, or we can invest a lot of effort in testing. What drives us to perform more testing, to have a greater confidence that the system is working correctly? The value of the system to the organization. The more valuable the system, the more effort we will invest in testing to make sure the system is effectively supporting the business and achieving its goals and objectives.

Software is complex and is often built by teams of people. As such, we can subdivide the development effort into different units. Unit testing is where we test individual units of software as they are developed. To wildly oversimplify, for an operating system we might have a unit of software that is responsible for keyboard input, another for mouse input and another for video output. Unit testing would be testing each of these individual units separately. Units of software need to communicate with each other; they communicate through standardized interfaces. Interface testing verifies that communication between one or more units is working correctly. Once a few units are completed, we can begin integration testing, where we're testing groups of units together to make sure that they play nicely with each other. And once all the units are completed and we've done a bunch of integration testing, we can begin testing the whole thing, testing the entire system: system testing.

There are various techniques that we can apply to perform our testing, and note that these techniques can be mixed and matched together to perform different types of tests; they're not mutually exclusive.

There are two main methods that we can use to perform testing. Manual testing is hands-on keyboard: a person manually reading code or performing some action on a running program. Automated testing implies the use of automated tools, software to test other software, for example code scanning tools or vulnerability scanners.

Runtime is all about whether the code is running or not. Static testing is testing a system that isn't running; static testing is looking at code. Dynamic testing means the software is running, so you're testing a running system.

Fuzz testing is a form of dynamic testing. It is essentially the idea that programmers are logical people: they expect logical input, and it provides logical output. If you throw chaos at a system, massive amounts of random data, random input, then you can identify all sorts of unexpected errors and vulnerabilities in code. Diving a little deeper into fuzz testing, there are two types of fuzzers you should be familiar with. Mutation fuzzers are often referred to as dumb fuzzers, as mutation fuzzers do not have any understanding of the input data they are fuzzing. Mutation fuzzers just randomly mutate some input data to a system with no understanding of the data structure. Generation fuzzers are often referred to as intelligent fuzzers, as they have a basic understanding of the type and structure of input expected by a system, and therefore a generation fuzzer can generate new chaotic input based on the type of input that's expected.

Some testing involves access to the code, and in other tests you don't have access to the code but rather just the running system. White box means you have access to the source code for your testing. Black box means you can't see the underlying source code; you are testing a running application, and the internal workings are a black box to you.

There are many techniques we can employ in software testing. To name a few of the key ones: positive testing is verifying that a system works as expected. If you're testing a login mechanism, the positive testing would be verifying that a correct username and password allows you to log in. Negative testing is looking for normal and expected errors. In a login mechanism, you expect someone to enter the wrong password on occasion. The negative testing would be verifying that an incorrect username and password is handled gracefully: the system says "have you forgotten your password?" and doesn't just crash. Misuse testing is abusing the system as an attacker might: testing for buffer overflows, SQL injection vulnerabilities and that sort of thing.

Decision table analysis is a software testing technique that can be used to test systems or behaviors for different input combinations. Essentially, you create a table that lists all the different input combinations and their corresponding behavior, and this allows you to check all possible combinations and make sure you don't miss anything, even in a complex application. Decision table analysis is particularly useful for testing complex software and requirements management. State-based analysis is particularly useful for testing software such as GUIs, graphical user interfaces, and communications protocols like TCP.

The next two techniques are all about making testing more efficient by reducing the number of tests required while still achieving a requisite level of confidence. In boundary value analysis, testing is focused on the boundaries. Put more simply, you identify where there are changes in behavior, you call this a boundary, and then you focus your testing on either side of the boundary. A more official definition is: the test cases cover the extreme ends of the input values. In equivalence partitioning, inputs are divided, partitioned, into groups which exhibit the same behavior. Test cases are then written to cover each partition. And here's a diagram to help you visualize the difference between these two techniques. If we are asking for a password length of, say, 8 to 16 characters, then we have a boundary between seven and eight characters: seven characters should be rejected and eight characters should be accepted. And then another boundary between 16 and 17 characters. So in boundary value analysis we would focus our testing on either side of this boundary. In equivalence partitioning we identify three partitions and then do some testing within each partition.

Operational is the testing we perform on systems that have been deployed and are in production. Real user monitoring, RUM, is monitoring the system usage of real users: monitoring user transactions in real time for usage, performance and errors. Synthetic performance monitoring is running scripted transactions to monitor functionality, availability and response. Basically, create little bots or agents that simulate usage of a system. Synthetic performance monitoring is a good way to do load or stress testing on a system. Regression testing is performed after a change is made to a system, to verify that previously tested software continues to perform correctly after a change.

Who can perform this testing? Internal testing implies a company's own employees testing their own software. External testing implies a company hiring an independent external tester to test the company's software, or external can also mean a company sending their employees to a service provider or vendor to test the services being provided. Third party implies three parties are involved: the customer, the service provider and the independent third-party auditor.

The reports produced as part of third-party audits are often SOC, Service Organization Controls, reports. A SOC 1 report focuses on financial reporting risks. As security professionals, SOC 1 reports aren't that interesting to us. SOC 2 reports focus on the five trust principles: security, availability, confidentiality, processing integrity and privacy. The five trust principles are most definitely of interest to us as security professionals. Just to make things confusing, there are two types of SOC 1 and SOC 2 reports. A Type 1 report looks at the design of a control at a point in time, essentially reviewing some paperwork on a Monday. Type 2 reports look at the design and operating effectiveness of a control over a period of time, typically a year. The auditors are testing to see if a control was operating effectively over a year through sampling and other methods. Type 2 reports are way more useful. A SOC 3 report is a sanitized, summarized version of a SOC 2 for public distribution. Basically, SOC 3 reports are a marketing tool. To sum up, as security professionals we want SOC 2 Type 2 reports. And here is a diagram depicting the three SOC reports and Type 1 and Type 2.

Now let's talk about the different roles that may be involved in the audit and assurance function. Executive management provides tone from the top and promotes and funds the audit process. The audit committee is composed of members of the board and senior stakeholders who provide oversight to the audit program. The security officer advises on security-related risks to be evaluated in the audit program. The compliance manager manages the compliance program to ensure corporate compliance with applicable laws and regulations, professional standards and company policy. Internal auditors are company employees who provide assurance that corporate controls are operating effectively. External auditors provide unbiased and independent assurance, as they're independent of the entity being audited.

As part of security assessment and testing, it is important to define metrics to measure what matters. How do you decide what metrics to focus on? It should always be tied back to the business goals and objectives. If you understand what the business is trying to achieve, you can create metrics that demonstrate if progress is being made in that direction. Two specific types of metrics you can use are KPIs and KRIs. KPIs, key performance indicators, are backward-looking metrics. KPIs indicate the achievement of performance goals, performance targets. KRIs, key risk indicators, are forward-looking metrics. They indicate the level of exposure to operational risk. They help to monitor potential future shifts in risk conditions or new emerging risks.

And that is an overview of security assessment and testing within Domain 6, covering the most critical concepts you need to know for the exam. A really cool feature we recently added to our currently free CISSP app is a simple personalized schedule. Just enter in the app when you plan to start studying and when you plan to take the exam, and the app will automatically tell you how many practice questions and flashcards you should study each day, and it makes it super easy to track your progress. It's a simplistic version of the advanced personalized schedule from our CISSP MasterClass. Links to download our free, did I mention it's free, app are in the description below.
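Added example for the fuzz testing passage above (mutation versus generation fuzzers). This is not code from the video or from Destination Certification; the toy message format, the parser, its two planted bugs, and the iteration counts are all constructed for the demonstration. It shows why a generation fuzzer that knows the framing (magic bytes, length field, checksum) reaches the handlers behind the framing checks and finds the crashes there, while a mutation fuzzer that blindly flips bytes of a valid seed mostly breaks the checksum and is rejected before the buggy code is ever reached.

```python
"""Mutation ("dumb") vs generation ("intelligent") fuzzing against a toy
binary message parser. Constructed example; not from the video.

Assumed wire format (made up for this demo):
    b"MSG" | type (1 byte) | length (2 bytes, big-endian) | payload | checksum
    checksum = sum(payload) % 256
"""
import random
import struct

MAGIC = b"MSG"


def parse_message(data: bytes):
    """Validate framing, then dispatch on message type.

    Malformed framing is rejected cleanly (returns None). The handlers,
    however, trust the payload once the checksum matches; those are the
    'deep' bugs a fuzzer should find.
    """
    if len(data) < len(MAGIC) + 1 + 2 + 1 or not data.startswith(MAGIC):
        return None
    msg_type = data[3]
    (length,) = struct.unpack(">H", data[4:6])
    payload = data[6:6 + length]
    if len(payload) != length or len(data) != 6 + length + 1:
        return None
    if sum(payload) % 256 != data[-1]:
        return None
    if msg_type == 0x01:
        # Planted bug 1: strict ASCII decode raises UnicodeDecodeError on high bytes.
        return ("echo", payload.decode("ascii"))
    if msg_type == 0x02:
        # Planted bug 2: "a,b" is split and divided with no check that b != 0
        # (and a malformed shape raises ValueError).
        a, b = payload.decode("ascii").split(",")
        return ("divide", int(a) // int(b))
    return None


def build_message(msg_type: int, payload: bytes) -> bytes:
    """Frame a payload correctly. This is the structural knowledge a
    generation fuzzer has and a mutation fuzzer lacks."""
    header = MAGIC + bytes([msg_type]) + struct.pack(">H", len(payload))
    return header + payload + bytes([sum(payload) % 256])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Dumb fuzzer step: overwrite 1-3 random bytes with random values."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Smart fuzzer step: well-formed framing around a chaotic payload."""
    msg_type = rng.choice([0x01, 0x02, rng.randrange(256)])
    if msg_type == 0x02:
        payload = f"{rng.randrange(1000)},{rng.randrange(5)}".encode()
    else:
        payload = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return build_message(msg_type, payload)


def fuzz(make_input, iterations: int, seed: int = 1) -> set[str]:
    """Drive the target and collect the distinct exception types it raises."""
    rng = random.Random(seed)
    crashes = set()
    for _ in range(iterations):
        try:
            parse_message(make_input(rng))
        except Exception as exc:  # a fuzzer wants to record every crash
            crashes.add(type(exc).__name__)
    return crashes


SEED_MESSAGE = build_message(0x02, b"4,2")  # valid input: 4 // 2


def run_fuzzers(iterations: int = 2000) -> dict:
    """Run both fuzzers for the same budget and return what each found."""
    return {
        "mutation": fuzz(lambda rng: mutate(SEED_MESSAGE, rng), iterations),
        "generation": fuzz(generate, iterations),
    }


if __name__ == "__main__":
    print("seed parses to:", parse_message(SEED_MESSAGE))
    for name, found in run_fuzzers().items():
        print(f"{name:>10} fuzzer found: {sorted(found) or 'nothing'}")
```

Run it and compare the two result sets: the generation fuzzer reliably reports ZeroDivisionError and UnicodeDecodeError because every input it produces passes the framing and checksum checks; the mutation fuzzer finds little or nothing with the same budget because it has to hit a consistent payload-plus-checksum change by luck. In practice the two are combined: mutate the payload of well-formed messages.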
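Added example for the boundary value analysis and equivalence partitioning passage above, using the video's 8-to-16-character password length rule. This is not code from the video or from Destination Certification; the two validators (one with a deliberate off-by-one, one correct) and the case generators are constructed for the demonstration, and the generators are written for any inclusive range lo..hi rather than only 8..16. It shows the point the technique rests on: a representative from the middle of each partition passes the buggy validator, while the values on either side of each boundary catch the off-by-one.

```python
"""Boundary value analysis (BVA) vs equivalence partitioning (EP) applied to
an inclusive length rule such as "8 to 16 characters". Constructed example;
not from the video. Both validators below are made up for the demo."""


def accepts_length_buggy(password: str) -> bool:
    """Off-by-one: meant to accept 8..16 inclusive but rejects exactly 8."""
    return 8 < len(password) <= 16


def accepts_length_fixed(password: str) -> bool:
    """Correct inclusive check for the 8..16 rule."""
    return 8 <= len(password) <= 16


def expected(length: int, lo: int, hi: int) -> bool:
    """Test oracle: the rule says lengths lo..hi inclusive are accepted."""
    return lo <= length <= hi


def boundary_value_cases(lo: int, hi: int) -> list[int]:
    """BVA: test either side of each change in behaviour (lo-1 | lo and hi | hi+1)."""
    return [lo - 1, lo, hi, hi + 1]


def equivalence_partition_cases(lo: int, hi: int) -> list[int]:
    """EP: one representative from each of the three partitions
    (too short, acceptable, too long), deliberately away from the edges."""
    return [max(lo // 2, 0), (lo + hi) // 2, hi + lo]


def run_cases(validator, lengths, lo: int = 8, hi: int = 16) -> list[tuple[int, bool, bool]]:
    """Return (length, expected, actual) for every case the validator gets wrong."""
    failures = []
    for n in lengths:
        actual = validator("a" * n)   # password content is irrelevant to a length rule
        want = expected(n, lo, hi)
        if actual != want:
            failures.append((n, want, actual))
    return failures


if __name__ == "__main__":
    for name, validator in (("buggy", accepts_length_buggy), ("fixed", accepts_length_fixed)):
        bva = run_cases(validator, boundary_value_cases(8, 16))
        ep = run_cases(validator, equivalence_partition_cases(8, 16))
        print(f"{name}: BVA failures={bva}  EP failures={ep}")
```

For 8..16 the BVA cases are 7, 8, 16 and 17 and the EP representatives are 4, 12 and 24. Against the buggy validator, EP reports nothing while BVA reports that length 8 was rejected when it should have been accepted; against the fixed validator both report nothing. Six cases is the whole test set, which is the efficiency the video is describing: the techniques decide which few inputs are worth running rather than trying every length.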