2.4 - Assessment Types


Key Terms 

    • Payment Card Industry Data Security Standard (PCI-DSS) - The security standard that organisations holding card information must abide by. 
    • Health Insurance Portability and Accountability Act (HIPAA) - The security standard that keeps health-related information private from the public. 
    • ISO/IEC 27001 - A set of processes and requirements for an organisation's information security management system. 
    • Sarbanes-Oxley Act (SOX) - Federal regulations that attempt to increase transparency in corporate governance and financial reporting. 
    • Digital Millennium Copyright Act (DMCA) - Federal regulations designed to protect copyrighted works. 
    • Federal Information Security Management Act (FISMA) - Federal regulations that define how government data, operations, and assets are handled. 


Purpose of a Penetration Test 

    • Goal-based testing - This test focuses on the end results. The goals are specific, but the methods of achieving them are left to the ethical hackers, so a penetration tester should use a wide range of techniques to reach them. Goals should be defined as S.M.A.R.T. targets, and they should be realistic and relevant to the test. 
    • Objective-based testing - This test focuses on the overall security of the organisation. The scope of work defines the depth of the test and the objectives the ethical hacker must work towards. If there is a specific part of the organisation that they are worried about, the hacker will be especially thorough with that part of the examination. 
    • Compliance-based testing - This test is solely to analyse whether a company complies with the laws and regulations of its country. These include PCI-DSS, HIPAA, ISO/IEC 27001, SOX, DMCA, and FISMA. Such regulations have limitations: they are often based on outdated password policies and are updated irregularly, and they are sometimes so detailed that they limit the options available to security management. 


Merging 

When companies merge, or one company takes over another, their systems, policies and regulations must be combined, and this often creates the need for a penetration test. In most cases the company will need to check compatibility between networking systems, physical security, data security, and company culture. These tests identify differences between the two companies which, if left unattended, could lead to vulnerabilities. The test may also reveal issues that cause a merger or takeover to fail, which can save a company in the long term. 


Supply Chain 

A supply chain exists when one company needs to transfer materials to another. When creating a supply chain, a business must consider whether the connections between the two companies are set up correctly, how effective their security is, and whether there are any regulations they need to abide by. 


Security Teams 

    • Blue teams focus on defensive security. They are responsible for implementing policies and addressing vulnerabilities. 
    • Red teams work against the blue team to test the security of an organisation and find vulnerabilities. Red teams consist of ethical hackers. 
    • Purple teams act as the pipeline between the blue and red teams. However, the purple team can also take on offensive and defensive work at times. 
