- Ensures systems and applications are free from vulnerabilities.
- Helps protect data, maintain privacy, and ensure business continuity.
- Part of a broader cybersecurity framework.
Security Testing
The process of identifying and analyzing system and network weaknesses to evaluate an organization's overall security posture. It involves scanning for vulnerabilities, misconfigurations, and compliance issues.
SECURITY SCANNING
Identifies active devices, open ports, and services.
Network Scanning
Looks for flaws in web or desktop applications.
Application Scanning
Automated process that identifies known vulnerabilities in systems, networks, or applications, producing a list of vulnerabilities with severity levels.
VULNERABILITY SCANNING
Popular scanner for identifying vulnerabilities, misconfigurations, and compliance issues.
Nessus
Open-source tool that detects security issues in servers and network services.
OpenVAS
Cloud-based scanner that provides continuous vulnerability detection and compliance.
Qualys
Real-time vulnerability management tool with risk scoring and integration.
Nexpose (by Rapid7)
Web vulnerability scanner focused on detecting flaws in websites and web applications.
Acunetix
Command-line tool that scans web servers for dangerous files, outdated software, and configuration issues.
Nikto
Primarily for web app testing; includes a scanner in the Pro version to find security bugs.
Burp Suite (Community/Pro)
Also known as a "pen test," it is a type of security assessment that simulates a cyberattack, performed by ethical hackers in order to identify weaknesses in a computer system.
PENETRATION TESTING
Tester has no prior knowledge of the system; simulates an external attacker.
BLACK BOX TESTING
Tester has full access to source code, architecture, and credentials; simulates an insider or developer.
WHITE BOX TESTING
Tester has partial knowledge (e.g., user credentials or system overview); simulates an authenticated or semi-informed attacker.
GRAY BOX TESTING
Collaborating with key stakeholders to pinpoint critical systems, data, and resources that must be protected within the assessment scope.
IDENTIFY ASSETS
Analyzing technical, physical, and procedural weaknesses that could expose assets to potential attacks or failures.
IDENTIFY THREATS AND VULNERABILITIES
Evaluating how severe the consequences of a threat could be and how probable it is to occur.
ASSESS IMPACT AND LIKELIHOOD
Ranking risks based on impact, likelihood, and urgency using a risk matrix, focusing on high-priority threats to ensure timely and effective risk management.
PRIORITIZE RISK
Proposing appropriate security measures to mitigate identified risks, reduce their impact or likelihood, and align with the organization's risk tolerance and objectives.
RECOMMEND CONTROLS
A systematic and formal evaluation of an organization's information systems, policies, and controls to ensure they meet internal standards and external regulations.
SECURITY AUDITING
Verifies adherence to industry standards and legal requirements (e.g., ISO 27001, HIPAA, PCI-DSS).
Compliance
Checks if internal security policies are being properly implemented and followed.
Policy Enforcement
Evaluates how data access is managed, ensuring only authorized users have appropriate access.
Access Controls
Conducted by in-house staff to assess ongoing compliance and identify internal weaknesses.
INTERNAL AUDIT
Performed by third-party experts to provide an objective evaluation, often required for certification or regulation.
EXTERNAL AUDIT