Section 13: Audit and Assessments

22 Terms

1

internal vs external audits

internal audits are conducted by the organization's own staff, while external audits are performed by independent third-party entities

2

internal assessment

in-depth analysis, performed by the organization's own team, to identify and assess potential risks and vulnerabilities in its information systems (IS)

3

Minnesota Counties Intergovernmental Trust (MCIT)

created a checklist to help its members reduce data and cyber-security risks by identifying and addressing vulnerabilities

4

cyber-security self-assessment

helps an organization identify and strengthen its data security areas internally, using its own staff rather than an outside party

  • usually takes the form of a checklist (the MCIT checklist is one example)

5

external assessment

detailed analysis conducted by independent entities to identify vulnerabilities and risks

6

types of penetration testing

  1. physical

  2. offensive

  3. defensive

  4. integrated

7

physical pentesting

testing an organization's physical security by attempting to defeat locks, access cards, security cameras and other protective measures

8

offensive pentesting (red teaming)

actively seeks out vulnerabilities and attempts to exploit them, modeling a real cyber attack

9

defensive pentesting (blue teaming)

reactive approach focused on strengthening systems and on detecting and responding to attacks

  • monitors for unusual activity and improves incident response times

10

integrated pentesting (purple teaming)

combination of offensive and defensive pentesting

  • red + blue = purple teaming

11

reconnaissance

an initial phase where critical information about a target system is gathered to enhance an attack’s effectiveness and success

12

active reconnaissance

direct engagement with the target system (port scans, service probes, etc.), offering more information but with a higher risk of detection

13

passive reconnaissance

gathering information without direct engagement with the target system, offering lower detection risk but less data
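The two reconnaissance styles above side by side, as an added example (not code from the original page). The active half is a TCP connect() scan, run here against a throwaway listener the script itself starts on 127.0.0.1 so it works offline; the passive half mines certificate-transparency records for hostnames without sending anything to the target. SAMPLE_CT_RECORDS is constructed sample input in the JSON shape crt.sh returns, not a real query result, and the example.com hostnames and dates in it are made up.

```python
"""Active vs. passive reconnaissance. Added example, not code from the
original page.

Active: a TCP connect() scan that touches the target directly. The target is a
throwaway listener on 127.0.0.1 started by this script, so it runs offline.
Passive: mining certificate-transparency records for hostnames without ever
contacting the target. SAMPLE_CT_RECORDS is constructed sample input in the
JSON shape crt.sh returns; it is not a real query result.
"""
import json
import socket
import threading
from datetime import datetime


class LocalTarget:
    """Throwaway TCP listener on 127.0.0.1 so the active scan has something to hit."""

    def __init__(self) -> None:
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self._srv.listen(5)
        self._srv.settimeout(0.2)          # lets the accept loop notice close()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()  # handshake completed, which is all the scanner observes

    def close(self) -> None:
        self._stop.set()
        self._srv.close()


def free_closed_port() -> int:
    """Reserve and release a port so the scan has a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def active_scan(host: str, ports, timeout: float = 0.5) -> dict[int, str]:
    """Full TCP connect() scan. Every probe completes the three-way handshake,
    so the target's own logs and any IDS on the path see it: more information
    (a definite open/closed/filtered answer) at a higher detection risk."""
    results: dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"     # RST came back: host up, nothing listening
            except OSError:
                results[port] = "filtered"   # timeout or unreachable: dropped or blocked
    return results


# Constructed CT-log records in crt.sh's JSON shape (not real data).
SAMPLE_CT_RECORDS = json.dumps([
    {"common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nstaging-old.example.com",
     "not_before": "2022-11-01T00:00:00", "not_after": "2023-02-01T23:59:59"},
    {"common_name": "examplecorp.net", "name_value": "examplecorp.net",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
])


def passive_ct_hosts(ct_json: str, domain: str, as_of: str) -> dict[str, list[str]]:
    """Passive recon: hostnames under `domain` seen in CT records. No packet
    reaches the target, so detection risk is nil, but the data is only what was
    logged: possibly stale, and never a confirmed open port. Hosts whose only
    certificates expired before `as_of` are reported separately; those are the
    forgotten assets a pentest should still check."""
    cutoff = datetime.fromisoformat(as_of)
    current: set[str] = set()
    seen: set[str] = set()
    for entry in json.loads(ct_json):
        expired = datetime.fromisoformat(entry["not_after"]) < cutoff
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                continue  # a wildcard names no concrete host
            if name != domain and not name.endswith("." + domain):
                continue  # different domain: out of scope
            seen.add(name)
            if not expired:
                current.add(name)
    return {"current": sorted(current), "stale": sorted(seen - current)}


if __name__ == "__main__":
    target = LocalTarget()
    print("active :", active_scan("127.0.0.1", [target.port, free_closed_port()]))
    target.close()
    print("passive:", passive_ct_hosts(SAMPLE_CT_RECORDS, "example.com", "2024-04-01"))
```

The trade-off in the two definitions shows up directly: the connect() scan returns a definite open/closed/filtered verdict for each port but generates a full handshake the target can log, while the CT lookup is invisible to the target yet can only say a name once had a certificate, which is why the stale bucket exists.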

14

known environment

detailed target infrastructure information from the organization is received prior to the pentest

  • may not need to conduct reconnaissance

15

partially known environment

involves limited information provided to testers, who may have partial knowledge of the system

  • pentest uncovers hidden or forgotten assets that might be vulnerable

16

unknown environment

testers receive minimal to no information about the target system

  • aims to mimic an external attacker with limited knowledge

17

Metasploit

multi-purpose computer security and penetration testing framework that bundles a wide array of tools (exploits, payloads, scanners) for carrying out pentests

18

attestation

process that involves the formal validation or confirmation provided by an entity that is used to assert the accuracy and authenticity of specific information

19

types of attestation

  • software

  • hardware

  • system

20

software attestation

validating the integrity of software by checking that it hasn't been tampered with or altered maliciously

21

hardware attestation

validating the integrity of hardware components

22

system attestation

validating the security posture of a system as a whole (its hardware and the software running on it)
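Cards 18 to 22 describe attestation in words; the following is an added example (not code from the original page) of the mechanism in miniature. An attester measures each component of a system in boot order into a hash chain, signs the final value together with a nonce chosen by the verifier, and the verifier checks the signature, the nonce and the measurement against known-good reference values. HMAC with a pre-shared key is an assumed simplification standing in for the asymmetric quote signature a TPM or secure element would produce; the component bytes, the key and the reference label are all constructed for this example.

```python
"""Software/system attestation in miniature. Added example, not code from the
original page.

The attester measures each boot component in order into a PCR-style hash
chain, signs the final value together with a verifier-chosen nonce, and the
verifier checks signature, freshness and the measurement against known-good
reference values. HMAC with a pre-shared key (an assumption) stands in for the
asymmetric quote signature a TPM or secure element would produce; all
component bytes, keys and reference values below are constructed.
"""
import hashlib
import hmac
import json
import os

# Hypothetical key; in practice it never leaves the attesting hardware.
ATTESTATION_KEY = b"constructed-attestation-key-do-not-reuse"

# Constructed stand-ins for the measured boot components.
GOOD_COMPONENTS = [b"BOOTLOADER v1.4", b"KERNEL 6.1 signed", b"config: secure_boot=on"]


def extend_chain(components: list[bytes]) -> str:
    """PCR-style extend: pcr = SHA256(pcr || SHA256(component)), starting from
    all zeros. Order matters, so swapping or inserting a component changes it."""
    pcr = bytes(32)
    for comp in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(comp).digest()).digest()
    return pcr.hex()


def attest(components: list[bytes], nonce: bytes, key: bytes = ATTESTATION_KEY) -> dict:
    """Attester side: produce a quote binding the measurement to the verifier's nonce."""
    report = {"measurement": extend_chain(components), "nonce": nonce.hex()}
    payload = json.dumps(report, sort_keys=True).encode()
    return {"report": report, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(quote: dict, nonce: bytes, reference: dict[str, str],
           key: bytes = ATTESTATION_KEY) -> tuple[bool, str]:
    """Verifier side. Check the signature before trusting any field in the
    report, then freshness (nonce), then the reference value."""
    payload = json.dumps(quote["report"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, quote["sig"]):
        return False, "signature mismatch"
    if quote["report"]["nonce"] != nonce.hex():
        return False, "stale quote"
    label = reference.get(quote["report"]["measurement"])
    if label is None:
        return False, "unknown measurement"
    return True, label


# Reference values: measurement -> approved build label (constructed golden image).
REFERENCE = {extend_chain(GOOD_COMPONENTS): "golden-image-2024.06"}


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Drive the cases a verifier must tell apart."""
    nonce = os.urandom(16)
    out = {"good": verify(attest(GOOD_COMPONENTS, nonce), nonce, REFERENCE)}

    tampered = [GOOD_COMPONENTS[0], b"KERNEL 6.1 signed + rootkit", GOOD_COMPONENTS[2]]
    out["tampered"] = verify(attest(tampered, nonce), nonce, REFERENCE)

    reordered = [GOOD_COMPONENTS[1], GOOD_COMPONENTS[0], GOOD_COMPONENTS[2]]
    out["reordered"] = verify(attest(reordered, nonce), nonce, REFERENCE)

    old_quote = attest(GOOD_COMPONENTS, os.urandom(16))  # captured earlier, replayed now
    out["replayed"] = verify(old_quote, nonce, REFERENCE)

    forged = attest(tampered, nonce)
    forged["report"]["measurement"] = next(iter(REFERENCE))  # edited after signing
    out["forged"] = verify(forged, nonce, REFERENCE)
    return out


if __name__ == "__main__":
    for case, (ok, why) in run_scenarios().items():
        print(f"{case:9s} -> {'PASS' if ok else 'FAIL'}: {why}")
```

The check order in verify() is deliberate: a forged report is rejected on the signature alone, a replayed but genuine quote on the nonce, and only a fresh, authentic quote ever reaches the reference-value comparison. Measuring the components into an ordered chain is what turns per-file software attestation into a statement about the whole system's posture.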