5.5 - CompTIA Security+
Attestation
Attestation: An opinion of truth, or a conclusion, that is associated with an audit.
Internal
Compliance
Audit committee
Audit committee: A group that is responsible for all of the risk management associated with an organization, and for both starting and stopping any internal audits.
Self-assessments
Self-assessments: Allows an organization to look at its internal processes and procedures and see how well they match the requirements for the organization.
External
Regulatory
Examinations
Assessment
Independent third-party audit
Penetration testing
Physical
Physical penetration test: Pentest that involves attackers attempting to gain access to the physical facility/devices.
Offensive
Offensive penetration test: A test designed to evaluate the effectiveness of security controls in preventing unauthorized access and manipulation of systems, often simulating real-world attacks to identify vulnerabilities.
Defensive
Defensive penetration test: Refers to the defensive/blue team, which identifies incoming attacks in real time and blocks them from occurring.
Integrated
Integrated penetration test: A holistic approach that combines different types of penetration testing methodologies and techniques to evaluate an organization's security operations. Often combines defensive and offensive pentesting.
Known environment
Known environment pentesting: A penetration test where the tester has detailed knowledge about the target system or network, including information about the network architecture, hardware, and software configurations, system vulnerabilities, and users.
Partially known environment
Partially known environment pentesting: A penetration test where the attacker possesses limited knowledge about the target system or network, and may employ reconnaissance techniques to gather additional information.
Unknown environment
Unknown environment pentesting: A penetration test where the tester has little prior knowledge about the target system or network. Aims to mimic an attack from an unknown entity and discover potential vulnerabilities.
Reconnaissance
Passive
Passive reconnaissance: Penetration testing/information gathering techniques that do not interact with target systems directly (e.g., OSINT, network traffic monitoring/taps).
Active
Active reconnaissance: Penetration testing/information gathering techniques that interact with target systems directly (e.g., port scanning, DNS enumeration).