5.5 Explain types and purposes of audits and assessments

  - Audits:
    - Involves the systematic evaluation of processes, controls, and compliance with established standards, policies, and regulations.
    - Ensures alignment of operations with defined requirements.
    - Identifies gaps and provides recommendations for improvement.
  - Assessments:
    - Evaluates the effectiveness and efficiency of various operational aspects such as cybersecurity, risk management, and internal controls.
    - Identifies vulnerabilities, assesses risks, and provides insights for enhancing security.
  - Common Objectives:
    - Maintain compliance.
    - Mitigate risks.
    - Continuously improve organizational security and performance.

Attestation and Assessments

  - Definition of Attestation:
    - Verification and validation of the accuracy, reliability, and effectiveness of security controls, systems, and processes.
    - Conducted by an independent and objective examiner (e.g., auditor, assessor).
  - Purpose and Importance:
    - Provides formal declarations of compliance with standards and regulations.
    - Offers assurance to stakeholders regarding the adequacy and effectiveness of an organization's security measures.
    - Mitigates risks while maintaining data confidentiality, integrity, and availability.

Internal and External Assessments

  - Overview:
    - Both internal and external assessments are essential for effective evaluation of systems, controls, and management processes.
  - Internal Assessments:
    - Conducted by the organization’s employees, providing in-depth insights into business processes.
    - Can be frequent and focused based on organizational needs.
    - Support continuous improvement and governance.
  - External Assessments:
    - Performed by independent third-party auditors with specialized expertise.
    - Offer impartial evaluations against industry standards.
    - Identify areas for improvement that internal audits often miss.
  - Benefits of Combining Approaches:
    - Foster a comprehensive view of risk management.
    - Enhance monitoring, control validation, and compliance.
    - Build trust among stakeholders (customers, partners, regulators).
    - Facilitate knowledge sharing between internal and external teams to improve assessments.

Internal Assessments Approach

  - Compliance Assessment:
    - Evaluates alignment of operating practices with laws, regulations, and ethical standards.
    - Identifies noncompliance and risk areas, and communicates findings to stakeholders.
  - Audit Committee:
    - Independent oversight of financial reporting, internal controls, and risk management.
    - Enhances integrity of financial statements and promotes transparency.
    - Composed of board members who are independent of management.
  - Self-Assessment:
    - Allows individuals or organizations to evaluate performance against set metrics.
    - Facilitates identification of strengths, weaknesses, and improvement areas.
    - Ensures personnel conducting assessments have the necessary expertise.

External Assessments Approach

  - Regulatory Assessments:
    - Conducted by regulatory agencies to ensure compliance with laws and standards.
    - Involve inspections and audits to verify adherence and identify deficiencies.
    - Protect public interests and maintain integrity in the market.
  - Examinations:
    - Independent evaluations of organizational practices focusing on accuracy and compliance.
    - Examples include financial statement audits and compliance audits.
  - External Assessments:
    - Broad evaluations providing independent insights into organizational performance.
    - Assess strategy, operational efficiency, risk management, and compliance practices.
  - Independent Third-Party Audit:
    - Provides unbiased assessments essential for stakeholder confidence.
    - Highlights organizational commitment to compliance and governance.

Penetration Testing

  - Definition:
    - Authorized hacking techniques used to discover exploitable weaknesses in security systems.
  - Steps in Penetration Testing:
    - Verify a Threat Exists: Identify system vulnerabilities using tools and social engineering.
    - Bypass Security Controls: Look for ways to attack systems, e.g., gaining physical access to execute malware.
    - Actively Test Security Controls: Probe for configuration weaknesses such as weak passwords.
    - Exploit Vulnerabilities: Confirm high-risk vulnerabilities by actively exploiting them to gain data access.
  - Difference from Passive Assessment: Penetration testing actively seeks to exploit weaknesses, unlike passive vulnerability assessments.

Reconnaissance Techniques in Penetration Testing

  - Active Reconnaissance:
    - Involves probing target systems to gather information by generating network traffic.
    - Aim: Discover target infrastructure and vulnerabilities.
  - Passive Reconnaissance:
    - Gathers information without direct interaction, focusing on publicly available data.
    - Techniques include monitoring traffic and collecting open-source intelligence (OSINT).
  - Combination of Techniques:
    - Effective tests use both active and passive reconnaissance for comprehensive information gathering.
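The practical consequence of the distinction above is that active reconnaissance leaves evidence in the target's own telemetry, while passive reconnaissance does not. The following added example (not part of the original notes) shows what that evidence looks like from the defender's side: it parses a handful of constructed firewall log lines in an assumed `src=... dst=... dport=...` format and flags any source that touches many distinct destination ports within a short window, the signature of an active probe. The log format, the sample IP addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log line format (constructed for this example, not a real product's format):
#   <ISO-8601 UTC timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

# Constructed sample log lines. 203.0.113.5 sweeps seven ports in six seconds
# (active reconnaissance); 198.51.100.7 is ordinary repeat traffic to one port;
# 203.0.113.9 touches only three ports; the last line is noise the parser must skip.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp",
    "2024-05-01T10:00:02Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp",
    "2024-05-01T10:00:02Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp",
    "2024-05-01T10:00:03Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp",
    "2024-05-01T10:00:04Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp",
    "2024-05-01T10:00:05Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-05-01T10:00:06Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=8080 proto=tcp",
    "2024-05-01T10:00:10Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-05-01T10:01:15Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-05-01T10:02:30Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-05-01T10:03:00Z DENY  src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp",
    "2024-05-01T10:03:01Z ALLOW src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp",
    "2024-05-01T10:03:02Z ALLOW src=203.0.113.9 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-05-01T10:03:05Z kernel: link up on eth0",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def flag_port_sweeps(lines, port_threshold=5, window_seconds=60):
    """Return {source_ip: sorted distinct ports} for every source that contacts at
    least `port_threshold` distinct destination ports within any `window_seconds`
    sliding window. Both parameters are tuning assumptions, not standard values."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: ignore rather than crash the detector
        events[ev["src"]].append((ev["ts"], ev["dport"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so the sliding window is valid
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            # Keep the largest qualifying port set seen for this source.
            if len(ports) >= port_threshold and len(ports) > len(flagged.get(src, [])):
                flagged[src] = sorted(ports)
    return flagged


if __name__ == "__main__":
    for src, ports in flag_port_sweeps(SAMPLE_LOGS).items():
        print(f"possible active reconnaissance from {src}: ports {ports}")
```

Note that the same detector would see nothing at all during passive reconnaissance, since OSINT collection never sends packets to the target; that asymmetry is why the two techniques are distinguished in the first place.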

Known, Partially Known, and Unknown Testing Methods

  - Factors Affecting Test Selection:
    - Knowledge of the target system, organizational risk appetite, and compliance requirements influence method choice.
    - Budget constraints may favor known environment testing, which requires fewer resources.
  - Objectives of Tests:
    - Known environment testing is for assessing known vulnerabilities.
    - Partially known or unknown tests are for discovering unknown vulnerabilities.

Penetration Testing Method Descriptions

  - Known Environment Testing:
    - Tester has detailed knowledge about target systems, including configurations and users.
  - Partially Known Environment Testing:
    - The tester has limited knowledge of the target system and uses reconnaissance techniques to gather further information.
  - Unknown Environment Testing:
    - The tester has minimal prior information, simulating the scenario of an adversary with no inside knowledge, in order to identify vulnerabilities.

Types of Penetration Testing

  - Offensive Penetration Testing (Red Teaming):
    - Simulates real-world attacks to identify vulnerabilities.
    - Conducted by ethical cybersecurity professionals mirroring potential attackers' techniques.
  - Defensive Penetration Testing (Blue Teaming):
    - Evaluates the effectiveness of security measures and incident response.
  - Physical Penetration Testing:
    - Assesses physical security controls for vulnerabilities through real-world simulations.

Integrated and Continuous Penetration Testing

  - Integrated Penetration Testing:
    - Combines various methodologies for a comprehensive security assessment.
    - Identifies overlooked risks and gives a more accurate picture of the true security posture.
  - Continuous Penetration Testing:
    - Focuses on ongoing identification of vulnerabilities, often utilizing automation for efficiency.
    - Particularly important in continuous integration and continuous deployment (CI/CD) environments.