Please enable JavaScript.

Coggle requires JavaScript to display documents.

Domain 6 - Coggle Diagram

- - - - no to low tech method to exploit humans
    - - Utilizing tech to automatically dial many phone numbers to find weak spots in IT sec.
    - - Exploit that gives attacker powerful control over a system
        
        Fixed with security patches
    - - Poor programming allows more input than the program has allocated space for overwriting data or memory and sometimes allowing the attacker to inject code.
        
        Good programming practices, code scanners, languages that disallow buffer overflows
    - - Utilizing a stub file (common in unix/linux) that may allow attackers to gain unauthorized access
        
        Programs/scripts written to ensure full path to file cannot be circumvented
    - - Bad program design that allows vulnerable conditions to occur such as opening temp files without first ensuring the files cannot be read or written to
        
        Good programming practices
  - - - network diagrams, policies, procedures, reports from previous pen tests
    - - Middle ground between the other two
    - - Blind. No external or trusted information (publicly available knowledge only).
    - - Black box test but security staff are aware the test is taking place
    - - black box test, but the security staff do not know the test is taking place
- - - - Generally used to audit a partner
      - Target was breached due to partner security issues
    - - Pros
        
        Likely have experience auditing many different system types
        
        No conflicts of interest
      - Cons
        
        Cost
        
        Require strict contracts and non-disclosure agreements
    - - Pros
        
        High knowledge of environment
        
        More agile
      - Cons
        
        Limited exposure to other approaches to securing/exploiting systems
        
        Conflict of interest
    - - Required to do third-party audits by certain regulatory agencies such as Sarbanes-Oxley
- - - - Passive test while code is not running
        
        Raw source code looking for known insecure practices
    - - Executes code while testing
    - - Submits random, malformed data as inputs into software to determine if it will crash
        
        Typically automated
        
        A crash from this may suffer from boundary-checking issues and buffer overflows
    - - Testing all unique combinations of inputs
        
        Pairwise testing tests combinations of inputs against different pairs of inputs
  - - - Testing as software is installed and first operated
    - - Testing multiple components as they are combined into a working system
    - - Testing after updates/modifications
    - - Low level test of software components
    - - Ensuring software meets customer's operational requirements (done by customer)