Types of Security Tests
Objective:
State security testing methodologies
Several different types of security tests can be performed. These can range from those that merely examine policy to those that attempt to hack in from the Internet and mimic the activities of true hackers. These security tests are also known by many names, including
Vulnerability Testing
Network Evaluations
Red Team Exercises
Penetration Testing
Host Vulnerability Assessment
Vulnerability Assessment
Ethical Hacking
No matter what the security test is called, it is carried out to make a systematic examination of an organization's network, policies, and security controls. Its purpose is to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of potential security measures, and confirm the adequacy of such measures after implementation. Security tests can be defined as one of three types: high-level assessments, network evaluations, and penetration tests. Each is described as follows:
High-level assessments
Also called a level I assessment, it is a top-down look at the organization's policies, procedures, and guidelines. This type of vulnerability assessment does not include any hands-on testing. The purpose of a top-down assessment is to answer three questions: Do the applicable policies exist? Are they being followed? Is the content sufficient to guard against potential risk?
Network evaluations
Also called a level II assessment, it includes all the elements of a level I assessment plus hands-on activities such as information gathering, scanning, and vulnerability assessment scanning. Throughout this book, the tools and techniques used to perform this type of assessment are discussed.
Penetration tests
Unlike assessments and evaluations, penetration tests are adversarial in nature. Penetration tests are also referred to as level III assessments. These events take on the role of an outsider and look to see what that outsider can access and control. Penetration tests are less concerned with policies and procedures and are more focused on finding low-hanging fruit and seeing what a hacker can accomplish on this network.
NOTE
Just remember that penetration tests are not fully effective if an organization does not have the policies and procedures in place to control security. Without adequate policies and procedures, it’s almost impossible to implement real security. Documented controls are required.
How do ethical hackers play a role in these tests? That’s the topic of the next section.
Please try to comment if I have done well or if you have finished learning from the blog.