Читать книгу CompTIA PenTest+ Certification For Dummies - Glen E. Clarke - Страница 24
Types of assessments
ОглавлениеThe CompTIA PenTest+ certification objectives reference some key terms in regard to the different types of assessments that can be performed. The following are some common types of pentest assessments:
Goals-based/objectives-based: This type of assessment is focused on a specific purpose. For example, you may have installed a new server or piece of software and want to test that specific asset for security flaws. Some examples of goals for goal-based assessments is the company may want to assess the security of only the wireless network, or maybe only perform social engineering attacks to test the effectiveness of the security education program with the employees. Another common goal may be simply to test the security of a public web site or web application.
Compliance-based: A compliance-based assessment is an assessment that is driven by standards and regulations. With compliance-based assessments, you must follow a standard assessment methodology such as the National Institute of Standards and Technology’s (NIST’s) SP800-15 series of guidelines or the PCI DSS from the PCI Security Standards Council.
Red team/blue team: The term red team refers to the internal team of professionals performing a penetration test acting as hackers. With a red team test you are not as focused on reporting and remediation steps after the fact; you are more focused on trying to bypass security controls and determining how your security team will respond to the attack. The security team responsible for defending against attacks is known as the blue team.