Miscellaneous

  • Job Rotation, rotating different subjects through a task so that fraud or errors by one person are likely to be spotted by the next
  • Least Privilege, giving a subject only the access needed to do the job
  • Mandatory vacations, a chance to audit a job function while its usual holder is away
  • Clipping level, a threshold above (or below) which activity is flagged for review, e.g. a number of failed logins
  • Operational assurance is the check that all elements operate in a way that upholds security
  • Lifecycle assurance is the check that security is operating as it should throughout the system's lifetime
  • Asset management, knowing what assets a company has
  • Trusted Recovery Methods (System reboot, system cold start, emergency system restart)
  • What to do after a system crash (Enter save mode, fix issues, recover files, validate critical files)
  • System Hardening (Bastion Host, Hardened Host, No unnecessary services)
  • Remote Access Security (AAA, RADIUS, Cloud Access)
  • Configuration Management (Document and Manage Configuration)
  • Change Management (See ITIL)
  • Media Control (Sanitization, Purging)
  • Network and Resource Availability (Redundant Hardware, Fault Tolerance, MTBF (Mean Time Between Failures), MTTR (Mean Time to Repair), SPOF (Single Point of Failure))
  • RAID Types
  • MAID (Massive Array of Inactive Disks)
  • RAIT (Redundant Array of Independent Tapes)
  • SAN
  • NAS
  • Clustering
  • Grid Computing
  • Email
  • Attack Types

Vulnerability Testing

Penetration Testing

  • Discovery
  • Enumeration
  • Vulnerability Mapping
  • Exploitation
  • Report to Management

Knowledge Levels

  • Zero knowledge (Black Box Testing)
  • Partial knowledge (Gray Box Testing)
  • Full knowledge (White Box Testing)

Vulnerability Types

  • Kernel Flaw
  • Buffer Overflow
  • Symbolic Links
  • File Descriptor Attacks
  • Race Condition
  • Directory Permission