Security Assessment Types

Welcome back, my novice hackers!

Vulnerability Assessment:

A vulnerability assessment is a technical assessment designed to yield as many vulnerabilities as possible in an environment, along with severity and remediation priority information.

Penetration Test:

A Penetration Test is a technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information.

Red Team Assessment:

A Red Team “assessment” is something of a misnomer in the corporate context since corporate Red Team services should ideally be continuous rather than point-in-time. So it should ideally be more of a service than an assessment. But regardless of that distinction, the central purpose of a corporate Red Team is to improve the quality of the corporate information security defenses, which, if one exists, would be the company’s Blue Team. In fact, that’s what a lowercase “red team” is: an independent group that challenges an organization to improve its effectiveness. In the case of corporate Red Teams, the org they’re improving is the Blue Team.

Audit:

An audit can be technical and/or documentation-based, and focuses on how an existing configuration compares to a desired standard. This is an important point. It doesn’t prove or validate security; it validates conformance with a given perspective on what security means. These two things should not be confused.

White/Grey/Black-box Assessment:

The white/grey/black assessment parlance is used to indicate how much internal information a tester will get to know or use during a given technical assessment. The shades map to internal transparency, so a white-box assessment is where the tester has full access to all internal information available, such as network diagrams, source code, etc. A grey-box assessment is the next level of opacity down from white, meaning that the tester has some information but not all. The amount varies. A black-box assessment—as you’re hopefully guessing—is an assessment where the tester has zero internal knowledge about the environment, i.e. it’s performed from the attacker’s perspective.

Risk Assessment:

Risk Assessments, like threat models, are extremely broad in both how they’re understood and how they’re carried out. At the highest level, a risk assessment should involve determining what the current level of acceptable risk is, measuring the current risk level, and then determining what can be done to bring these two in line where there are mismatches. Risk Assessments commonly involve rating risks in two dimensions, probability and impact, and both quantitative and qualitative models are used. In many ways, risk assessments and threat modeling are similar exercises, as the goal of each is to determine a course of action that will bring risk to an acceptable level.
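A small worked example, added here and not taken from the original post: a constructed risk register is scored in the two dimensions named above (probability as a 1 to 5 likelihood rating, impact as a 1 to 5 rating) with one qualitative model and one quantitative model, then checked against an assumed acceptable-risk level to surface the mismatches a risk assessment is meant to find. The bucket boundaries, thresholds and register entries are all assumptions.

```python
# Added example (not from the original post): rate risks by probability and
# impact with a qualitative 5x5 matrix and a quantitative expected-loss model,
# then list the risks that sit above an assumed acceptable level.
# Every rating, boundary, threshold and register entry below is constructed.
from dataclasses import dataclass

LEVELS = ("very low", "low", "medium", "high", "critical")


@dataclass
class Risk:
    name: str
    likelihood: int        # qualitative probability rating, 1..5
    impact: int            # qualitative impact rating, 1..5
    annual_rate: float     # quantitative: expected occurrences per year
    loss_per_event: float  # quantitative: expected cost of one occurrence


def qualitative_rating(r: Risk) -> str:
    """5x5 matrix: likelihood x impact (1..25) bucketed into a level."""
    score = r.likelihood * r.impact
    bounds = (2, 5, 10, 16)  # assumed bucket boundaries
    return LEVELS[sum(score > b for b in bounds)]


def annual_loss_expectancy(r: Risk) -> float:
    """Quantitative model: expected loss per year = rate x loss per event."""
    return r.annual_rate * r.loss_per_event


def mismatches(register, max_level="medium", max_ale=50_000.0):
    """Names of risks above the acceptable level in either model."""
    cutoff = LEVELS.index(max_level)
    return [r.name for r in register
            if LEVELS.index(qualitative_rating(r)) > cutoff
            or annual_loss_expectancy(r) > max_ale]


SAMPLE_REGISTER = [  # constructed sample entries
    Risk("Unpatched VPN appliance", 4, 5, 0.5, 400_000.0),
    Risk("Phishing leads to mailbox compromise", 5, 3, 3.0, 12_000.0),
    Risk("Lost unencrypted laptop", 2, 3, 0.2, 30_000.0),
    Risk("Printer firmware out of date", 2, 1, 0.1, 1_000.0),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name:38} {qualitative_rating(r):9} "
              f"ALE={annual_loss_expectancy(r):,.0f}")
    print("Needs treatment:", mismatches(SAMPLE_REGISTER))
```

Note that the two models can disagree: the phishing entry is flagged by the matrix but not by expected loss, which is exactly the kind of mismatch the assessment then has to resolve.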

Threat Assessment:

A threat assessment is a type of security review that’s somewhat different from the others mentioned. In general it pertains more to physical attacks than technology, but the lines are blurring. The primary focus of a threat assessment is to determine whether a threat (think bomb threat or violence threat) that was made, or that was detected some other way, is credible. The driver for the assessment is to determine how many resources—if any—should be spent on addressing the issue in question.

Bug Bounty:

A Bug Bounty is a type of technical security assessment that leverages crowdsourcing to find vulnerabilities in a system. The central concept is simple: security testers, regardless of quality, have their own set of strengths, weaknesses, experiences, biases, and preferences, and these combine to yield different findings for the same system when tested by different people. In other words, you can give 100 experienced security testers the exact same testing methodology and they’re likely to find widely different vulnerabilities. The bug bounty concept is to embrace this difference instead of fighting it by harnessing multiple testers on a single assessment.

---------Thank You For Giving Your Time---------
