Copyright Goodheart-Willcox Co., Inc.

Chapter 3 Security Evaluation

Rather than work alone, penetration testers often work in teams. The four main types of teams include red, blue, white, and purple teams. Red teams are offensive security professionals. They are the individuals who attempt to break into the systems. Red team members will simulate attacks against the network. Blue teams are the defensive security professionals. The blue teams respond to network threats and are responsible for the security and defenses of the network. White teams set the rules of engagement since they oversee the exercises designed to test the strength and defense of the business. They do not conduct any testing or provide defensive measures. Purple teams represent the blending of red and blue teams and enhance information sharing between the teams to maximize each team’s respective and combined effectiveness. However, purple teams are not needed if effective communication happens organically between red and blue teams.

Testing Authorization

Pen tests are usually conducted by an outside firm rather than internal personnel. Since outside resources are used, an organization should sign a penetration testing authorization with the contractor. In addition, the contractor should sign a nondisclosure agreement.

Penetration Testing Authorization

Penetration testing authorization is permission given by a company or organization to another party to access or hack a system in an effort to determine how susceptible the system is to unauthorized access or penetration. There are a number of reasons for seeking authorization before conducting an assessment, including the following:

■ Authorization provides legal permission to conduct the assessment.
■ Authorization gives approval to conduct an assessment and limits the legal responsibilities of the tester should an outage or disruption in connectivity occur.
In addition to pen testing and vulnerability testing authorization, written permission may be required from third-party vendors, such as Microsoft. The tester is responsible for obtaining and following the policies of each third-party vendor involved. For example, if assets are stored on a cloud, the tester must obtain permission from the cloud vendor, such as Microsoft, Amazon, or Rackspace.

Nondisclosure Agreement (NDA)

An organization may also consider asking a pen tester to sign a nondisclosure agreement. A nondisclosure agreement (NDA) is a legal contract between two parties that restricts the signing party from distributing or sharing confidential information with anyone outside of the agreement. By requesting an NDA, an organization is assured that information uncovered during the test will not be distributed to anyone outside of the company.