Development and operations a practical guide



Joe Vest, James Tubberville, Red Team Development and Operations
Consider This
Assumptions, bias, misunderstandings, and disbelief have a considerable impact on the security failures of an environment.
An unbiased Red Team helps measure the gap between "what is" and "what should be" to get to the truth of security operations as a whole.
Let’s consider the following.
During early red team scenario planning, an organization's security leadership describes who has access to their accounting systems. They say, "5 people in accounting have access to the accounting system." In their minds, this is what "Is." When planning a threat scenario, you must treat this as what "Should Be." This scenario is the perfect opportunity for a Red Team to validate assumptions in a professional and unbiased manner. The goal is not to prove that you can 'hack' into the system but to understand what "Is" vs. what "Should Be."

Another way to describe this:
Is – The actual truth about the security stance of an organization. (E.g., 20 people have access to the sensitive accounting system.)
Should Be – The perceived security stance of an organization. (E.g., only 5 people in accounting can access the sensitive accounting system.)
Challenging assumptions is a fundamental concept of red teaming.


Red Teams in Security Testing
Vulnerability assessment, penetration testing, and Red Teaming are commonly (yet erroneously) used interchangeably and fall under the general category of ethical hacking. This classification may be adequate for high-level conversations about security, but distinctions must be made. Security professionals and clients of security services will continue to blur the lines between these assessment types if the differences are not made clear. We do ourselves a disservice by loosely defining terms; this hurts the security industry and the professionals themselves. That is all the more reason to level-set definitions and come to a common understanding. Misunderstanding of assessment types has led to low-quality assessments claiming to be high-end. Terms must be defined early in an engagement to set expectations and deliver the service a client needs.
