There are several ways to conduct a security evaluation.
- Remote network
  This simulates an intruder launching an attack across the Internet. The primary defenses that must be defeated here are the border firewall, filtering routers and similar perimeter controls.
- Remote dial-up network
  This simulates an intruder launching an attack against the organization's modem pools. The primary defense that must be defeated here is the user authentication scheme.
- Local network
  This simulates an employee or other authorized person who has a legitimate connection to the organization's network. The primary defenses that must be defeated here are the intranet firewall, the intranet web server and the server security measures.
- Stolen equipment
  This tests how well users protect their information assets. For example, if a stolen laptop holds stored passwords or critical information that can be easily accessed, this can be a security breach: the attacker may dial in remotely to the organization's main server with valid credentials.
- Social engineering
  This test evaluates the integrity and awareness of the target organization's personnel. A typical quoted example of social engineering is an intruder calling the computer help line and asking for the external telephone number of the modem pool. Defending against this kind of attack is the hardest because people and personalities are involved. Being helpful comes naturally in organizations geared toward service, and this may inadvertently lead to a security compromise. Frequently seen scenarios include telling someone who appears to be lost where the computer room is located, or letting someone into the building who does not have proper identification credentials. The only defense against this is to raise security awareness.
- Physical entry
  This test acts out a physical penetration of the organization's building. The primary defenses here are a strong security policy, security guards, access control and monitoring, and security awareness.