Page 1040 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

many APTs sponsored by foreign nation states.

Focused on Software If an organization develops software, it can consider potential threats against the software. While organizations didn't commonly develop their own software years ago, it's common to do so today. Specifically, most organizations have a web presence, and many create their own websites. Fancy websites attract more traffic, but they also require more sophisticated programming and present additional threats. Chapter 21, "Malicious Code and Application Attacks," covers application attacks and web application security.


               Identifying Vulnerabilities

After identifying valuable assets and potential threats, an organization will perform vulnerability analysis. In other words, it attempts to discover weaknesses in these systems against potential threats. In the context of access control, vulnerability analysis attempts to identify the strengths and weaknesses of the different access control mechanisms and the potential of a threat to exploit a weakness.

Vulnerability analysis is an ongoing process and can include both technical and administrative steps. In larger organizations, specific individuals may be doing vulnerability analysis as a full-time job. They regularly perform vulnerability scans, looking for a wide variety of vulnerabilities, and report the results. In smaller organizations, a network administrator may run vulnerability scans on a periodic basis, such as once a week or once a month.

A risk analysis will often include a vulnerability analysis by evaluating systems and the environment against known threats and vulnerabilities, followed by a penetration test to exploit vulnerabilities. Chapter 16, "Managing Security Operations," provides more details on using vulnerability scans and vulnerability assessments as part of overall vulnerability management.


               Common Access Control Attacks

Access control attacks attempt to bypass or circumvent access control methods. As mentioned in Chapter 13, access control starts with identification and authorization, and access control attacks often try to