Information Security Terminology - Glossary
Unlike the medical or chemical disciplines, technology has no common terminology across its fields of practice. Information Security likewise lacks standard terms and definitions, which can create confusion, uncertainty and doubt. Let's change that, one term at a time.
A Penetration Test is a testing scenario that models the actions of present threats in order to discover and exploit vulnerabilities in a controlled fashion. The results of a Penetration Test have to include a report of the present Business Risks as well as recommendations for appropriate defenses that can be integrated into the Operations of the target organization.
Unlike a Vulnerability Assessment, a Penetration Test aims to exploit the target systems.
Other spellings: Pentest, Pen Testing, Pen-test…
Red Teaming involves activities similar to those of a Penetration Test. It is about mounting an attack against (internal or external) targets or target organizations.
The goal of Red Teaming is to determine whether the defensive (Blue Team’s) detection and response policies and procedures are effective. Red Teaming is meant to improve the Blue Team’s capabilities.
Types of Penetration Tests
Some types of Penetration tests are:
- Network Surface Penetration Test - the most common scenario
- Client-Side Penetration Test - the most important scenario for Enterprise Security
- Web-Application Penetration Test
- Social Engineering Engagement Penetration Test
- Wireless Security Penetration Test
- Physical Security Exploration and Penetration Test
- Product Security Penetration Test - to limit risk exposure for new technology
- Compliance-Focused Penetration Test (e.g. PCI DSS)
A Penetration Test focuses on breaking into a target organization and exfiltrating data in a covert manner. Red Teaming is proportionally covert, in order to improve the Blue Team. In a Vulnerability Assessment, target systems do not get exploited.
A Vulnerability Assessment focuses on finding security vulnerabilities, which may or may not be used to steal data. The assessments have a broader scope and may include explicit policy and procedure reviews.
Security Audits test information or IT security aspects against a rigorous set of standards or benchmarks. These audits are usually conducted with detailed checklists.
If the policy and procedure review is the primary concern, we speak of a Security Audit. If finding vulnerabilities and rating them is the primary concern, we speak of a Vulnerability Assessment.
Risk has two components: Impact and Likelihood… These two components get weighted depending on credibility and magnitude.
In technical Information Security, a Risk is the overlap between a Threat and a Vulnerability. This definition is most present during a Penetration Test.
Qualitative Risk Assessment
Quantitative Risk Assessment
Agent or actor that can cause harm.
Flaw someone can exploit to cause harm, via manual or automated means.
25.09.2017 - initial definitions
26.09.2017 - added Red Teaming, and more info