Penetration Testing

One error that companies often make is that they set up access controls and then test them only to confirm they are working as intended. The problem with this approach is that they usually test the positive but do not test the negative.

What I mean by that is that after they set up access controls, they test to make sure users can reach the resources they are supposed to access. So, if Bob needs access to servers A and C, they test whether Bob can access both servers. If he can, they conclude that the access controls have been set up properly. The missing step is testing the negative: what else can Bob access? If Bob can also access server D, the company has given Bob too much access ...
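The following is an added example (not code from the CISSP Training Guide) showing what a negative test looks like in practice. It takes an expected access matrix (who should reach what) and a stand-in authorization check, then walks every (user, resource) pair: pairs that should be allowed but are denied are positive-test failures, and pairs that should be denied but are allowed are negative-test failures. The users, servers, `DEPLOYED_ACL` and the `is_allowed` function are all constructed for this illustration; in a real audit `is_allowed` would be replaced by a call against the actual access-control system.

```python
"""Positive and negative access-control testing (added example, not from the book)."""
from itertools import product

# Constructed sample: the access each subject is *supposed* to have.
# A subject with an empty set should be able to reach nothing.
EXPECTED_ACCESS = {
    "bob":   {"server_a", "server_c"},
    "alice": {"server_b"},
    "eve":   set(),
}

# Constructed sample: the full set of resources under test.
RESOURCES = {"server_a", "server_b", "server_c", "server_d"}

# Constructed sample ACL "as deployed".  Bob was also granted server_d,
# which a positive-only test (checking A and C) would never notice.
DEPLOYED_ACL = {
    "server_a": {"bob"},
    "server_b": {"alice"},
    "server_c": {"bob"},
    "server_d": {"bob"},
}


def is_allowed(acl, user, resource):
    """Hypothetical access check; stands in for the real authorization call."""
    return user in acl.get(resource, set())


def audit_access(acl, expected, resources):
    """Compare deployed access against the expected matrix.

    Returns (missing, excessive):
      missing   - pairs that should be allowed but are denied (positive-test failures)
      excessive - pairs that should be denied but are allowed (negative-test failures)
    Every subject is tested against every resource, so 'what else can Bob
    access?' is answered exhaustively rather than by spot-checking.
    """
    missing, excessive = [], []
    for user, resource in product(sorted(expected), sorted(resources)):
        should_allow = resource in expected[user]
        actually_allowed = is_allowed(acl, user, resource)
        if should_allow and not actually_allowed:
            missing.append((user, resource))
        elif actually_allowed and not should_allow:
            excessive.append((user, resource))
    return missing, excessive


def main():
    missing, excessive = audit_access(DEPLOYED_ACL, EXPECTED_ACCESS, RESOURCES)
    print("Positive-test failures (required access missing):", missing)
    print("Negative-test failures (excess access granted):  ", excessive)


if __name__ == "__main__":
    main()
```

Run stand-alone, the positive tests all pass (Bob reaches A and C, Alice reaches B), which is exactly where a positive-only test would stop; the negative pass reports `('bob', 'server_d')` as excess access. The same loop also confirms that a subject with no expected access (here `eve`) is denied everywhere.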
