Your company outsourced the penetration testing project to an external party conducting ethical hacking. The project, as a black box, is conducted in secret. Which of the following is least likely to entail penetration testing?
A. Patch management
B. Risk assessment
C. Security control assessment
D. Threat modeling
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Threat modeling.
Threat modeling is typically conducted in software or system engineering. It relies on reviewing designs, presented as diagrams, to identify attack vectors and calculate the attack surface. The data flow and input/output interface are the major sources of vulnerabilities and subject to attacks. System architecture, network architecture, data flow, etc. are examples of diagrams commonly reviewed. In light of this, threat modeling is a white box.
Penetration testing is one form of testing, one of the typical assessment methods (interviewing, examination, and testing). Pentesting can be part of risk assessment for risk identification or security control assessment for validating the effectiveness of security controls.
Patch management program typically involves risk management to identify, validate, and prioritize vulnerabilities for patches. The following is a patch management reference model from SANS:
- Establish Importance
- Define Scope
- High Level Policy
- Establish Security Organization
- Identify & Classify (assets)
- Identify & Classify Risks
- Plan for Risk Management
- Implement Risk Mitigation Strategy
- Statement of Applicability
- Training & Security Awareness
- Monitor & Review
- Maintain & Improve
Penetration testing can be conducted as a Blackbox and in secret (double-blinded) in the contexts introduced above, risk assessment, security control assessment, and patch management.