adammontville / cis-controls-71-measures


Subcontrol 20.5 #174

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

Measures

None provided

Metrics

None provided

apiperCIS commented 5 years ago

Inputs

1) List of penetration tests and Red Team attacks and associated elements that are not typically tested in production (i.e. SCADA systems)
2) Description of test bed(s) that have been set up to mimic these production environments

Operations

1) For each penetration test and Red Team attack in Input 1, manually review the Inputs to see that there is at least one appropriate test bed in Input 2 to cover that test or attack. Those tests/attacks that have at least one matching test bed will be included in list M1, while those that do not have a matching test bed will be included in list M2.

Measures

M1: List of penetration tests and Red Team attacks that have at least one matching test bed
M2: List of penetration tests and Red Team attacks that do not have at least one matching test bed
M3: Count of tests/attacks that do have a matching test bed (count of M1)
M4: Total count of tests/attacks in Input 1

Metrics

Ratio of tests/attacks not typically tested in production that do have a matching test bed: M3 / M4
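
The matching and counting described in the comment above, as an added Python example that is not part of the original issue or the repository's own code. It assumes each test in Input 1 names one targeted element and each test bed in Input 2 lists the elements it mimics; the class names, field names, element tags and sample rows are constructed for illustration, and the manual review is approximated by an exact tag match.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PlannedTest:           # one row of Input 1 (hypothetical shape)
    name: str
    element: str             # production element the test targets


@dataclass(frozen=True)
class BedDescription:        # one row of Input 2 (hypothetical shape)
    name: str
    mimics: frozenset        # production elements the test bed reproduces


def measure_20_5(tests, beds):
    """Return M1..M4 and the metric for Sub-Control 20.5."""
    # Every element reproduced by at least one test bed.
    covered = set().union(*(b.mimics for b in beds))
    m1 = [t.name for t in tests if t.element in covered]
    m2 = [t.name for t in tests if t.element not in covered]
    m3, m4 = len(m1), len(tests)
    # With an empty Input 1 the ratio is undefined: report None, not 0 or 1.
    metric = m3 / m4 if m4 else None
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "metric": metric}


# Constructed sample inputs, not taken from the issue.
SAMPLE_TESTS = [
    PlannedTest("SCADA HMI penetration test", "scada-hmi"),
    PlannedTest("PLC network segment test", "plc"),
    PlannedTest("Historian red team exercise", "historian"),
]
SAMPLE_BEDS = [
    BedDescription("OT lab A", frozenset({"scada-hmi", "plc"})),
]

if __name__ == "__main__":
    for key, value in measure_20_5(SAMPLE_TESTS, SAMPLE_BEDS).items():
        print(f"{key}: {value}")
```

M2 is the list to act on: each entry is a test that would otherwise have to run against production or be skipped.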