CISSP Flashcards: Security Assessment, Penetration Testing, Vulnerability Management


This section covers security assessment techniques, including penetration testing and vulnerability management, as well as security operations such as incident response and forensics.


Nortren

What is the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment identifies, quantifies, and prioritizes security weaknesses in systems and networks using automated scanning tools. It produces a comprehensive list of vulnerabilities with severity ratings but does not attempt to exploit them. A penetration test goes further by actively exploiting discovered vulnerabilities to determine what an attacker could actually achieve, including lateral movement and data exfiltration. Vulnerability assessments are broader in scope and conducted more frequently, while penetration tests are deeper, more targeted, and conducted less often.

What are the types of penetration testing?

Penetration tests are classified by the tester's knowledge level. Black box testing means the tester has no prior knowledge of the target systems, simulating an external attacker. White box testing gives the tester full knowledge of the architecture, source code, and configurations, enabling thorough testing of internal controls. Gray box testing provides partial knowledge, simulating an insider or an attacker who has gained initial access. Tests are also categorized by target: network, application, wireless, social engineering, and physical.

What is a security audit and how does it differ from a security assessment?

A security audit is a formal, systematic evaluation of an organization's security posture against a specific standard, regulation, or set of criteria, conducted by independent auditors who produce a pass or fail determination. Examples include SOC 2 audits, ISO 27001 certification audits, and PCI DSS assessments. A security assessment is a broader, more flexible evaluation that identifies risks and recommends improvements without necessarily measuring against a fixed standard. Audits are typically required by regulators or customers and result in certification or attestation.

What is the difference between SOC 1, SOC 2, and SOC 3 reports?

SOC reports are attestation reports produced by independent auditors under the AICPA framework. SOC 1 evaluates controls relevant to financial reporting, used when a service organization affects a client's financial statements. SOC 2 evaluates controls related to security, availability, processing integrity, confidentiality, and privacy, and is the standard report requested by enterprise customers evaluating cloud providers. SOC 3 contains the same information as SOC 2 but in a general-use summary format suitable for public distribution. Type I reports assess controls at a point in time.

What is a Common Vulnerability Scoring System (CVSS) score?

The Common Vulnerability Scoring System, or CVSS, is an open framework for rating the severity of software vulnerabilities on a scale from 0.0 to 10.0. Scores are categorized as none at 0.0, low from 0.1 to 3.9, medium from 4.0 to 6.9, high from 7.0 to 8.9, and critical from 9.0 to 10.0. CVSS considers base metrics like attack vector and complexity, temporal metrics like exploit availability and patch status, and environmental metrics reflecting the specific organization's context. CVSS scores help prioritize remediation efforts, with critical and high vulnerabilities addressed first.

What is continuous monitoring in security assessment?

Continuous monitoring is the ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. NIST SP 800-137 defines it as maintaining situational awareness through automated tools that continuously assess security controls, collect security data, and report on the security posture. This replaces the outdated approach of point-in-time assessments that quickly become stale.