Domain 5 · 20%

Audits, Assessments & Penetration Testing

Topics: Internal Audits and Assessments · External Audits and Assessments · Regulatory Compliance (GDPR, HIPAA, PCI-DSS, SOX) · Penetration Testing Types · Reconnaissance in Penetration Testing · Attestation of Findings

58 cards · 4 sections

Internal Audits and Assessments (OBJ 5.5)

Terms & Definitions (5)

Internal Audit

A systematic evaluation conducted by an organization's own audit team to assess the effectiveness of internal controls, regulatory compliance, and the integrity of information systems and processes.

Internal Assessment

An in-depth analysis conducted to identify and evaluate potential risks and vulnerabilities in an organization's information systems; typically performed before implementing new systems or making significant changes to existing ones.

Self-Assessment

An internal evaluation conducted by an organization to assess its own compliance with specific standards or regulations; uses structured yes/no checklists to identify compliance gaps and prepare for formal audits.

Audit Committee

A group of individuals — typically board-level members — who oversee an organization's audit and compliance activities; responsibilities include reviewing financial reporting, overseeing internal and external audits, and ensuring regulatory compliance.

Compliance (Audit Context)

Ensuring that an organization's information systems and security practices adhere to established standards, regulations, and laws; may mandate periodic internal audits at defined intervals.

Key Concepts (3)

Internal Audit vs. Internal Assessment — Primary Distinction

Internal audits evaluate the effectiveness of internal controls and verify compliance with regulations and policies. Internal assessments identify and evaluate potential risks and vulnerabilities to determine what needs to be addressed before changes or new system deployments.

Internal Audit Focus Areas

  • Data protection policies and their implementation
  • Network security configurations and controls
  • Access controls — verifying least privilege, segregation of duties, and timely access revocation
  • Incident response procedures and their effectiveness

Self-Assessment Structure

  • Yes/no questions covering security domains
  • Comments and action items identifying gaps
  • Assigned ownership — each action item assigned to a specific individual or group
  • Cross-departmental participation — IT, security, and administration must all contribute

Exam Tips (3)

Audit vs. Assessment — Scenario Mapping

Scenario: 'organization evaluates whether access controls comply with regulations' → Answer: Internal audit. Scenario: 'organization identifies vulnerabilities before deploying a new web application' → Answer: Internal assessment. Audits verify compliance; assessments identify risk.

Audit Committee — Oversight Role

Scenario: 'exam asks who oversees internal and external audit activities at the board level' → Answer: Audit committee. Distinct from the internal audit team that actually conducts the audits.

Compliance-Mandated Internal Audits

Internal audits may be legally required — not optional. Frequency is determined by industry compliance requirements (quarterly or annual). Failure to conduct required audits is itself a compliance violation.

External Audits and Assessments (OBJ 5.5)

Terms & Definitions (6)

External Audit

A systematic evaluation of an organization's information systems, applications, and security controls conducted by an independent third-party entity; provides an objective, unbiased view of the organization's true security posture.

External Assessment

A detailed analysis conducted by an independent entity using automated scanning tools and manual testing to identify vulnerabilities and risks; types include risk assessments, vulnerability assessments, and threat assessments.

Regulatory Compliance

An organization's adherence to laws and regulations governing the management of IT systems and data; achieved through implementing specific security controls, maintaining policies, and undergoing regular audits and assessments.

Examination (External)

A detailed external inspection of an organization's security infrastructure that also tests key personnel through knowledge-based exams and verifies that their certifications are current; common in highly regulated industries such as nuclear power and financial services, typically conducted every 1–5 years.

Independent Third-Party Audit

An audit conducted by an entity with no organizational relationship to the auditee; provides unbiased validation of security posture and compliance; explicitly required by GDPR and PCI-DSS.

HITECH Act

Health Information Technology for Economic and Clinical Health Act; US legislation promoting adoption of electronic health records; governs breach notification processes and risk assessment documentation requirements for healthcare organizations.

Key Concepts (3)

External Audit vs. Internal Audit — Primary Distinction

External audits are conducted by independent third parties and provide an unbiased, objective perspective on security posture. Internal audits are conducted by the organization's own team. Many regulations require external audits specifically because of this objectivity requirement.

HIPAA External Assessment Structure

  • Administrative Safeguards — risk assessment documentation, risk management policy, organizational charts
  • Physical Safeguards — physical security policies, data destruction procedures, role-based access logs
  • Technical Safeguards — encryption policies, IT access monitoring controls, user access listings for PHI systems
  • HITECH provisions — breach notification processes, entity-level risk assessment capabilities

Regulatory Frameworks Requiring External Audits

  • GDPR — General Data Protection Regulation; EU data privacy; requires independent third-party audits
  • HIPAA — Health Insurance Portability and Accountability Act; US health data; requires external assessments
  • PCI-DSS — Payment Card Industry Data Security Standard; requires periodic independent third-party audits
  • SOX — Sarbanes-Oxley Act; financial controls; requires external financial auditing

Exam Tips (3)

When External Audit Is Required

Scenario: 'organization needs an objective, unbiased view of its security posture' → Answer: External audit or independent third-party audit. Internal audits cannot provide the objectivity required by regulatory bodies.

Regulations Mandating Independent Third-Party Audits

Scenario: 'which regulations explicitly require independent third-party audits' → Answer: GDPR and PCI-DSS explicitly require them. HIPAA requires external assessment; SOX requires external financial auditing. PCI-DSS is the most frequently tested in pentest/audit contexts.

Examination vs. Assessment — Primary Distinction

An examination extends beyond a standard assessment by also testing key personnel through knowledge-based exams and verifying certifications are current. Examinations occur in critical infrastructure sectors; most security professionals will encounter assessments, not examinations.

Penetration Testing (OBJ 5.5)

Terms & Definitions (12)

Penetration Testing (Pentest / Ethical Hacking)

An authorized simulated cyber attack against computer systems, networks, or applications to identify exploitable vulnerabilities before real attackers can; involves assessing systems for weaknesses using attacker techniques.

Physical Penetration Testing

Testing the physical security of an organization by attempting to bypass locks, access cards, cameras, and access control vestibules; identifies physical vulnerabilities such as tailgating and badge cloning risks.

Offensive Penetration Testing (Red Teaming)

Proactive testing that actively seeks and exploits vulnerabilities using real attacker techniques; aims to uncover the maximum number of vulnerabilities to demonstrate real-world attack impact.

Defensive Penetration Testing (Blue Teaming)

Reactive security testing focused on strengthening systems, detecting attacks, and improving incident response capabilities; evaluates an organization's ability to detect and respond to active threats.

Integrated Penetration Testing (Purple Teaming)

Combines Red Team (offensive) and Blue Team (defensive) working together in a single engagement; red team attacks while blue team detects and responds; both teams share findings to improve overall security posture.

Active Reconnaissance

Gathering target information by directly engaging with the target system — port scanning, pinging, or attempting connections; yields more information but carries a higher risk of detection by defenders.

Passive Reconnaissance

Gathering target information without directly engaging the system — using OSINT, WHOIS lookups, public databases, or observing network traffic; lower detection risk but yields less detail.

Known Environment (White Box) Test

Pentest where testers receive full infrastructure details before the engagement (network diagrams, IP ranges, OS versions, credentials); simulates an insider threat scenario; minimal reconnaissance needed.

Partially Known Environment (Gray Box) Test

Hybrid pentest where testers receive limited target information; simulates an attacker who has obtained partial insider knowledge; reconnaissance is used to fill knowledge gaps.

Unknown Environment (Black Box) Test

Pentest where testers receive minimal to no prior information about the target; simulates a real-world external attacker; extensive reconnaissance required to discover assets, services, and entry points.

Metasploit

A multipurpose penetration testing framework containing exploits, auxiliaries, posts, payloads, encoders, nops, and evasion modules; the primary framework used by penetration testers; pre-installed on Kali Linux and Parrot Linux.

Nmap

A network scanning tool used for host discovery, port scanning, and service version detection; used during active reconnaissance to identify open ports and services running on target systems.

Key Concepts (4)

Penetration Testing Team Color Framework

  • Red Team — offensive penetration testing; actively attacks and exploits vulnerabilities using attacker techniques
  • Blue Team — defensive penetration testing; detects attacks, responds, and strengthens defenses
  • Purple Team — integrated testing; red and blue teams working together; cross-team knowledge sharing to improve both attack and defense capabilities

Metasploit Module Types

  • Exploits — code that delivers a payload to attack a specific vulnerability
  • Auxiliaries — scanners, sniffers, fuzzers, and spoofers; non-exploit support modules
  • Post — post-exploitation tasks on compromised hosts (persistence, lateral movement, data exfiltration)
  • Payloads — code executed after a successful exploit; provides access or elevated permissions (e.g., reverse shell)
  • Encoders — encode payloads to bypass IDS, firewalls, and ACLs
  • Nops — non-operation padding that keeps payload sizes consistent across exploit attempts
  • Evasion — techniques to bypass security defenses

Active vs. Passive Reconnaissance — Detection Trade-Off

Active reconnaissance directly engages the target and yields more detailed information but risks detection by defenders. Passive reconnaissance collects data without touching the target and has minimal detection risk but provides less detail.

Environment Type vs. Reconnaissance Requirement

  • Known (white box) — full info provided; minimal reconnaissance needed; tests depth of exploitation of known assets
  • Partially known (gray box) — limited info; reconnaissance fills gaps; simulates attacker with partial insider knowledge
  • Unknown (black box) — no info; extensive reconnaissance required; simulates real external attacker

Exam Tips (5)

Team Color Mapping — Primary Answer

Red Team = offensive (attacks). Blue Team = defensive (detects and responds). Purple Team = integrated (both working together). Scenario: 'team that actively exploits vulnerabilities' → Red Team. Scenario: 'team focused on detection and response' → Blue Team.

Passive Reconnaissance — Low Detection Risk

Scenario: 'penetration tester must gather information with minimal chance of alerting defenders' → Answer: Passive reconnaissance (OSINT, WHOIS, public databases). Active reconnaissance such as Nmap port scanning generates detectable network traffic.

Environment Type — Insider Threat Simulation

Scenario: 'which pentest environment simulates an insider threat' → Answer: Known environment (white box). The tester has full infrastructure details just as an insider would. Unknown (black box) simulates an external attacker with no prior knowledge.

Metasploit Tool Recognition

Nmap is used for port scanning and service detection during active reconnaissance. Metasploit is used for exploitation (using exploits and payloads) and post-exploitation. EternalBlue (MS17-010) is the SMB vulnerability exploited by WannaCry ransomware (2017); commonly used to demonstrate real-world exploit impact.

Metasploit Options — RHOST and LHOST

RHOST = remote host (target IP address). RPORT = remote port (target service port). LHOST = local host (attacker's listening address). LPORT = local port (attacker's listening port). Know these Metasploit option names for scenario questions.

Attestation of Findings (OBJ 5.5)

Terms & Definitions (7)

Attestation

A formal validation or confirmation provided by an entity asserting the accuracy and authenticity of specific information; strengthens trust, transparency, and accountability in both internal and external audit contexts.

Attestation of Findings

A formal written declaration confirming that a penetration test occurred and that its findings are valid based on presented evidence; required when pentests are conducted for regulatory compliance (GLBA, HIPAA, SOX, PCI-DSS).

Letter of Attestation

A formal document issued by a penetration testing firm proving a security assessment was completed; includes a summary of findings and confirmation of the testing period; submitted to third parties as regulatory compliance evidence.

Software Attestation

Validation of software integrity using cryptographic techniques; verifies that a software update or application has not been tampered with since it was signed by the vendor (digital signature verification).

Hardware Attestation

Validation of hardware integrity using a Trusted Platform Module (TPM); the TPM stores measurements of hardware and firmware configurations, which are checked at boot time to detect unauthorized modification.

System Attestation

Validation that a system or service meets defined security standards; typically provided by cloud service providers as certification of compliance with standards such as ISO 27001 or SOC 2.

TPM (Trusted Platform Module)

A hardware security chip that stores measurements of a computer's hardware and firmware configurations; used for hardware attestation by comparing stored measurements against current system state at each boot.

Key Concepts (3)

Attestation of Findings vs. Penetration Test Report

  • Pentest report — documents findings and remediation recommendations; delivered to the organization; describes what was found and how to fix it
  • Attestation of findings — includes evidence proving the test actually occurred (logs, screenshots, exploit demonstrations); used to prove compliance to regulatory third parties
  • Evidence shown during attestation may not be retained by the organization

When Attestation Is Required

Attestation is required when a pentest is conducted for regulatory compliance — GLBA, HIPAA, SOX, or PCI-DSS. An internal pentest conducted solely for organizational knowledge does not require formal attestation.

Three Types of Technical Attestation

  • Software attestation — cryptographic digital signature verification; confirms software has not been tampered with since signing
  • Hardware attestation — TPM boot measurement verification; confirms hardware and firmware integrity at startup
  • System attestation — compliance certification from cloud/service provider; confirms system meets standards (ISO 27001, SOC 2)

Exam Tips (4)

Attestation vs. Pentest Report — Primary Distinction

Scenario: 'what document proves a penetration test occurred and includes evidence for regulatory submission' → Answer: Attestation of findings (letter of attestation). A pentest report documents findings and remediation; it does not prove the test occurred to a third party.

Compliance-Driven Pentest Requires Attestation

Scenario: 'organization conducting a pentest to satisfy PCI-DSS requirements' → Answer: Requires a letter of attestation. Regulations requiring attestation include GLBA, HIPAA, SOX, and PCI-DSS.

TPM — Hardware Attestation Use Case

Scenario: 'which hardware component verifies a system has not been tampered with at boot time' → Answer: TPM (Trusted Platform Module) performing hardware attestation. TPM stores expected measurements and compares them at each boot.

Three Attestation Types — Quick Reference

Software attestation = digital signature verification. Hardware attestation = TPM boot measurement. System attestation = compliance certification (ISO 27001, SOC 2). Know which mechanism corresponds to each type for scenario questions.