OBJECTIVE 5.5

Explain types and purposes of audits and assessments

Audits and assessments verify that security controls are implemented, effective, and aligned with requirements. They’re how you prove your security posture — to yourself, to regulators, and to business partners.

Assessment Types

Vulnerability Assessment

Identifies known vulnerabilities in systems and applications.

  • Automated scanning tools (Nessus, Qualys, OpenVAS)
  • Produces a list of vulnerabilities with CVSS severity scores
  • Does not exploit vulnerabilities — identifies them only
  • Regular cadence: quarterly at minimum, continuous for critical systems

Penetration Testing

Authorized attempt to exploit vulnerabilities to demonstrate real-world impact.

  • Goes beyond vulnerability scanning — actually attempts to compromise systems
  • Demonstrates what an attacker could achieve, not just what’s theoretically vulnerable

Types:

  • Black box: Tester has no prior knowledge of the target. Simulates external attacker.
  • White box: Tester has full knowledge (source code, network diagrams, credentials). Most thorough.
  • Gray box: Tester has partial knowledge. Simulates an insider, or an external attacker who has already completed some reconnaissance.

Methodology:

  • Rules of engagement: Scope, timing, authorized targets, escalation procedures, emergency contacts
  • Reconnaissance → Scanning → Exploitation → Post-exploitation → Reporting
  • Written authorization (get-out-of-jail letter) required before any testing

Threat Assessment

Evaluates potential threats specific to the organization.

  • Which threat actors are most likely to target you?
  • What are their capabilities and motivations?
  • What attack vectors would they use?

Physical Security Assessment

Evaluates physical controls: locks, cameras, access control, perimeter security.

  • May include physical penetration testing (tailgating, social engineering for physical access)

Audit Types

Internal Audit

Conducted by the organization’s own audit team.

  • Regular self-assessment of control effectiveness
  • Tests compliance with internal policies and external requirements
  • Identifies gaps before external auditors find them
  • Independence matters: Internal auditors should report to leadership independent of the teams being audited

External Audit

Conducted by independent third-party auditors.

  • Required for many compliance standards (SOC 2, PCI-DSS, ISO 27001)
  • Greater credibility because of independence
  • Results may be shared with regulators, customers, or business partners

Regulatory Audit

Conducted by or on behalf of a regulatory body.

  • HIPAA audits by HHS Office for Civil Rights
  • PCI-DSS assessments by Qualified Security Assessors (QSA)
  • Non-voluntary — regulators can mandate these

Assessment Frameworks

NIST SP 800-53

Comprehensive catalog of security controls for federal systems.

  • Controls organized by family (Access Control, Audit, Incident Response, etc.)
  • Risk-based selection — choose controls based on system categorization (low/moderate/high impact)

CIS Benchmarks

Prescriptive configuration guidelines for specific technologies.

  • Benchmark for Windows Server, Linux, AWS, Azure, Kubernetes, etc.
  • Two levels: Level 1 (practical, minimal impact) and Level 2 (defense-in-depth, may affect functionality)

SCAP (Security Content Automation Protocol)

Set of standards for automated vulnerability management and compliance checking.

  • XCCDF: Language for defining security checklists
  • OVAL: Language for describing system configuration states
  • CVE: Common Vulnerabilities and Exposures — standard naming for vulnerabilities
  • CVSS: Common Vulnerability Scoring System — standard severity rating (0-10)
  • CPE: Common Platform Enumeration — standard naming for products

Security Ratings

Third-party services that continuously assess an organization’s external security posture.

  • BitSight, SecurityScorecard — score organizations based on observable external data
  • Used for vendor risk assessment, board reporting, benchmarking
  • Limitation: Only sees what’s externally visible. A high score doesn’t mean internal security is strong.

Audit Evidence

Types of Evidence

  • Documentary: Policies, procedures, configuration files, architecture diagrams
  • Technical: Scan results, log files, system configurations, firewall rules
  • Testimonial: Interviews with personnel about processes and practices
  • Observational: Auditor directly observes processes being performed

Attestation

Formal statement by an authorized party that controls are in place and operating.

  • SOC 2 attestation: auditor attests that controls meet Trust Services Criteria
  • Self-attestation: organization certifies its own compliance (less credible)

Offensive Context

Penetration testing is offense in service of defense — the only sanctioned way to prove that your defenses actually work. Vulnerability scans find what’s theoretically exploitable; pen tests prove what’s practically exploitable. The gap between the two is where real risk lives. A CVSS 10.0 vulnerability that requires local access on a fully segmented, air-gapped system is lower practical risk than a CVSS 7.0 on your internet-facing VPN. Assessments that account for exploitability and context are more valuable than ones that sort by CVSS score alone.
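As an added example (not part of the original study guide), the Python below applies the exploitability argument above to the CVSS vector strings described under SCAP: it reads the Attack Vector metric from each finding's CVSS v3.1 vector and weights the base score by where the affected asset sits on the network, so the CVSS 7.0 on the internet-facing VPN outranks the CVSS 10.0 on the air-gapped host. The exposure categories, weights and sample findings (placeholder CVE ids) are assumptions chosen for illustration, not a standard.

```python
from dataclasses import dataclass
# CVSS v3.1 Attack Vector values usable against an asset in each network
# position (assumed categories). N=Network, A=Adjacent, L=Local, P=Physical.
REACHABLE_AV = {
    "internet-facing": {"N", "A", "L", "P"},
    "internal": {"A", "L", "P"},
    "segmented": {"L", "P"},
    "air-gapped": {"L", "P"},
}
# Weight applied to the base score for each position (assumed values).
EXPOSURE_WEIGHT = {"internet-facing": 1.0, "internal": 0.8, "segmented": 0.5, "air-gapped": 0.3}

@dataclass
class Finding:
    cve: str        # identifier as reported by the scanner
    host: str
    cvss: float     # CVSS v3.1 base score, 0.0 to 10.0
    vector: str     # CVSS v3.1 vector string, e.g. "CVSS:3.1/AV:N/AC:L/..."
    exposure: str   # one of the REACHABLE_AV keys

def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])

def practical_risk(f: Finding) -> float:
    """Base score scaled by exposure. An attack vector the asset's position does
    not expose is discounted 4x, not zeroed: local access can follow another foothold."""
    av = parse_vector(f.vector)["AV"]
    reachable = av in REACHABLE_AV[f.exposure]
    factor = EXPOSURE_WEIGHT[f.exposure] * (1.0 if reachable else 0.25)
    return round(f.cvss * factor, 1)

def prioritise(findings):
    """Findings sorted by practical risk, highest first."""
    return sorted(findings, key=practical_risk, reverse=True)

# Constructed sample findings (placeholder CVE ids): the page's CVSS 10.0 local flaw on
# an air-gapped host vs CVSS 7.0 network flaw on the VPN, plus a network flaw on a segmented host.
SAMPLE = [
    Finding("CVE-0000-0001", "scada-hmi-01", 10.0,
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "air-gapped"),
    Finding("CVE-0000-0002", "vpn-gw-01", 7.0,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "internet-facing"),
    Finding("CVE-0000-0003", "file-srv-02", 8.0,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "segmented"),
]
```

Running `prioritise(SAMPLE)` returns the VPN gateway first (7.0), the air-gapped host second (3.0) and the segmented file server last (1.0), the opposite of a sort by raw CVSS.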