Question 393 - CISA discussion

A network vulnerability assessment is a process of identifying and evaluating the weaknesses and exposures in a network that could be exploited by attackers to compromise the confidentiality, integrity, or availability of the network or its resources. A network vulnerability assessment typically involves scanning the network devices, such as routers, switches, firewalls, servers, and workstations, using automated tools that compare the device configurations, software versions, and patch levels against a database of known vulnerabilities. A network vulnerability assessment can also include manual testing and verification of the network architecture, design, policies, and procedures.One of the main objectives of a network vulnerability assessment is to detect and report any misconfiguration and missing updates in the network devices that could pose a security risk1. Misconfiguration refers to any deviation from the recommended or best practice settings for the network devices, such as weak passwords, open ports, unnecessary services, default accounts, or incorrect permissions.Missing updates refer to any outdated or unsupported software or firmware that has not been patched with the latest security fixes or enhancements from the vendors2.Misconfiguration and missing updates are common sources of network vulnerabilities that can be exploited by attackers to gain unauthorized access, execute malicious code, cause denial of service, or escalate privileges on the network devices3. Therefore, an IS auditor should expect to see misconfiguration and missing updates in a network vulnerability assessment. The other options are less relevant or incorrect because:

B . Malicious software and spyware are not usually detected by a network vulnerability assessment, as they are more related to the content and behavior of the network traffic rather than the configuration and patch level of the network devices. Malicious software and spyware are programs that infect or monitor the network devices or their users for malicious purposes, such as stealing data, displaying ads, or performing remote commands.Malicious software and spyware can be detected by other security tools, such as antivirus software, firewalls, or intrusion detection systems4.

C . Zero-day vulnerabilities are not usually detected by a network vulnerability assessment, as they are unknown or undisclosed vulnerabilities that have not been reported or patched by the vendors or the security community. Zero-day vulnerabilities are rare and difficult to discover, as they require advanced techniques and skills to exploit them.Zero-day vulnerabilities can be detected by other security tools, such as intrusion prevention systems, anomaly detection systems, or artificial intelligence systems5.

Security design flaws are not usually detected by a network vulnerability assessment, as they are more related to the logic and functionality of the network rather than the configuration and patch level of the network devices. Security design flaws are errors or weaknesses in the network architecture, design, policies, or procedures that could compromise the security objectives of the network.Security design flaws can be detected by other security methods, such as security reviews, audits, or assessments6.Reference:Network Vulnerability Assessment - ISACA,Network Vulnerability Scanning - NIST,Network Vulnerabilities - SANS,Malware - ISACA,Zero-Day Attacks - ISACA,Security Design Principles - NIST