5.5 Domain 5 · Security Program Management

Types and Purposes of Audits and Assessments

Internal vs. external audits, attestation, regulatory examinations, pen testing flavors (black/gray/white box, offensive/defensive/integrated, physical), and active vs. passive reconnaissance.

The Concept

Audits and assessments answer the question “do our controls actually work?” but they answer it with very different rigor depending on who runs them and what authority they carry. The Security+ exam separates: internal evaluation (self-assessments, internal audit, audit committee), external evaluation (regulatory examinations, independent third-party audits), and a special category of penetration testing with its own vocabulary — box colors (knowledge given to tester), team colors (offense vs. defense), and recon types (passive vs. active).

The exam loves three pairs: black/gray/white box (no info / partial info / full info given to tester), red/blue/purple team (offense / defense / collaboration), and passive/active recon (no contact / direct contact). Plus a clean distinction: pen test ≠ vulnerability scan.

Textbook

Attestation. A formal statement, typically from a CPA firm, that controls operate as described. A SOC 2 report is an attestation engagement performed under AICPA standards; the report carries the auditor’s opinion rather than a certificate. Attestations are the basis of customer trust in vendor security.

Internal audits. Performed by the organization itself:

  • Compliance audit — tests adherence to internal policies plus external regulations (HIPAA, PCI, SOX). Common focus areas: change management, access reviews, encryption, logging.
  • Audit committee — the board-level body that oversees internal audit. The audit committee charter establishes independence and reporting lines (typically up to the board, not management).
  • Self-assessment — the team evaluates its own controls. Lowest independence; highest familiarity. Useful for continuous improvement; insufficient for external assurance.

External audits. Performed by parties outside the organization:

  • Regulatory audit — required by law or regulator. Examples: IT examinations of banks conducted under the FFIEC handbooks by agencies such as the OCC and FDIC, and HHS-OCR audits and compliance reviews under HIPAA.
  • Examinations — similar in form to audits but typically regulator-led rather than commissioned by the audited entity. The regulator decides scope and timing.
  • Assessment — a broader evaluation; may or may not result in a formal opinion. Less rigid than an audit.
  • Independent third-party audit — contracted external auditor (ISO 27001 certification body, SOC 2 CPA firm, PCI Qualified Security Assessor [QSA]).

Penetration testing — box colors (how much information is given to the tester):

  • Known environment (white box) — tester has full information: architecture diagrams, source code, credentials. Most efficient at finding deep flaws; least like a real attacker.
  • Partially known environment (gray box) — tester has some information (a low-privilege account, scope-limited targets). Balances depth and realism.
  • Unknown environment (black box) — tester has no information. Closest simulation of an external attacker; slowest because the tester has to discover everything.

Penetration testing — engagement types:

  • Offensive (red team) — simulates a real adversary, often goal-based (“get to the crown-jewel database”). Covert; not the same as a wide-scope vulnerability assessment.
  • Defensive (blue team) — the defenders, typically SOC and IR, exercising under attack conditions.
  • Integrated (purple team) — offense and defense collaborate openly, sharing tactics and detections in real time. The point is shared improvement, not a contest.
  • Physical penetration testing — lock picking, tailgating, badge cloning, dumpster diving. Tests physical security.

Reconnaissance. Information gathering before exploitation:

  • Passive recon — OSINT (open-source intelligence): public job postings, LinkedIn, Shodan results, archived pages, and DNS data from third-party sources. No direct contact with the target. One caveat a tester should know: a lookup through a public recursive resolver can still be forwarded to the target’s own authoritative nameservers when the answer is not cached, so strictly passive work uses passive-DNS datasets and certificate transparency logs instead.
  • Active recon — port scans, banner grabs, service probes, vulnerability scans against the target. Packets reach target systems, so the activity is logged there and may be detected, even when the firewall drops the connection.
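The detection side of the passive/active distinction, as an added example that is not part of the original page: a small port-scan detector run over constructed firewall log lines. The log layout ("timestamp src dst port action"), the documentation-range addresses, and the thresholds are assumptions for the demo, not any real product’s format. The scanning host shows up because every probe, accepted or dropped, produced a log line; the host doing OSINT only never appears in the log at all.

```python
"""Active-recon (port scan) detector run over constructed firewall log lines.

Added example for this study page; not part of the original content.
Log format, IP addresses and thresholds are assumptions chosen for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample data (documentation-range addresses, not real hosts).
SCANNER = "203.0.113.7"           # external tester doing active recon
CLIENT = "192.0.2.44"             # ordinary HTTPS client talking to the same target
PASSIVE_TESTER_IP = "198.18.0.5"  # tester doing OSINT only; sends nothing to the target
TARGET = "198.51.100.10"          # in-scope web server behind the firewall
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]

# Assumed line layout: "<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# A real firewall's syslog format differs; only parse_line() would need to change.
SAMPLE_LOG = "\n".join(
    # 12 distinct ports in 12 seconds: a fast port scan, mostly dropped but still logged
    [f"2024-05-01T10:00:{i:02d}Z {SCANNER} {TARGET} {p} {'ACCEPT' if p in (80, 443) else 'DROP'}"
     for i, p in enumerate(SCAN_PORTS)]
    # one legitimate client hitting 443 every five seconds
    + [f"2024-05-01T10:00:{s:02d}Z {CLIENT} {TARGET} 443 ACCEPT" for s in range(0, 60, 5)]
)


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, dst, port, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(port), action


def sources_seen(log_text):
    """Every source address that generated at least one log line."""
    return {parse_line(l)[1] for l in log_text.splitlines() if l.strip()}


def detect_port_scans(log_text, window_seconds=60, distinct_ports=10):
    """Flag sources that touched at least distinct_ports different ports on one
    destination inside a sliding window of window_seconds.
    Returns {src_ip: set of ports seen in the triggering windows}."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port)
    flagged = {}
    for when, src, dst, port, _action in events:
        q = recent[(src, dst)]
        q.append((when, port))
        # Drop entries that have fallen out of the sliding window.
        while (when - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports:
            flagged.setdefault(src, set()).update(ports)
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {sorted(ports)}")
    print("sources present in the log:", sorted(sources_seen(SAMPLE_LOG)))
```

The same twelve probes spread one per hour would slip under the 60-second window; that low-and-slow evasion is why production detections also correlate across longer windows and across many destinations, not just the single-destination threshold shown here.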

Pen test vs. vulnerability scan. Often confused. Vulnerability scans identify potential weaknesses but do not exploit. Pen tests actively exploit to confirm exploitability and demonstrate impact. A clean pen test report includes proof-of-exploitation, not just a CVSS list.

Rules of engagement (RoE). Before any pen test, an RoE document defines scope (in-scope addresses and applications), off-limits systems, time windows, communication channels and escalation contacts, and the legal authorization signed by someone with authority over the systems (the “get out of jail” letter). Without that written authorization the same activity is unauthorized access, whatever the tester’s intent.
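A pre-flight gate that enforces those RoE elements before a scanner is pointed at anything, as an added example that is not part of the original page. The RoE values (authorization reference, in-scope ranges, the excluded host, the testing window) are hypothetical and use documentation-range addresses; the point is the decision order: deny by default, an exclusion always beats an in-scope entry, and nothing runs outside an authorized window.

```python
"""Rules-of-engagement pre-flight gate: refuse to touch anything the RoE does
not authorize. Added example for this study page; the RoE values below are
hypothetical and use documentation-range addresses."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class RulesOfEngagement:
    authorization_ref: str   # identifier of the signed authorization letter
    in_scope: list           # CIDRs or single hosts the client authorized
    excluded: list           # off-limits systems; an exclusion always beats in_scope
    windows: list            # (start, end) UTC datetimes when testing may run


def utc(year, month, day, hour, minute=0):
    """Small helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _nets(items):
    return [ipaddress.ip_network(i, strict=False) for i in items]


def check_target(roe, target_ip, when):
    """Return (allowed, reason). Deny by default: a target must be backed by a
    signed authorization, not excluded, inside scope, and inside a window."""
    ip = ipaddress.ip_address(target_ip)
    if not roe.authorization_ref:
        return False, "no signed authorization on file"
    if any(ip in n for n in _nets(roe.excluded)):
        return False, f"{ip} is explicitly excluded"
    if not any(ip in n for n in _nets(roe.in_scope)):
        return False, f"{ip} is not in scope"
    if not any(start <= when < end for start, end in roe.windows):
        return False, f"{when.isoformat()} is outside every testing window"
    return True, "authorized"


def authorized_targets(roe, candidates, when):
    """Filter a candidate list (for example, hosts turned up during recon)
    down to the ones a scanner may be pointed at right now."""
    return [t for t in candidates if check_target(roe, t, when)[0]]


# Hypothetical RoE for the demo.
ROE = RulesOfEngagement(
    authorization_ref="AUTH-2024-0042",
    in_scope=["198.51.100.0/24", "203.0.113.10"],
    excluded=["198.51.100.250"],   # e.g. a production database host named off-limits
    windows=[(utc(2024, 5, 4, 2), utc(2024, 5, 4, 6))],
)

if __name__ == "__main__":
    now = utc(2024, 5, 4, 3, 30)
    for host in ["198.51.100.10", "198.51.100.250", "203.0.113.10", "192.0.2.1"]:
        print(host, check_target(ROE, host, now))
```

The exclusion check runs before the scope check on purpose: 198.51.100.250 sits inside the authorized /24, and a gate that tested scope first would wave it through.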

Reference

Audit type              | Performed by                 | Independence                        | Exam cue
------------------------|------------------------------|-------------------------------------|------------------------------------------
Self-assessment         | The team itself              | Lowest                              | “Team evaluates its own controls”
Internal audit          | Internal audit function      | Medium (reports to audit committee) | “Internal audit team,” “audit committee”
Independent third-party | External auditor (CPA, QSA)  | High                                | “SOC 2,” “ISO certification,” “PCI QSA”
Regulatory exam         | Government regulator         | Highest authority                   | “FFIEC,” “OCC,” “HHS-OCR”

Box color           | Tester knows                                | Simulates
--------------------|---------------------------------------------|------------------------------------
White box (known)   | Everything: architecture, code, credentials | Insider with full visibility
Gray box (partial)  | Some, e.g., a low-privilege account         | Insider or compromised account
Black box (unknown) | Nothing                                     | External attacker with no foothold

Team   | Role                           | Goal
-------|--------------------------------|--------------------------------------
Red    | Offense (simulate attacker)    | Find and exploit weaknesses
Blue   | Defense (SOC, IR, engineering) | Detect and respond
Purple | Collaboration (red + blue)     | Shared tuning of detections and TTPs

Recon type | Activity                                     | Detectable?
-----------|----------------------------------------------|--------------------------------
Passive    | OSINT, DNS, LinkedIn, Shodan, archived pages | No (no contact with target)
Active     | Port scans, banner grabs, service probes     | Yes (logged on target systems)
Key Takeaway

Three reflexes for 5.5: (1) black box = least info, white box = full info; (2) red = offense, blue = defense, purple = collaboration; (3) passive = no contact, active = direct contact. And the cleanest rule: pen tests exploit, scans only identify.

The board has authorized “a pen test” after a peer ransomware story. The audit committee chair asks you to come back next week with the engagement type and scope. Time and budget are real but flexible. Leadership specifically wants to know “how long it would take a real attacker to reach our crown-jewel customer database, and what we’d see while it happened.”

Scenario
Choose the Right Pen Test
Audit committee · crown jewel = customer DB · detection capability matters
Audit Chair: “Just give us the report card. How vulnerable are we?”
Security: “There are several pen-test flavors with very different costs and outcomes. The board’s question — time to crown jewel and what we’d see — points at a black-box red-team engagement: external testers with no information, goal-oriented (reach the customer DB), with a parallel blue-team observation so we measure detection in real time. That is essentially a purple-team adjacent engagement — covert offense, observed defense, and a debrief that improves both.”
Audit Chair: “Why not a vulnerability scan? Cheaper.”
Security: “A vulnerability scan tells us what’s broken; a pen test tells us whether broken things can be chained into impact. The board asked about reach and detection. Only an exploit-driven test answers that. Vulnerability scans complement pen testing — they are not substitutes.”
Compensating Action

Match the engagement to the question. Compliance baseline → vulnerability scanning + audit. “How real is our risk?” → black-box red team. “How fast can we detect?” → purple team. “Is the new app safe before launch?” → gray-box pen test with credentials. The wrong engagement wastes money and answers the wrong question.

Real Talk — Career Context

Pen test scoping is a senior skill. Ask: what business question are we answering? Who needs the result (board, regulator, customer)? What is in scope and off limits? What are the rules of engagement (time windows, comms tree, escalation)? A great pen test report ends in actionable remediation; a bad one ends in a CVSS list nobody acts on.

On the exam: “external attacker simulation, no info” → black-box; “tester has source code” → white-box; “OSINT only, no scans” → passive recon; “port scan” → active recon; “red and blue collaborate” → purple team.

Hard Choice

A pen tester is in the pre-engagement phase. They review the target’s LinkedIn page for employee names and tools mentioned, query public DNS for subdomains, search Google and the Wayback Machine for old documents, and look up the company on Shodan. Internal IDS logs from the target show nothing from the tester. Which type of reconnaissance is the tester conducting?

Option A
Active reconnaissance

The tester is gathering data about the target, so it must touch the target somehow.

Option B
Passive reconnaissance

All sources are public or third-party; the tester has not touched the target’s systems — nothing in the IDS confirms it.

Option B is correct — Passive reconnaissance

Option B: The defining property of passive recon is no direct contact with the target’s systems. LinkedIn, public DNS resolvers, search engines, archived pages, and Shodan (which scans on its own and lets you query its results) all live on third-party infrastructure. The clincher is in the question: the target’s IDS shows nothing.

Option A’s trap: “gathering data about the target” sounds like activity directed at the target. But active recon is defined by the direction of network traffic — tester sends packets to the target. Reading public records is information collection, not active probing.

On the exam: passive = OSINT + Shodan + DNS + LinkedIn + archived pages. Active = port scans + banner grabs + service probes + vulnerability scans. The IDS-logging cue is decisive.

Common Traps

Box colors flipped
Black box = no info (closest to external attacker). White box = full info. Gray box = partial. The exam often shows “tester has source code” and offers black box as the trap.
Why it is tempting: black sounds like “blind,” and white sounds like “blank.” Memorize: black knows nothing.
Pen test confused with vulnerability scan
Pen tests actively exploit to confirm impact. Vulnerability scans only identify potential issues. The exam asks “which proves exploitability?” (pen test) or “which gives a CVSS-scored list of weaknesses?” (vuln scan).
Why it is tempting: both produce findings. Exploitation is the dividing line.
Passive recon assumed to touch target
Passive recon makes no direct contact with the target. If the question shows the target’s IDS detecting probes, it is active recon. Passive uses third-party data sources (OSINT, DNS, LinkedIn, Shodan).
Why it is tempting: “research” sounds active in plain English. In pentest vocabulary, passive means no traffic to the target.
Self-assessment treated as independent
A team evaluating its own controls is the least independent form of assessment. Customers and regulators usually require independent third-party assurance (SOC 2, ISO 27001).
Why it is tempting: “we did the assessment” sounds equivalent to a real audit. Independence matters.
Purple team confused with red+blue
A red team plus a blue team running independently is not a purple team. Purple team is collaborative — offense and defense work together openly, sharing TTPs and detections in real time, for the explicit purpose of mutual improvement.
Why it is tempting: “purple = red + blue” makes it sound like just running both. The collaboration model is the point.
Audit confused with assessment
An audit typically results in a formal opinion against defined criteria. An assessment is broader and may not produce a formal opinion. Regulator-led versions are often called examinations.
Why it is tempting: terms used loosely in conversation. Exam uses them precisely.
Exam Signal

5.5 patterns: (1) information given to tester → box color; (2) role → team color (offense/defense/collaboration); (3) contact with target → recon type; (4) independence level → audit type. And remember: pen test exploits, scan identifies; SOC 2 = attestation, not certification.

Quick Check — 5.5 Q1
A pen testing firm is hired with no information about the target other than the company name. They are tasked with simulating an external adversary attempting to reach the customer database. Which engagement type BEST describes this?
  • A White-box assessment
  • B Gray-box assessment
  • C Black-box (unknown environment) penetration test
  • D Vulnerability scan

Correct: C. “No information about the target” defines black-box (unknown environment). The simulated external adversary framing confirms penetration testing rather than scanning.

A wrong: White-box would supply architecture, source code, credentials.

B wrong: Gray-box would supply partial information.

D wrong: Vulnerability scans identify but do not exploit; they cannot answer “can the attacker reach the database?”

Source: CompTIA SY0-701 Objectives v5.0 — 5.5 Audits and assessments

Quick Check — 5.5 Q2
A security analyst harvests employee names from LinkedIn, queries public DNS for subdomain enumeration, and pulls archived versions of the target’s public pages from the Wayback Machine. The target’s IDS logs show no unusual activity from the analyst. Which activity BEST describes this?
  • A Passive reconnaissance
  • B Active reconnaissance
  • C Vulnerability scanning
  • D Penetration testing

Correct: A. Passive reconnaissance uses third-party and public sources without direct contact with the target. The IDS logs show nothing — the decisive cue.

B wrong: Active recon would generate detectable traffic to the target (port scans, banner grabs).

C wrong: Vulnerability scanning is active and would log against the target.

D wrong: Penetration testing involves exploitation, not just public data gathering.

Source: CompTIA SY0-701 Objectives v5.0 — 5.5

Quick Check — 5.5 Q3
A security program wants to improve its detection capabilities by having attackers and defenders work together openly during an exercise, sharing tactics, techniques, and detections in real time so the SOC can tune its alerts. Which engagement type BEST describes this?
  • A Red team only
  • B Blue team only
  • C Purple team (integrated)
  • D White-box pen test

Correct: C. Purple team is the collaborative engagement where red (offense) and blue (defense) work together openly to improve detection and response.

A wrong: Red team only is offense without active collaboration.

B wrong: Blue team only is defense without an active adversary in the same exercise.

D wrong: White-box describes information given to the tester, not team configuration.

Source: CompTIA SY0-701 Objectives v5.0 — 5.5

Disclaimer: This content is provided for educational and exam preparation purposes only. It is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on the published CompTIA SY0-701 Exam Objectives (v5.0). Always refer to the official CompTIA Security+ Exam Objectives as your primary reference.