Cybersecurity (CS)
PD-WRL-007
DCWF 541
Vulnerability Assessment Analyst
Performs assessments of systems and networks within the NE or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. Measures effectiveness of defense-in-depth architecture against known vulnerabilities.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T411A additional Analyze organization's cybersecurity policies and configurations and evaluate compliance with regulations and organizational directives.
- T448 additional Conduct and/or support authorized penetration testing on enterprise network assets.
- T685A additional Maintain deployable cybersecurity audit toolkit (e.g., specialized cyber defense software and hardware) to support cybersecurity audit missions.
- T692 additional Maintain knowledge of applicable cyber defense policies, regulations, and compliance documents specifically related to cyber defense auditing.
- T784 additional Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions.
- T939 additional Conduct required reviews as appropriate within environment (e.g., Technical Surveillance, Countermeasure Reviews [TSCM], TEMPEST countermeasure reviews).
- T940B additional Perform technical (evaluation of technology) and non-technical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, control system and operational environments, enclave boundary, supporting infrastructure, and applications).
- T941A additional Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems and processes).
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- K0010 knowledge core Knowledge of application vulnerabilities.
- K0092 knowledge core Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
- K0105 knowledge core Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- K0150 knowledge core Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
- K095B knowledge core Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).
- K1072 knowledge core Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
- S10A skill core Skill in conducting application vulnerability assessments.
- S225A skill core Skill in the use of penetration testing tools and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).
- S3B skill core Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
- S922B skill core Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities.
- A102A ability additional Ability to apply programming language structures (e.g., source code review) and logic.
- A4 ability additional Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
- A6918 ability additional Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.
- K0027 knowledge additional Knowledge of cryptography and cryptographic key management concepts.
- K0029 knowledge additional Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
- K0049 knowledge additional Knowledge of host/network access control mechanisms (e.g., access control list).
- K0063 knowledge additional Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- K0079 knowledge additional Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
- K0102 knowledge additional Knowledge of programming language structures and logic.
- K0128 knowledge additional Knowledge of systems diagnostic tools and fault identification techniques.
- K081A knowledge additional Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
- K0904 knowledge additional Knowledge of interpreted and compiled computer languages.
- K0991 knowledge additional Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).
- K1021A knowledge additional Knowledge of threat and risk assessment.
- K1033 knowledge additional Knowledge of basic system administration, network, and operating system hardening techniques.
- K1038A knowledge additional Knowledge of infrastructure supporting information technology (IT) for safety, performance, and reliability.
- K1069 knowledge additional Knowledge of general attack stages (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
- K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
- K1142 knowledge additional Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
- K214B knowledge additional Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
- K3150 knowledge additional Knowledge of ethical hacking principles and techniques.
- K3222 knowledge additional Knowledge of data backup and restoration concepts.
- K3513 knowledge additional Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
- K6210 knowledge additional Knowledge of cloud service models and possible limitations for an incident response.
- K992B knowledge additional Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).
- K992C knowledge additional Knowledge of threat environments (e.g., threat actors, threat activities).
- S160 skill additional Skill in assessing the robustness of security systems and designs.
- S181A skill additional Skill in detecting host and network based intrusions via intrusion detection technologies.
- S210 skill additional Skill in mimicking threat behaviors.
- S226 skill additional Skill in the use of social engineering techniques.
- S27B skill additional Skill in assessing the application of cryptographic standards.
- S6660 skill additional Skill in reviewing logs to identify evidence of past intrusions.
- S897A skill additional Skill in performing impact/risk assessments.
EWU courses that develop this role
- CSCD 438 — Vulnerability Analysis (primary). Vulnerability Assessment Analyst.
- CSCD 379 — Cybersecurity I: Foundations (strong). Vulnerability Assessment Analyst: VA fundamentals.
- CSCD 381 — Cybersecurity III: Offense and Defense (strong). Vulnerability Assessment Analyst adversary view.
Skill drills that practice this role
Exam questions from CSCD 240.
- CSCD240-E1-A-Q41 primary setuid Explain the setuid bit in 1-2 sentences using the term "effective user ID".
- CSCD240-E1-B-Q23 primary grep-recursive Recursively search /etc for any file containing "password=" and print only filenames.
- CSCD240-E1-C-Q46 primary malicious-alias .bashrc contains alias ls='rm -rf'. Consequence if planted and user opens a new shell?
- CSCD240-E1-C-Q47 primary ssh-perms -rw------- on .ssh and drwx------ on .config — which is typical for an SSH private key and why?
- CSCD240-E1-C-Q41 secondary threat-reasoning -rwsrwxrwx root root .xhelper in /tmp. Why alarming?
Other roles in this element
CS-212 Cyber Defense Forensics Analyst
CS-462 Control Systems Security Specialist
CS-511 Cyber Defense Analyst
CS-521 Cyber Defense Infrastructure Support Specialist
CS-531 Cyber Defense Incident Responder
CS-611 Authorizing Official/Designated Representative
CS-612 Security Control Assessor
CS-622 Secure Software Assessor
CS-631 Information Systems Security Developer
CS-652 Security Architect
CS-722 Information Systems Security Manager
CS-723 COMSEC Manager