Effective CISSP Questions

You are conducting a vulnerability assessment against your company’s official web site. Which of the following should be scanned first?
A. Known weaknesses in the CWE List
B. Known vulnerabilities in the CVE List
C. Undiscovered or unknown vulnerabilities
D. The attack surface determined after the threat modeling

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Known vulnerabilities in the CVE List.

Image credit: Bitsorbit

The CVE List refers to identified vulnerabilities within a specific product or system. They are more important and urgent than undiscovered or unknown vulnerabilities. Important and urgent tasks should be conducted first.

The CWE List is typically used in software or hardware development, or before it’s authorized to operate.

Threat modeling is a “systematic exploration technique to expose vulnerabilities. It is typically conducted in the design or implementation phase of the SDLC.

Important vs Urgent Matrix
Image credit: Elodie DESTRUEL

 Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the National Cyber Security Division of the United States Department of Homeland Security. The system was officially launched for the public in September 1999.

The Security Content Automation Protocol uses CVE, and CVE IDs are listed on MITRE’s system as well as in the US National Vulnerability Database.

CVEs are for software that has been publicly released; this can include betas and other pre-release versions if they are widely used. Commercial software is included in the “publicly released” category, however custom-built software that is not distributed would generally not be given a CVE.

Metasploit Exploiting CVE-2012-1823

Common Weakness Enumeration

Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weakness types that have security ramifications. “Weaknesses” are flaws, faults, bugs, vulnerabilities, or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks, or hardware being vulnerable to attack. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.

Targeted at both the development and security practitioner communities, the main goal of CWE is to stop vulnerabilities at the source by educating software and hardware, architects, designers, programmers, and acquires on how to eliminate the most common mistakes before software and hardware are delivered. Ultimately, use of CWE helps prevent the kinds of security vulnerabilities that have plagued the software and hardware industries and put enterprises at risk.


Threat Modeling

In systems and software engineering, threat modeling is a “systematic exploration technique to expose any circumstance or event having the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.” (ISO 24765:2017)

Attack Vector

In threat modeling, a threat scenario can be expressed as an attack vector, which is “a segment of the entire pathway that an attack uses to access a vulnerability.” (NIST SP 800-154)

Attack Vector

Attack Surface

Attack surfaces of information systems are “exposed areas that make those systems more vulnerable to cyber attacks.” (NIST SP 800-53 R4)
The exposed areas are accessible areas, typically the interfacing points of input and output, where weaknesses or deficiencies in information systems that provide opportunities for adversaries to exploit ขulnerabilities.
In short, the attack surface is the sum of the identified attack vectors.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您正在針對公司的官方網站進行漏洞評估。 應該先掃描以下哪項?
A. CWE列表中的已知弱點 (weakness)
B. CVE列表中的已知漏洞 (vulnerability)
C. 未發現或未知的漏洞
D. 威脅建模後確定的攻擊面(attack surface)


Leave a Reply