Security baseline scanning

2.1 Given a scenario, implement vulnerability scanning methods and concepts.

📘CompTIA CySA+ (CS0-003)

1. What is Security Baseline Scanning?

Security baseline scanning is the process of checking systems to make sure they follow an approved and secure configuration standard (called a baseline).

A security baseline is a documented set of minimum security settings that every system must follow. These settings define how systems should be configured to reduce security risks.

In simple words:

  • A baseline = the secure starting configuration
  • Baseline scanning = checking systems to make sure they follow that secure starting configuration

This is different from vulnerability scanning, which looks for missing patches or known software weaknesses. Baseline scanning focuses on secure configuration settings.

2. What is a Security Baseline?

A security baseline is a standardized configuration that all similar systems must follow.

For example, a baseline for a Windows server may include:

  • Password length must be at least 12 characters
  • Account lockout after 5 failed login attempts
  • Firewall must be enabled
  • Remote desktop disabled unless required
  • Unnecessary services disabled
  • Logging enabled
  • Secure protocols only (e.g., disable old SSL/TLS versions)

A baseline ensures that:

  • All systems are configured consistently
  • Security best practices are applied
  • Misconfigurations are reduced
  • Compliance requirements are met

3. Why Security Baseline Scanning Is Important

For the CySA+ exam, understand that baseline scanning helps with:

1. Configuration Management

Ensures systems remain in their approved configuration state.

2. Compliance

Many standards require secure configuration monitoring, such as:

  • National Institute of Standards and Technology (NIST)
  • Center for Internet Security (CIS)
  • International Organization for Standardization (ISO)

These organizations publish configuration guidelines.

3. Detecting Configuration Drift

Configuration drift happens when systems slowly change from their approved baseline over time.

Examples:

  • An admin enables a service temporarily and forgets to disable it
  • A security setting is changed during troubleshooting
  • A patch modifies a configuration setting

Baseline scanning detects these changes.

4. Reducing Attack Surface

Insecure configurations create vulnerabilities. Baseline scanning helps prevent:

  • Weak authentication settings
  • Open ports
  • Unnecessary services
  • Insecure protocols

4. What Does Baseline Scanning Check?

Baseline scanning checks for configuration compliance, including:

1. Operating System Settings

  • Password policies
  • User rights assignments
  • Audit policies
  • Security options
  • Service configurations

2. Application Configurations

  • Web server settings
  • Database security settings
  • Secure file permissions
  • Encryption configuration

3. Network Device Configurations

  • Router and firewall rules
  • SNMP configuration
  • Disabled default accounts
  • Secure management protocols

4. Cloud Configurations

  • Storage bucket permissions
  • IAM roles and permissions
  • Encryption settings
  • Logging enabled

5. Baseline vs Vulnerability Scanning (Exam Comparison)

FeatureBaseline ScanningVulnerability Scanning
FocusConfiguration complianceKnown software flaws
Looks forMisconfigurationsMissing patches, CVEs
ExampleWeak password policyUnpatched web server vulnerability
GoalEnforce secure configurationIdentify exploitable weaknesses

For the exam, know that:

  • Baseline scanning = configuration compliance
  • Vulnerability scanning = security weaknesses

6. Common Baseline Standards

Organizations use established standards when creating baselines.

1. CIS Benchmarks

Created by Center for Internet Security.

These are detailed configuration guidelines for:

  • Windows
  • Linux
  • Cloud platforms
  • Databases
  • Network devices

CIS Benchmarks are widely used in enterprises.

2. NIST Guidelines

Provided by National Institute of Standards and Technology.

Important documents include:

  • NIST SP 800-53
  • NIST SP 800-128 (Configuration Management)

These define secure configuration and monitoring practices.

3. DISA STIGs

Security Technical Implementation Guides from the U.S. Department of Defense.

They define strict configuration requirements.

7. Types of Baseline Scanning

1. Manual Baseline Review

  • Security team checks configuration settings manually.
  • Time-consuming and not scalable.

2. Automated Baseline Scanning

Most organizations use automated tools.

These tools:

  • Compare system configuration to a baseline template
  • Generate compliance reports
  • Show pass/fail results
  • Highlight misconfigurations

Automation is important for large environments.

8. How Baseline Scanning Works

Step-by-step process:

  1. Define a secure baseline (based on CIS, NIST, internal policy).
  2. Configure scanning tool with baseline template.
  3. Scan systems.
  4. Compare current configuration to approved baseline.
  5. Identify deviations.
  6. Generate compliance report.
  7. Remediate issues.
  8. Rescan to verify fixes.

9. Continuous Monitoring

Security baseline scanning is not a one-time activity.

It should be:

  • Scheduled regularly (daily, weekly, monthly)
  • Triggered after major changes
  • Integrated into patch management
  • Included in change management processes

Continuous monitoring prevents configuration drift.

10. Configuration Drift (Very Important for Exam)

Configuration drift occurs when:

  • Systems slowly move away from approved baseline
  • Unauthorized or undocumented changes occur
  • Settings are modified without approval

Baseline scanning detects this by comparing:

Current state vs Approved baseline

Drift increases risk and compliance violations.

11. Reporting and Remediation

Baseline scanning tools generate:

  • Compliance percentage
  • Failed checks
  • Severity levels
  • Recommended fixes

Remediation can include:

  • Changing configuration manually
  • Using scripts to correct settings
  • Using configuration management tools
  • Rolling back to a known good configuration

12. Integration with Other Security Processes

Baseline scanning supports:

1. Change Management

Ensures changes do not break security standards.

2. Patch Management

Confirms patches do not alter secure configurations.

3. Risk Management

Misconfigurations are security risks.

4. Incident Response

Helps determine if an incident was caused by configuration changes.

13. Agent-Based vs Agentless Baseline Scanning

Baseline scanning can use:

Agent-Based

  • Software installed on endpoint
  • Deep configuration visibility
  • Better for internal systems

Agentless

  • Uses network credentials
  • Connects remotely to check settings
  • Easier to deploy but may have limited visibility

Know this difference for scenario questions.

14. Advantages of Baseline Scanning

  • Enforces standardization
  • Detects misconfigurations
  • Improves compliance
  • Reduces attack surface
  • Identifies unauthorized changes
  • Supports audits

15. Limitations of Baseline Scanning

  • Does not detect unknown vulnerabilities
  • Requires proper baseline definition
  • False positives possible
  • Needs regular updates
  • Requires access permissions

16. Cloud and Baseline Scanning

In cloud environments, baseline scanning checks:

  • IAM permissions
  • Public storage exposure
  • Encryption settings
  • Logging enabled
  • Security group configurations

Cloud misconfigurations are a major security risk, so baseline scanning is critical.

17. Key Exam Terms to Remember

For CySA+ CS0-003, remember:

  • Security baseline
  • Configuration compliance
  • Configuration drift
  • Secure configuration standards
  • Continuous monitoring
  • Automated scanning
  • Remediation
  • Deviation
  • Compliance reporting

18. Exam Scenario Tips

If the question mentions:

  • “Ensure systems follow approved configuration”
  • “Detect unauthorized configuration changes”
  • “Maintain compliance with secure configuration standard”
  • “Compare current configuration against approved template”
  • “Detect configuration drift”

The correct answer is most likely:

Security baseline scanning

If the question mentions:

  • Missing patches
  • Known CVEs
  • Exploitable software flaws

Then the answer is:

Vulnerability scanning (not baseline scanning)

Final Summary

Security baseline scanning ensures that systems:

  • Follow approved secure configuration standards
  • Do not drift from defined security policies
  • Remain compliant with regulatory requirements
  • Maintain reduced attack surface

It focuses on how systems are configured, not on whether software has known vulnerabilities.

For the CySA+ exam, clearly understand:

  • The difference between baseline scanning and vulnerability scanning
  • The importance of configuration drift detection
  • The role of compliance standards (CIS, NIST, etc.)
  • The importance of continuous monitoring

Mastering this topic will help you correctly answer scenario-based questions in Domain 2.1 of CS0-003.

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by