Vulnerability Management Lifecycle

The Vulnerability Management Lifecycle (VML) is a systematic process for identifying, prioritizing, remediating, verifying, monitoring, and improving security vulnerabilities in systems. It involves using tools and methodologies to assess weaknesses, prioritize fixes based on risk, and continuously monitor for new threats. Key components include understanding vulnerabilities, utilizing databases like CVE, and adhering to compliance regulations to enhance overall cybersecurity posture.

Uploaded by bayilo7328

Vulnerability Management Lifecycle

A Vulnerability Management Lifecycle (VML) is the process of finding, assessing, fixing, and
monitoring security weaknesses (vulnerabilities) in a system. This helps organizations stay secure
from cyber threats.

🔹 1. Vulnerability Overview – What is a Vulnerability?

A vulnerability is a weakness in software, hardware, or networks that hackers can exploit to attack a system.

🔹 Types of Vulnerabilities:
✅ Software Bugs – Errors in code (e.g., outdated software).
✅ Weak Passwords – Easy-to-guess passwords like "123456".
✅ Misconfigurations – Incorrect security settings in systems.
✅ Unpatched Systems – Systems missing security updates.

✅ Example: A website using an outdated version of WordPress may have security flaws that hackers can exploit.

🔹 2. The Vulnerability Management Lifecycle (VML) – 6 Key Steps

1️⃣ Identification – Find Vulnerabilities


📌 The first step is scanning systems to detect weaknesses.

🔹 Tools Used:
✅ Nessus, Qualys, OpenVAS – Automated scanning tools.
✅ Manual Testing – Security experts manually check for vulnerabilities.
✅ Penetration Testing – Ethical hackers simulate real attacks.

✅ Example: A company runs Nessus to scan its servers and finds 10 security vulnerabilities.

2️⃣ Prioritization – Decide What to Fix First


📌 Not all vulnerabilities are critical. Some may not even be dangerous.

🔹 How to Prioritize?
✅ CVSS Score – Rates vulnerabilities from 0 (low) to 10 (critical).
✅ Exploitability – Can hackers easily use this vulnerability?
✅ Impact – Will this vulnerability cause financial or data loss?
✅ Compliance Issues – Does this violate security regulations (GDPR, PCI DSS, etc.)?
✅ Example: A vulnerability with a CVSS score of 9.8 (Critical) gets fixed first, while a CVSS 3.2 (Low) can be scheduled for later.

3️⃣ Remediation – Fix Vulnerabilities


📌 The next step is to fix the weaknesses found during scanning.

🔹 Ways to Fix Vulnerabilities:


✅ Patching – Install security updates.
✅ Configuration Changes – Adjust settings for better security.
✅ Remove Unused Services – Disable software/services not needed.

✅ Example: If a company finds a vulnerability in its web server, it installs a security patch to fix it.

4️⃣ Verification – Check if Fixes Worked


📌 After fixing vulnerabilities, re-scan the system to ensure the issue is resolved.

🔹 Steps in Verification:
✅ Test the fix using vulnerability scanners.
✅ Perform penetration testing to see if hackers can still exploit it.
✅ Validate system logs to ensure no suspicious activity remains.

✅ Example: A company applies a security patch and then re-scans to confirm the vulnerability is gone.

5️⃣ Monitoring – Continuous Scanning & Reporting


📌 Cyber threats keep evolving, so companies must regularly monitor their systems.

🔹 Best Practices for Monitoring:


✅ Schedule regular vulnerability scans (weekly or monthly).
✅ Use SIEM (Security Information & Event Management) systems for real-time alerts.
✅ Analyze security reports for new threats.

✅ Example: A company schedules Nessus scans every week to catch new vulnerabilities early.

6️⃣ Improvement – Strengthen Security Over Time


📌 The final step is to improve security practices to prevent future vulnerabilities.

🔹 How to Improve?
✅ Train employees on cybersecurity awareness.
✅ Implement a strong patch management policy.
✅ Review past incidents to learn from mistakes.

✅ Example: After a security breach, a company updates its security policies to avoid similar attacks in the future.
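The verification step (4) above is mostly a comparison of two scan results. Added example, not from the original notes: it classifies each finding from a first scan and a re-scan as confirmed fixed, failed fix, still open, or new, using constructed scan results keyed by (host, check name).

```python
"""Verification (step 4): confirm by re-scan that remediated findings are gone
and surface anything new. Added example, not from the original notes; the
scan results below are constructed samples, not real scanner output."""

BEFORE_SCAN = {  # constructed: first scan, value is the CVSS score
    ("web01", "OpenSSH Server Outdated"): 8.5,
    ("web01", "TLS Weak Cipher Suites"): 5.3,
    ("db01", "Default Database Credentials"): 9.8,
}
AFTER_SCAN = {  # constructed: re-scan after the remediation tickets were closed
    ("web01", "TLS Weak Cipher Suites"): 5.3,         # not scheduled yet, still open
    ("db01", "Default Database Credentials"): 9.8,    # ticket says fixed, still reported
    ("web01", "HTTP Server Header Disclosure"): 2.0,  # newly reported
}
CLAIMED_FIXED = {("web01", "OpenSSH Server Outdated"), ("db01", "Default Database Credentials")}


def verify_remediation(before, after, claimed_fixed):
    """Classify every finding from both scans:
      confirmed - claimed fixed and absent from the re-scan
      failed    - claimed fixed but still reported, so the fix did not take
      open      - not yet remediated and still reported
      new       - first reported by the re-scan
    """
    before_keys, after_keys = set(before), set(after)
    return {
        "confirmed": sorted(claimed_fixed & (before_keys - after_keys)),
        "failed": sorted(claimed_fixed & after_keys),
        "open": sorted((before_keys & after_keys) - claimed_fixed),
        "new": sorted(after_keys - before_keys),
    }


def verification_passed(result, after, high_threshold=7.0):
    """The cycle closes only if nothing claimed fixed is still present. Failed
    fixes are listed highest CVSS first; those at/above the threshold are urgent."""
    failed = sorted(result["failed"], key=lambda k: -after[k])
    reasons = [f"{host}: '{name}' still reported (CVSS {after[(host, name)]})"
               for host, name in failed]
    urgent = [k for k in failed if after[k] >= high_threshold]
    return (not failed, reasons, urgent)


if __name__ == "__main__":
    outcome = verify_remediation(BEFORE_SCAN, AFTER_SCAN, CLAIMED_FIXED)
    ok, reasons, urgent = verification_passed(outcome, AFTER_SCAN)
    print("verification passed" if ok else "verification FAILED")
    for line in reasons:
        print("  -", line)
```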

🔹 Summary Table 🔹

| Step | What Happens? | Example |
|---|---|---|
| 1. Identification | Scan for security weaknesses. | A company uses Nessus to find vulnerabilities. |
| 2. Prioritization | Decide which vulnerabilities to fix first. | A critical bug (CVSS 9.8) gets fixed before a low-risk bug (CVSS 2.5). |
| 3. Remediation | Fix the vulnerabilities found. | Install a security patch to fix a software bug. |
| 4. Verification | Test if the fix worked. | Re-scan the system after applying a patch. |
| 5. Monitoring | Continuously scan for new threats. | Schedule weekly vulnerability scans. |
| 6. Improvement | Strengthen security over time. | Train employees on cybersecurity best practices. |

Vulnerability Systems and Databases

Vulnerability management involves detecting, analyzing, and fixing weaknesses in a system. To help organizations stay secure, security professionals use vulnerability systems and databases to track known issues.

🔹 1. Examining Vulnerability Scan Output

A vulnerability scan is an automated process that checks for security flaws in a network, system,
or application. The scan output provides a report listing detected vulnerabilities.

🔹 What’s in the Scan Report?
✅ Vulnerability Name – The name of the issue (e.g., “SQL Injection Vulnerability”).
✅ Severity Level – Categorized as Low, Medium, High, or Critical.
✅ CVSS Score – A numerical score (0-10) indicating risk level.
✅ Affected Systems – The servers, networks, or applications affected.
✅ Recommended Fixes – Suggested steps to fix the issue.

🔹 Example:
A company runs a Nessus scan and gets the following output:
✅ Vulnerability: OpenSSH Server Outdated
✅ Severity: High
✅ CVSS Score: 8.5
✅ Affected System: Web Server
✅ Fix: Update OpenSSH to the latest version

🔹 Why It’s Important?


📌 Helps identify security risks before hackers exploit them.
📌 Helps prioritize vulnerabilities based on risk.

🔹 2. Common Vulnerabilities and Exposures (CVE)

📌 CVE (Common Vulnerabilities and Exposures) is a public database that keeps track of known
security vulnerabilities. Each vulnerability gets a unique CVE ID for easy reference.

🔹 CVE Format:
CVE-[Year]-[ID Number]
✅ Example: CVE-2023-12345 (A vulnerability discovered in 2023).

🔹 Where is CVE Used?


✅ Security scanners like Nessus, Qualys, OpenVAS use CVE IDs to identify issues.
✅ Companies check CVE databases to find and fix vulnerabilities in their systems.
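The scan report fields listed in section 1 and the CVE ID format above can be handled together when reading a scanner export. Added example, not from the original notes: it parses a constructed CSV in the style of a Nessus export (the column names are an assumption), validates and normalizes the CVE references, and summarizes findings per affected system.

```python
"""Reading a vulnerability scan export. Added example, not from the original
notes; the CSV below is a constructed sample (column names assumed), not real
scanner output."""
import csv
import io
import re
from collections import defaultdict

# The CVE ID format from the notes: CVE-<year>-<at least four digits>.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

SCAN_CSV = """Host,Name,CVE,CVSS,Risk,Solution
web01,OpenSSH Server Outdated,,8.5,High,Update OpenSSH to the latest version
web01,Apache Log4j Remote Code Execution (Log4Shell),cve-2021-44228,10.0,Critical,Upgrade Log4j
db01,Default Database Credentials,,9.8,Critical,Change the default password
app01,Vendor Advisory (ID not yet assigned),CVE-YYYY-NNNNN,7.5,High,Apply the vendor update
"""


def parse_scan(csv_text):
    """Return (findings, invalid_refs). Each finding keeps the report fields the
    notes list: name, severity, CVSS score, affected system and recommended fix.
    A CVE column that is present but not a well-formed ID is reported separately."""
    findings, invalid = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = row["CVE"].strip().upper() or None   # scanners vary in case; normalize
        if cve and not CVE_ID.match(cve):
            invalid.append((row["Host"], row["Name"], cve))
            cve = None
        findings.append({
            "host": row["Host"], "name": row["Name"], "cve": cve,
            "cvss": float(row["CVSS"]), "risk": row["Risk"], "fix": row["Solution"],
        })
    return findings, invalid


def summarize_by_host(findings):
    """Per affected system: number of findings, highest CVSS, and count per risk level."""
    summary = defaultdict(lambda: {"count": 0, "max_cvss": 0.0, "by_risk": defaultdict(int)})
    for f in findings:
        s = summary[f["host"]]
        s["count"] += 1
        s["max_cvss"] = max(s["max_cvss"], f["cvss"])
        s["by_risk"][f["risk"]] += 1
    return {h: {**s, "by_risk": dict(s["by_risk"])} for h, s in summary.items()}
```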

🔹 Example of a CVE Entry:


✅ CVE-2021-44228 – Log4Shell vulnerability (A severe issue in Java applications).

🔹 Why It’s Important?


📌 Helps security teams quickly identify and fix known vulnerabilities.
📌 Provides a standardized system for tracking security flaws worldwide.

🔹 3. Common Vulnerability Scoring System (CVSS)

📌 CVSS (Common Vulnerability Scoring System) is a method to rate the severity of a vulnerability. It assigns a score from 0 to 10 based on risk level.

🔹 CVSS Score Levels:


✅ 0.0 – 3.9 (Low Risk) – Minor issue, unlikely to be exploited.
✅ 4.0 – 6.9 (Medium Risk) – May cause moderate security issues.
✅ 7.0 – 8.9 (High Risk) – Serious risk, hackers can exploit it easily.
✅ 9.0 – 10.0 (Critical Risk) – Highly dangerous, must be fixed immediately.

🔹 How is the Score Calculated?


Factors that affect the CVSS score:
✅ Exploitability – How easy is it for hackers to exploit?
✅ Impact – How much damage does it cause?
✅ Attack Vector – Can it be exploited remotely or only locally?
✅ User Interaction – Does it require a user to click something?

🔹 Example:
A security vulnerability is discovered in a company’s database.
✅ Exploitability: Easy to exploit
✅ Impact: Data breach risk
✅ Attack Vector: Can be exploited remotely
✅ User Interaction: No user interaction needed
✅ Final CVSS Score: 9.2 (Critical)

🔹 Why It’s Important?


📌 Helps organizations prioritize which vulnerabilities to fix first.
📌 Provides a consistent way to measure risk.

🔹 4. Common Weakness Enumeration (CWE)

📌 CWE (Common Weakness Enumeration) is a list of common coding mistakes and security
flaws that lead to vulnerabilities. Unlike CVE (which tracks specific vulnerabilities), CWE focuses
on patterns of weaknesses.

🔹 Example of CWE Weaknesses:


✅ CWE-79 – Cross-Site Scripting (XSS) – A flaw that allows hackers to inject malicious scripts into
web pages.
✅ CWE-89 – SQL Injection – A vulnerability that lets hackers manipulate databases.
✅ CWE-22 – Path Traversal – Attackers access restricted files on a server.

🔹 Why It’s Important?
📌 Helps developers understand common coding mistakes.
📌 Used to prevent vulnerabilities by writing more secure code.

🔹 Summary Table 🔹

| Concept | What It Does? | Example |
|---|---|---|
| Vulnerability Scan Output | Shows detected security weaknesses. | Nessus finds an outdated OpenSSH server. |
| CVE (Common Vulnerabilities and Exposures) | Public database of known vulnerabilities. | CVE-2021-44228 (Log4Shell bug). |
| CVSS (Common Vulnerability Scoring System) | Rates the severity of vulnerabilities (0-10). | A CVSS 9.2 bug is critical and needs immediate fixing. |
| CWE (Common Weakness Enumeration) | List of common programming errors leading to security flaws. | CWE-89 (SQL Injection) – A common database attack. |

Factors for Vulnerability Management Programs

A Vulnerability Management Program (VMP) helps organizations find, fix, and prevent security weaknesses in their systems. It ensures that cyber threats are handled before they can cause harm.

Here are the key factors that make a strong Vulnerability Management Program (VMP):

1️⃣ Defining Scope – What to Protect?

📌 Scope means deciding what systems, applications, and networks need protection.

🔹 Internal vs. External Systems – Are you securing internal company systems or public-
facing websites?
🔹 Cloud vs. On-Premises – Are your systems in the cloud or on company-owned
servers?
🔹 Critical Assets First – Focus on protecting the most important systems (e.g., customer
databases, payment systems).
✅ Example: A bank may focus on protecting its online banking system first before
securing employee email accounts.

2️⃣ Compliance & Regulatory Frameworks – Following the Rules

📌 Many industries have security regulations to follow, ensuring sensitive data is protected.

🔹 GDPR (General Data Protection Regulation) – Protects personal data in Europe.
🔹 PCI DSS (Payment Card Industry Data Security Standard) – Required for businesses handling credit card data.
🔹 ISO 27001 – A global standard for managing cybersecurity risks.
🔹 HIPAA (Health Insurance Portability and Accountability Act) – Protects healthcare data.

✅ Example: A hospital must follow HIPAA rules to protect patient records from
hackers.

3️⃣ Vulnerability Assessment Methods – Finding Weaknesses

📌 Different ways to scan and identify security weaknesses in systems.

🔹 Automated Scanning – Uses tools like Nessus, Qualys, or OpenVAS to scan systems
for known vulnerabilities.
🔹 Manual Testing – Security experts manually check for weaknesses missed by
scanners.
🔹 Penetration Testing – Ethical hackers simulate real attacks to find critical security
gaps.
🔹 Configuration Reviews – Ensuring systems are set up securely (e.g., no default
passwords).

✅ Example: A company uses Nessus to scan its network weekly for vulnerabilities.

4️⃣ Triaging Vulnerabilities – Prioritizing What to Fix First

📌 Not all vulnerabilities are equally dangerous. Triaging means deciding which ones to
fix first.

🔹 CVSS Score (Common Vulnerability Scoring System) – Rates vulnerabilities from 0 (low risk) to 10 (critical risk).
🔹 Exploitability – Is this weakness easy for hackers to use?
🔹 Business Impact – Will this weakness harm customers or the company’s reputation?
🔹 Regulatory Impact – Will this weakness cause compliance violations?

✅ Example: A company fixes a "critical" vulnerability (CVSS 9.8) that allows remote
hackers to take control of their servers before fixing a "low-risk" bug (CVSS 2.0) in an
employee app.
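The four triage factors above can be combined into a repeatable ranking rather than a judgement call per ticket. Added example, not from the original notes: the CVSS band sets a starting tier, and exploitability, business impact and regulatory impact each raise it; the findings, tier rules and SLA deadlines are constructed assumptions, not an official scheme.

```python
"""Triage (prioritization) for a Vulnerability Management Program. Added
example, not from the original notes; the findings, tier rules and SLA days
are constructed assumptions."""

FINDINGS = [  # constructed sample findings
    {"id": "F1", "asset": "public web server", "cvss": 9.8, "exploitable": True,
     "internet_facing": True, "regulated_data": "PCI DSS", "business_critical": True},
    {"id": "F2", "asset": "employee app", "cvss": 2.0, "exploitable": False,
     "internet_facing": False, "regulated_data": None, "business_critical": False},
    {"id": "F3", "asset": "patient records database", "cvss": 6.5, "exploitable": True,
     "internet_facing": False, "regulated_data": "HIPAA", "business_critical": True},
    {"id": "F4", "asset": "internal wiki", "cvss": 7.5, "exploitable": False,
     "internet_facing": False, "regulated_data": None, "business_critical": False},
]

SLA_DAYS = {1: 7, 2: 30, 3: 90, 4: 180}  # assumed remediation deadline per tier


def tier_from_cvss(cvss):
    """Start from the CVSS bands in the notes: Critical/High/Medium/Low -> P1..P4."""
    if cvss >= 9.0:
        return 1
    if cvss >= 7.0:
        return 2
    if cvss >= 4.0:
        return 3
    return 4


def priority(f):
    """Adjust the CVSS tier by the other triage factors the notes list:
    exploitability (together with reachability), business impact and regulatory
    impact. Each applicable factor raises the finding one tier, never above P1."""
    tier = tier_from_cvss(f["cvss"])
    if f["exploitable"] and (f["internet_facing"] or f["business_critical"]):
        tier -= 1
    if f["regulated_data"] is not None or f["business_critical"]:
        tier -= 1
    return max(1, tier)


def triage(findings):
    """Return (id, tier, sla_days) ordered by tier, then by CVSS descending."""
    ranked = sorted(findings, key=lambda f: (priority(f), -f["cvss"]))
    return [(f["id"], priority(f), SLA_DAYS[priority(f)]) for f in ranked]
```

Note that F3 (CVSS 6.5, Medium by score alone) lands in P1 because it is exploitable on a business-critical system holding HIPAA data, ahead of the CVSS 7.5 wiki finding.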

5️⃣ Improving the Vulnerability Management Program – Getting Better Over Time

📌 A good security program evolves and gets better based on new threats.

🔹 Regular Scanning – Run vulnerability scans weekly or monthly instead of once a year.
🔹 Patch Management – Apply security updates quickly to fix known vulnerabilities.
🔹 Employee Training – Teach employees about phishing, malware, and security best practices.
🔹 Incident Response Plan – Have a clear plan to handle security incidents.

✅ Example: A company updates its security policies every 6 months based on new
hacking techniques.

🔹 Summary Table 🔹

| Factor | What It Means | Example |
|---|---|---|
| Defining Scope | Decide which systems need protection. | A bank secures customer accounts first. |
| Compliance & Regulations | Follow security laws like GDPR, PCI DSS, HIPAA. | A hospital follows HIPAA to protect patient data. |
| Vulnerability Assessment Methods | Scan and test for security weaknesses. | A company runs weekly Nessus scans. |
| Triaging Vulnerabilities | Fix the most dangerous vulnerabilities first. | A business fixes a critical bug (CVSS 9.8) before a minor one. |
| Improving VMP | Continuously update security processes. | A company trains employees on phishing risks. |
