
Vulnerability Management: Study Notes

1. Introduction to Vulnerabilities

• Definition: A vulnerability is a flaw or weakness in software that can be exploited by a threat actor to compromise an IT system.

• Common outcomes of exploitation:

o Data exfiltration

o System control (e.g., remote code execution)

o Ransomware deployment

2. Key Terms

• Vulnerability: A software weakness that can be exploited.

• Threat: An entity (individual or group) actively looking to exploit vulnerabilities.

• Risk: The potential damage or loss that can result if a vulnerability is successfully exploited by a threat.

Example:

• Vulnerability: Outdated Windows server with an RCE flaw.

• Threat: Ransomware gang.

• Risk: Financial losses due to system downtime and data recovery.

3. CVE and CVSS

• CVE (Common Vulnerabilities and Exposures):

o An identifier for known vulnerabilities.

o Format: CVE-YYYY-XXXX

• CVSS (Common Vulnerability Scoring System):

o Measures severity of a vulnerability (scale of 0–10).

o Managed by NVD (National Vulnerability Database), maintained by NIST.

CVSS Metric Groups:


1. Base Metrics:

o Exploitability: Ease of exploitation.

o Impact: Potential consequence of a successful exploit.

2. Temporal Metrics:

o Change over time (e.g., availability of exploit kits or patches).

3. Environmental Metrics:

o Specific to an organization’s environment (e.g., existing security controls, system importance).

4. Vulnerability Management Lifecycle

A continuous process involving multiple teams such as:

• Vulnerability Management

• IT Risk/Compliance

• Patching/Infrastructure

Steps:

1. Discover:

o Identify vulnerabilities using:

- Remote scans

- Agent-based scans

2. Prioritize Assets:

o Consider whether assets are:

- In a DMZ (demilitarized zone)

- Public facing

- Holding crown jewels (critical business data)

- Hosting mission-critical applications

3. Assess and Triage:

o Focus on CVSS ≥ 7 (high severity, often exploited)

o Triage results based on exploitability and business impact

4. Report:

o Create clear, actionable reports

o Show affected assets and severity rankings

5. Remediate:

o Primarily via patches and system upgrades

o Based on priority in the report

6. Verify:

o Conduct follow-up scans post-remediation

o Manual checks where necessary
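As an added worked example (not part of the original notes), the Discover, Prioritize Assets, Assess and Triage, and Report steps above as a small Python triage routine: it validates CVE identifiers, drops findings below the CVSS ≥ 7 threshold, and ranks the rest by the asset factors listed under Prioritize Assets. The asset names and CVE numbers in the sample are constructed placeholders, and the pattern accepts four or more sequence digits because real CVE IDs may carry more than four.

```python
import re
from dataclasses import dataclass

# CVE-YYYY-NNNN; the sequence part may be longer than four digits.
CVE_PATTERN = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Finding:
    """One scan result (Discover step) joined with asset attributes (Prioritize step)."""
    asset: str
    cve: str
    cvss: float                    # CVSS base score, 0.0 to 10.0
    dmz: bool = False
    public_facing: bool = False
    crown_jewels: bool = False
    mission_critical: bool = False


def is_valid_cve(cve_id: str) -> bool:
    """Reject malformed identifiers before they reach the report."""
    return bool(CVE_PATTERN.match(cve_id))


def asset_weight(f: Finding) -> int:
    """Count the criticality factors from the notes; more factors, higher weight."""
    return sum([f.dmz, f.public_facing, f.crown_jewels, f.mission_critical])


def triage(findings: list[Finding], threshold: float = 7.0) -> list[Finding]:
    """Assess/Triage: keep valid findings at or above the CVSS threshold,
    then rank by asset weight first and CVSS score second."""
    kept = [f for f in findings if is_valid_cve(f.cve) and f.cvss >= threshold]
    return sorted(kept, key=lambda f: (asset_weight(f), f.cvss), reverse=True)


def report_rows(ranked: list[Finding]) -> list[str]:
    """Report step: one actionable line per finding, in priority order."""
    return [f"{i}. {f.asset} {f.cve} CVSS {f.cvss:.1f} (asset factors: {asset_weight(f)})"
            for i, f in enumerate(ranked, 1)]


# Constructed sample findings; asset names and CVE numbers are placeholders.
SAMPLE = [
    Finding("web-01", "CVE-2024-11111", 10.0, dmz=True, public_facing=True),
    Finding("db-02", "CVE-2023-22222", 8.1, crown_jewels=True, mission_critical=True),
    Finding("kiosk-07", "CVE-2022-3333", 5.3),             # below threshold, dropped
    Finding("cam-04", "NOT-A-CVE", 9.8, dmz=True),         # malformed ID, dropped
    Finding("hr-app-03", "CVE-2024-44444", 7.5, mission_critical=True),
]

if __name__ == "__main__":
    print("\n".join(report_rows(triage(SAMPLE))))
```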

5. Scanning Strategies

Types of Scans:

1. Remote Scans:

o Conducted externally

o Emulates attacker perspective

o Focused on public IPs, external exposure

2. Agent-Based Scans:

o Internal scanning from the asset

o High fidelity results (registry, config files)

3. Authenticated Scans:

o Use system credentials

o Provide in-depth, accurate vulnerability data

4. Unauthenticated Scans:

o No credentials used

o Surface-level analysis

Attack Surface Management:

• Involves scanning external-facing systems

• Identifies what attackers can see

• Often reveals firewall misconfigurations or exposed ports

Internal Vulnerability Scanning:

• Essential for detecting lateral movement opportunities

• Attackers already inside the network may exploit these

6. Risk Management for Scanning

• Some devices (e.g., IP cameras, sensitive systems) can be disrupted by scans.

• Steps to manage:

1. Get risk acceptance from risk/compliance teams.

2. Add devices/IPs to scanner exemption lists.

3. Apply network segmentation to reduce exposure.
