Chapter 17 of 27
Vulnerability Management: Scanning, Prioritization, and Remediation Workflows
Follow the full vulnerability management lifecycle, from scanning and triage to coordinated remediation and verification across complex environments.
Big Picture: What Is Vulnerability Management?
What Is Vulnerability Management?
Vulnerability management is the ongoing process of discovering, assessing, prioritizing, treating, and re-assessing vulnerabilities across an organization’s assets so that risk stays within acceptable limits.
Lifecycle Overview
A typical VM lifecycle: 1) Prepare and scope, 2) Discover and scan, 3) Analyze and validate, 4) Prioritize, 5) Remediate or mitigate, 6) Handle exceptions and acceptance, 7) Verify and report, 8) Continuously improve.
Why It Matters for Security+
On SY0-701, VM questions check if you can place scanning in context, pick the right treatment option, and interpret and prioritize findings realistically in complex, hybrid environments.
Step 1: Preparing and Scoping Your Vulnerability Program
Why Plan Before Scanning?
Planning links VM to asset management and governance, risk, and compliance. You must know what exists, what is in scope, and who owns each system before scanning.
Key Scoping Decisions
Decide which assets to include, how often to scan, when to run scans in relation to business hours, and which teams are responsible for remediation.
SLA and Hybrid Considerations
Define remediation SLAs by severity and asset type, and choose methods that fit on-prem, cloud, and OT systems without disrupting critical operations.
Step 2: Types of Vulnerability Scanning and Tools
Scanning by Method
Network-based scans probe IP ranges and ports; agent-based scans run from inside hosts; web app scanners attack HTTP endpoints; cloud scanners use APIs to check misconfigurations.
Authenticated vs Unauthenticated
Authenticated scans log into systems and see detailed software and configs. Unauthenticated scans see only what an external attacker sees, useful for perimeter views.
Balancing Coverage and Safety
Use a mix of scan types to cover your hybrid environment, while choosing safe modes for fragile systems and coordinating aggressive scans with system owners.
Example: Designing a Scan Strategy for a Hybrid Environment
Scenario Overview
You support a cloud e-commerce site, on-prem ERP, 500 remote laptops, and some OT HVAC controllers. Your goal is to design a realistic vulnerability scanning approach.
Scanning IT Systems
Use external and web app scans for the public website, authenticated scans for internal ERP servers, and agent-based scans for remote laptops so they are covered off-VPN.
Handling OT Safely
For OT HVAC controllers, avoid aggressive scans. Prefer passive monitoring or vendor-approved tools, and coordinate any active checks with the OT team.
Step 3: Understanding and Triaging Scan Results
Anatomy of a Finding
Each finding usually includes the asset, a vulnerability ID (often CVE), a severity rating, description, evidence, and a recommended remediation or mitigation.
First-Pass Triage
Group by asset criticality, remove obvious false positives, check whether the vulnerable service is exposed, and tag issues by type to prepare for handoff.
False Positives vs Negatives
False positives are findings the scanner reports that turn out not to be real; false negatives are real weaknesses the scanner missed. Credentialed and agent-based scans reduce both, but no scan has complete coverage, so treat a clean report as "nothing detected," not as proof that nothing is there.
Step 4: Prioritization and Risk Scoring (Beyond Just CVSS)
CVSS Is a Starting Point
CVSS v3.x base scores (0.0–10.0) map to qualitative ratings (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0), but the base score describes only the vulnerability's intrinsic characteristics. It says nothing about the asset's exposure, its value to your business, or whether attackers are actually exploiting the flaw.
Contextual Factors
Consider exploitability in the wild, internet exposure, business impact, compensating controls, and SLA age when deciding what to fix first.
Common Exam Trap
On the exam, a medium CVSS vuln on a critical, internet-facing server can be more urgent than a critical vuln on an isolated lab machine.
Thought Exercise: Prioritizing Vulnerabilities
Use this scenario to practice risk-based prioritization.
You have three findings from a recent scan:
- Finding A
- CVSS: 9.8 (Critical)
- Asset: Internal lab file server used for test data only.
- Exposure: Internal network only, behind multiple firewalls, no VPN access from the internet.
- Exploits: No public exploit yet; vendor advisory says “complex attack chain.”
- Finding B
- CVSS: 7.5 (High)
- Asset: Public web server hosting customer portal.
- Exposure: Directly internet-facing.
- Exploits: Public exploit code available; security blogs report active exploitation.
- Finding C
- CVSS: 5.3 (Medium)
- Asset: Domain controller.
- Exposure: Internal only, but reachable from all domain-joined machines.
- Exploits: No public exploit, but misconfiguration allows weak encryption for Kerberos.
Your task:
- Rank these three findings in the order you would address them.
- For each, write (mentally or in notes) a one-sentence justification using exposure, impact, and exploitability.
Suggested reasoning (do not peek until you decide):
- Many practitioners would prioritize B first because of active exploitation and internet exposure.
- Next could be C, since compromise of a domain controller can be catastrophic, even with a medium CVSS.
- A might be last: high CVSS, but low business impact and tightly isolated.
This is exactly the kind of reasoning you need both in real operations and on Security+ scenario questions.
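The reasoning above can be made repeatable. The following Python is an added example, not part of the original chapter: it performs the first-pass triage from Step 3 (drop confirmed false positives, tag by CVSS severity and exposure) and then ranks the three findings by a contextual risk score in which exposure, asset criticality, and exploitation status weigh in alongside the raw CVSS number. The weighting scheme, the criticality scale, and the field names are assumptions chosen for illustration and not a standard; the three sample findings are constructed from the exercise, and no CVE identifiers are included because the chapter names none.

```python
"""Triage and risk-based prioritization of scan findings.

Added example. The criticality scale, exposure weights, exploit bonuses
and field names are assumptions for illustration, not a standard, and
the sample findings are constructed from the exercise above.
"""
from dataclasses import dataclass, field


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float
    asset_criticality: int        # assumed scale: 1 lab/test, 2 business, 3 crown jewel
    exposure: str                 # "internet", "internal_broad" or "isolated"
    public_exploit: bool = False
    actively_exploited: bool = False
    false_positive: bool = False  # set by an analyst during validation
    tags: list = field(default_factory=list)


# Assumed weights: how reachable the vulnerable service is scales the base score.
EXPOSURE_WEIGHT = {"internet": 3.0, "internal_broad": 2.0, "isolated": 1.0}


def risk_score(f: Finding) -> float:
    """Contextual score in which CVSS is only one input.

    Exposure and asset criticality scale the base score; threat intel
    adds flat bonuses so an actively exploited High on a public server
    outranks an unexploited Critical on an isolated lab host.
    """
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure] * f.asset_criticality
    if f.public_exploit:
        score += 10.0
    if f.actively_exploited:
        score += 20.0
    return round(score, 1)


def triage(findings: list) -> list:
    """First pass: drop confirmed false positives, tag each finding with
    its CVSS severity and exposure, and return the rest ranked by
    contextual risk, highest first."""
    kept = []
    for f in findings:
        if f.false_positive:
            continue
        f.tags = [cvss_severity(f.cvss)]
        if f.exposure == "internet":
            f.tags.append("internet-facing")
        kept.append(f)
    return sorted(kept, key=risk_score, reverse=True)


# Constructed sample: Findings A, B and C from the thought exercise.
SAMPLE_FINDINGS = [
    Finding("A", "lab-fileserver", 9.8, 1, "isolated"),
    Finding("B", "customer-portal-web", 7.5, 3, "internet",
            public_exploit=True, actively_exploited=True),
    Finding("C", "domain-controller", 5.3, 3, "internal_broad"),
]


def ranked_ids(findings: list = SAMPLE_FINDINGS) -> list:
    """Finding IDs in the order they should be worked."""
    return [f.finding_id for f in triage(findings)]


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f.finding_id, f.asset, risk_score(f), f.tags)
```

With these weights the order comes out B, C, A: B scores 97.5 (exploited, internet-facing, high-value asset), C scores 31.8 (medium CVSS but a domain controller reachable from every domain-joined host), and A scores 9.8 because isolation and low business impact leave the Critical base score unamplified. Changing the weights changes the numbers, which is the point: the organization, not the scanner, decides how exposure and criticality trade off against base severity.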
Step 5: Remediation, Mitigation, and Risk Acceptance
What Is Remediation?
Remediation fully fixes the vulnerability, such as applying a patch, upgrading software, or removing a vulnerable component so the specific attack is no longer possible.
What Is Mitigation?
Mitigation reduces likelihood or impact without removing the root cause, such as adding WAF rules, hardening firewalls, or increasing monitoring around a vulnerable service.
What Is Risk Acceptance?
Risk acceptance is a formal management decision to live with a vulnerability, documented with justification, owner, and review date, often supported by compensating controls.
Example: Building a Remediation Workflow
From Finding to Ticket
Analysts validate critical findings, open tickets with CVE, severity, affected assets, and SLA-based due dates, and assign them to application and infrastructure owners.
Plan, Patch, and Mitigate
Teams coordinate maintenance windows, apply patches in test then production, and use temporary mitigations like WAF rules if patching must be delayed.
Verify and Close the Loop
After changes, analysts rescan to confirm the vulnerability is gone before closing tickets, or re-open them if issues remain.
Quiz 1: Scan Types and Prioritization
Answer this question to check your understanding of scan types and prioritization.
Your organization wants to understand exactly which patches are missing on remote employee laptops that rarely connect to the VPN. Which scanning approach is MOST appropriate, and which factor should you consider first when prioritizing the resulting vulnerabilities?
- A. Unauthenticated external network scanning; prioritize strictly by CVSS score
- B. Agent-based scanning; prioritize by asset criticality and exploitability in the wild
- C. Web application scanning; prioritize by age of the CVE only
- D. Authenticated internal scanning from the data center; prioritize only internet-facing systems
Answer: B. Agent-based scanning; prioritize by asset criticality and exploitability in the wild
Agent-based scanning is best for remote laptops that are often off-VPN, because the agent inventories installed software and patches locally and reports to the management console whenever the laptop has any internet connectivity; a network scan from the data center would simply never see a device that is not on the VPN. Prioritization should consider asset criticality and whether the vulnerabilities are being actively exploited, not raw CVSS scores or CVE age alone.
Quiz 2: Remediation vs Mitigation vs Acceptance
Test your ability to distinguish vulnerability treatment options.
A legacy application runs only on an outdated operating system that is no longer supported and has multiple known vulnerabilities. The business cannot replace it for 18 months. Security isolates the system on its own VLAN, restricts access to a few jump hosts, and implements strict monitoring. Management signs a document acknowledging the remaining risk. Which TWO treatment types are BEST represented?
- A. Remediation and mitigation
- B. Mitigation and risk acceptance
- C. Remediation and risk acceptance
- D. Risk avoidance and remediation
Answer: B. Mitigation and risk acceptance
Isolating the system, adding access controls, and monitoring are mitigations that reduce likelihood and impact without fixing the root vulnerabilities. Management’s signed acknowledgment of the remaining risk is risk acceptance. There is no full remediation or avoidance here because the vulnerable system remains in use.
Step 6: Exception Handling, Reporting, and Continuous Improvement
Handling Exceptions
Exception handling formalizes risk acceptance: the system owner requests the exception, security reviews it, and management approves it with a defined scope, the compensating controls that must stay in place, and an expiration date. An open-ended waiver is never acceptable; every exception must come back for review.
Reporting and Metrics
Track counts by severity, mean time to remediate, SLA compliance, and trends over time to show progress and justify investments in tools and staffing.
Continuous Improvement
Use incidents and metrics to refine asset inventory, scan coverage, ownership, and integrations with SOC monitoring, then repeat the VM cycle.
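The metrics named above and the exception rule from "Handling Exceptions" (no open-ended waivers, and every exception has an expiration date) can both be checked mechanically against ticket and exception records. This Python is an added example, not the chapter's own material: the record layouts, the sample dates, the approver names, and the convention of excluding open tickets that are not yet due from the SLA compliance figure are assumptions, and all data below is constructed.

```python
"""Vulnerability management metrics and exception hygiene.

Added example. Record layouts, the sample dates and the rule that open
tickets not yet due are excluded from SLA compliance are assumptions;
all data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class TicketRecord:
    severity: str
    opened: date
    due: date
    verified: Optional[date]   # None while the ticket is still open


@dataclass
class ExceptionRecord:
    asset: str
    approver: str
    expires: Optional[date]    # None is an open-ended waiver, which is not permitted


def mttr_days(tickets: list, severity: Optional[str] = None) -> Optional[float]:
    """Mean time to remediate: opening to verified rescan, closed tickets only."""
    durations = [
        (t.verified - t.opened).days
        for t in tickets
        if t.verified is not None and (severity is None or t.severity == severity)
    ]
    if not durations:
        return None
    return round(sum(durations) / len(durations), 1)


def sla_compliance(tickets: list, today: date) -> float:
    """Share of decided tickets that met their SLA. Open tickets past due
    count as breaches; open tickets not yet due are undecided and excluded."""
    decided = 0
    met = 0
    for t in tickets:
        if t.verified is not None:
            decided += 1
            if t.verified <= t.due:
                met += 1
        elif today > t.due:
            decided += 1
    return round(met / decided, 3) if decided else 1.0


def open_by_severity(tickets: list) -> dict:
    """Backlog counts by severity for the trend report."""
    return dict(Counter(t.severity for t in tickets if t.verified is None))


def exception_problems(exceptions: list, today: date) -> list:
    """Flag waivers that break the 'never open-ended' rule or have lapsed."""
    problems = []
    for e in exceptions:
        if e.expires is None:
            problems.append(f"{e.asset}: open-ended exception approved by {e.approver}")
        elif e.expires < today:
            problems.append(f"{e.asset}: exception expired {e.expires.isoformat()}; re-review or remediate")
    return problems


# Constructed sample data.
TODAY = date(2024, 6, 30)
TICKETS = [
    TicketRecord("Critical", date(2024, 6, 1), date(2024, 6, 8), date(2024, 6, 5)),
    TicketRecord("Critical", date(2024, 6, 2), date(2024, 6, 9), date(2024, 6, 12)),
    TicketRecord("High", date(2024, 5, 1), date(2024, 5, 31), date(2024, 5, 20)),
    TicketRecord("Medium", date(2024, 5, 10), date(2024, 8, 8), None),   # open, not yet due
    TicketRecord("High", date(2024, 4, 1), date(2024, 5, 1), None),      # open and overdue
]
EXCEPTIONS = [
    ExceptionRecord("legacy-erp-db", "CIO", date(2025, 12, 31)),
    ExceptionRecord("hvac-controller-3", "plant-manager", None),
    ExceptionRecord("print-server-2", "IT-director", date(2024, 3, 31)),
]


def report(tickets: list = TICKETS, exceptions: list = EXCEPTIONS, today: date = TODAY) -> dict:
    """Assemble the figures a monthly VM report would carry."""
    return {
        "mttr_days_all": mttr_days(tickets),
        "mttr_days_critical": mttr_days(tickets, "Critical"),
        "sla_compliance": sla_compliance(tickets, today),
        "open_by_severity": open_by_severity(tickets),
        "exception_problems": exception_problems(exceptions, today),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two details matter for honest reporting. MTTR is measured to the verified rescan, not to the date someone marked the ticket fixed, so a patch that failed to take does not flatter the number. And SLA compliance counts an overdue open ticket as a breach rather than waiting for it to close, which keeps a growing backlog from hiding inside a compliance figure computed only over closed work.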
Key Term Review: Vulnerability Management
Flip through these flashcards to reinforce core concepts before moving on.
- Vulnerability management
- The ongoing process of discovering, assessing, prioritizing, treating, and re-assessing vulnerabilities across an organization’s assets to keep risk within acceptable limits.
- Network-based vulnerability scan
- A scan that probes IP ranges and ports from the network to identify hosts, services, and known vulnerabilities based on service responses and banners.
- Agent-based vulnerability scan
- A scanning approach that uses lightweight agents installed on endpoints or servers to collect local software, configuration, and patch information and report it to a central console, so devices are covered even when they are off the corporate network or VPN.
- Authenticated (credentialed) scan
- A vulnerability scan that logs into target systems with valid credentials to gather detailed information, reducing false positives and improving accuracy.
- CVSS
- The Common Vulnerability Scoring System, which assigns a base score from 0.0 to 10.0 to rate the intrinsic severity of a vulnerability and maps it to a qualitative rating (None, Low, Medium, High, or Critical); it does not measure exposure or business impact in a specific environment.
- Remediation
- A treatment option that fully fixes the underlying vulnerability, such as applying a patch, upgrading software, or removing a vulnerable component.
- Mitigation
- A treatment option that reduces the likelihood or impact of exploitation without eliminating the root cause, often by adding controls like firewalls, WAF rules, or monitoring.
- Risk acceptance
- A formal management decision to live with a vulnerability’s residual risk, documented with justification, scope, approver, and review date.
- Compensating control
- An alternate control that provides comparable protection when a standard or preferred control (such as patching) cannot be implemented.
- Hybrid environment
- An enterprise environment that mixes cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources, each of which must be inventoried, scanned, and secured with methods suited to it.
- Zero trust
- A security model that assumes no implicit trust based on network location and requires continuous verification of users and devices, limiting access to only what is needed.
- Governance, risk, and compliance
- The policies, oversight structures, risk-assessment practices, and regulatory obligations an organization operates under; in vulnerability management, GRC determines what is in scope, which remediation SLAs apply, and who may approve exceptions.
Key Terms
- CVSS
- Common Vulnerability Scoring System, a standardized framework for rating the severity of software vulnerabilities on a scale from 0.0 to 10.0.
- mitigation
- Actions that reduce the likelihood or impact of exploitation but do not remove the underlying vulnerability.
- remediation
- Actions that fully resolve a vulnerability, such as patching or upgrading software so the weakness no longer exists.
- risk acceptance
- A conscious, documented decision by management to tolerate the residual risk of a vulnerability instead of remediating it.
- agent-based scan
- A vulnerability assessment method that uses installed agents on endpoints or servers to collect local data about software, patches, and configurations.
- authenticated scan
- A scan that uses valid credentials to log into target systems for detailed, accurate vulnerability detection.
- exception handling
- The process of requesting, reviewing, approving, and documenting deviations from standard vulnerability remediation requirements.
- network-based scan
- A vulnerability assessment performed over the network that probes IP ranges and ports to discover hosts, services, and potential vulnerabilities.
- vulnerability scan
- An automated process that examines systems, applications, or configurations to identify known vulnerabilities or misconfigurations.
- compensating control
- An alternative security control that achieves a similar risk reduction when the preferred control cannot be implemented.
- unauthenticated scan
- A scan that tests systems without logging in, seeing only what an external or unauthenticated attacker could see.
- vulnerability management
- The ongoing process of discovering, assessing, prioritizing, treating, and re-assessing vulnerabilities across an organization’s assets to keep risk within acceptable limits.
- risk-based prioritization
- The practice of ranking vulnerabilities not only by technical severity but also by exploitability, exposure, and business impact.
- ITSM (IT Service Management)
- A set of processes and tools used to manage IT services, including change management and ticketing for remediation tasks.
- MTTR (Mean Time to Remediate)
- An operational metric that measures the average time it takes to fix identified vulnerabilities.