Chapter 15 of 25

Asset Management and Vulnerability Management Workflows

See why you cannot secure what you don’t know you have by tying asset inventories directly into structured vulnerability management processes.

Why Asset and Vulnerability Management Belong Together

Big Picture

Asset and vulnerability management are tightly linked: you cannot patch or protect systems you do not know exist. A solid asset inventory is the foundation of effective vulnerability management.

Asset Management Defined

Asset management means discovering, identifying, classifying, and tracking hardware, software, data stores, cloud services, user accounts, and more, including where they are and how critical they are.

Vulnerability Management Defined

Vulnerability management is the continuous process of finding, assessing, prioritizing, treating, and verifying remediation of security weaknesses across your assets.

Why It Matters

Inaccurate inventories lead to blind spots: scanners miss systems, reports are incomplete, and high-risk exposures remain. This directly impacts resilience, continuity, and audit readiness.

Hybrid Environments

In a hybrid environment, with on-premises, cloud, mobile, IoT, and OT, asset and vulnerability workflows must be structured and automated to keep up with constant change.

Asset Management Foundations: What Are We Tracking?

Types of Assets

Organizations track hardware, software, services, data, and accounts. Each of these can introduce vulnerabilities and must appear in the inventory to be secured.

Hardware and Software

Hardware includes servers, laptops, network gear, mobile, IoT, and OT. Software includes OSs, apps, libraries, plugins, containers, and firmware versions.

Services and Data

Service assets include cloud services, APIs, serverless, and managed security tools. Data assets include databases, file shares, backups, logs, and critical business datasets.

Identity Assets

User and privileged accounts, service accounts, API keys, and machine identities are also assets because compromise of these can be as damaging as device compromise.

Key Inventory Fields

Good inventories store ID, location, owner, function, criticality, environment, configuration, and lifecycle state so security teams can understand risk and plan controls.

Discovery and Inventory in a Hybrid Environment

Hybrid Discovery Problem

In a hybrid environment with on-premises, cloud, mobile, IoT, and OT, assets appear and disappear quickly. Security teams need structured discovery to keep up.

Network and Agent-Based Discovery

Network scanners probe IP ranges to find hosts and ports. Agent-based tools on endpoints and servers send detailed hardware and software info to a central system.

Cloud and Identity Sources

Cloud APIs list VMs, containers, storage, and functions. Directories and identity providers reveal users, devices, and groups that also count as assets.

Passive Monitoring

Passive monitoring inspects network traffic to spot unknown or rogue devices and services without actively probing them, useful where active scans are risky.

Challenges and Best Practice

Shadow IT, offline devices, and fragile OT/IoT complicate discovery. Continuous, automated discovery reduces blind spots and keeps vulnerability data accurate.
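The reconciliation the section describes, as an added example (not from the chapter): discovery results from several sources are merged and compared with the inventory of record to surface unknown, unseen, zombie, and unscanned assets. Source names, inventory fields, and the sample assets are constructed assumptions.

```python
# Added example: reconcile what discovery sources observed against the inventory of
# record. Source names, inventory fields and sample assets are constructed, not the chapter's.

# Inventory of record: asset id -> the fields the chapter lists (subset).
INVENTORY = {
    "web-03":    {"owner": "web-team", "criticality": "tier1", "state": "active"},
    "db-01":     {"owner": "dba",      "criticality": "tier1", "state": "active"},
    "api-gw-01": {"owner": "platform", "criticality": "tier1", "state": "active"},
    "hr-app-02": {"owner": "hr-it",    "criticality": "tier2", "state": "active"},
    "lab-07":    {"owner": "research", "criticality": "tier3", "state": "decommissioned"},
}

# What each discovery source saw during the last cycle.
SOURCES = {
    "network_scan": {"web-03", "db-01", "printer-9"},
    "agent":        {"web-03", "db-01"},
    "cloud_api":    {"web-03", "api-gw-01", "fn-upload"},
    "passive":      {"web-03", "printer-9", "lab-07"},
}

# Sources whose data feeds the vulnerability scanner; an active asset seen by
# none of them is a scan blind spot even though the inventory knows about it.
SCAN_SOURCES = {"network_scan", "agent"}

def reconcile(inventory, sources):
    """Return the gaps between discovery results and the inventory."""
    seen = {}                     # asset id -> set of sources that observed it
    for src, ids in sources.items():
        for aid in ids:
            seen.setdefault(aid, set()).add(src)
    observed = set(seen)
    active = {a for a, rec in inventory.items() if rec["state"] == "active"}
    retired = set(inventory) - active
    return {
        # Observed but not inventoried: shadow IT or an unregistered cloud resource.
        "unknown": {a: sorted(s) for a, s in seen.items() if a not in inventory},
        # Active in the inventory but observed by no source: offline, moved, or stale.
        "unseen": sorted(active - observed),
        # Decommissioned on paper but still seen on the network: a zombie asset.
        "zombie": sorted(retired & observed),
        # Active and seen, but never by a scan source: the scanner cannot reach it.
        "scan_gap": sorted(a for a in active & observed if not seen[a] & SCAN_SOURCES),
    }
```

Each bucket maps to a different follow-up: unknown assets need an owner and a record, unseen ones need a liveness check, zombies need actual decommissioning, and scan gaps need scanner coverage before their vulnerability data can be trusted.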

Vulnerability Management Lifecycle: The Core Workflow

Lifecycle Overview

Vulnerability management is a continuous cycle: discover assets, scan for weaknesses, assess results, prioritize, remediate or mitigate, validate, and report.

Discovery and Scanning

Discovery confirms the in-scope assets. Vulnerability scanning uses automated tools to probe systems, software, and configs for known weaknesses and misconfigurations.

Assessment and Prioritization

Assessment cleans up scan results and adds business context. Prioritization ranks issues by severity, criticality of the asset, exposure, and exploitability.

Remediation and Validation

Remediation or mitigation applies patches, config changes, or controls. Validation re-scans or tests to ensure vulnerabilities are actually fixed or risk is reduced.

Governance Angle

Governance, risk, and compliance expectations require a documented, repeatable vulnerability management process that can be audited and measured over time.

Vulnerability Scanning and Assessment: A Concrete Scenario

Scenario Setup

You are a junior analyst. Weekly authenticated scans run against 50 production Windows servers in both cloud and on-premises environments.

Scan Configuration

The scan uses domain credentials and checks OS patches, insecure services, and weak configurations like SMBv1. Scope and profiles are clearly defined.

Sample Results

Results show critical remote code execution issues on 5 servers, high-severity missing patches on 20, TLS 1.0 enabled on 10, plus many low or informational items.

Assessment Activities

You validate critical findings, map them to specific assets in the inventory, and analyze exposure: which servers are internet-facing and which are internal-only.

From Noise to Action

After assessment, you have a curated list of real vulnerabilities tied to business owners. This refined list drives prioritization and remediation decisions.

Prioritization: Asset Criticality, Exposure, and Risk

Why Prioritization Matters

You cannot fix everything at once. Prioritization focuses limited resources on the vulnerabilities that pose the greatest risk to the organization.

Severity and Criticality

Tools use CVSS scores, but a medium-severity issue on a highly critical asset can be more important than a high-severity issue on a low-criticality lab system.

Exposure Considerations

Internet-facing, flat networks, and third-party access increase exposure. Internal-only or heavily segmented systems may have lower effective risk.

Exploitability and Threat Intel

Known exploits, active attacks, and inclusion in common attack playbooks all increase priority, even if the base CVSS score is moderate.

Role of Asset Inventory

Integrated asset inventories let tools automatically attach criticality and ownership to findings, enabling targeted views like critical issues on Tier 1 systems.

From Finding to Fix: Remediation Workflows

Detection to Ticket

A critical RCE on an internet-facing login server is found. The tool auto-creates a ticket with asset details, severity, exposure, and an SLA for remediation.

Planning the Fix

The team chooses between patching, upgrading, disabling a feature, or adding a WAF rule. System owners and CAB ensure the plan aligns with uptime and continuity needs.

Implementing Changes

Changes are tested in staging, then rolled out in a maintenance window. Emergency change processes may apply for especially dangerous vulnerabilities.

Validation Step

After deployment, a re-scan confirms the vulnerability is gone. Only then is the ticket closed and remediation metrics updated for reporting.

Exam Trap

Be cautious of answers that ignore validation or formal change management when the scenario mentions uptime or business impact requirements.

Thought Exercise: Interpreting a Simple Scan Output

Use this thought exercise to practice interpreting vulnerability scan results conceptually and choosing next steps.

You receive the following simplified output for host `web-03` in production:

  • Finding 1: CVE-2023-12345, CVSS 9.8 (Critical), remote code execution in web framework, public exploit available, affected version: 3.2.x. Detected: version 3.2.4.
  • Finding 2: TLS 1.0 enabled on HTTPS listener, CVSS 5.0 (Medium), internal policy requires TLS 1.2 or higher.
  • Finding 3: Verbose server banner reveals software name and version, CVSS 3.1 (Low).

Additional context from the asset inventory:

  • `web-03` is internet-facing.
  • It is part of the customer login cluster (Tier 1 criticality).
  • There is a WAF in front of the cluster, currently using generic rules.

Your tasks (mentally or on paper):

  1. Rank the three findings in order of remediation priority and briefly justify your ranking using severity, criticality, and exposure.
  2. For the top-priority finding, list at least two possible remediation or mitigation actions.
  3. Identify what you would want to verify during validation after the fix.

When you are done, compare your reasoning to this outline:

  • The RCE (Finding 1) on a Tier 1, internet-facing asset with public exploits should clearly rank first.
  • Enforcing modern TLS (Finding 2) is important for policy and security but is less urgent than a live RCE.
  • The verbose banner (Finding 3) is low-priority hardening.

The key is to tie scan data to asset context, not just read CVSS numbers in isolation.
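The risk ranking described in the prioritization section and applied in this thought exercise, as an added example (not from the chapter): CVSS is scaled by asset criticality and then multiplied by exposure and exploitability factors, so a medium finding on a Tier 1 system can outrank a high finding on a lab box. The tier weights and multipliers are assumed illustrative values; the findings are those of the exercise above and the dev-versus-payment-server comparison from Quiz 2 below.

```python
# Added example: rank scan findings by risk (CVSS x asset criticality x exposure
# x exploitability) instead of by CVSS alone. Weights are assumed, not from the chapter.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    tier: int             # 1 = Tier 1 (most critical), 3 = lab / low criticality
    internet_facing: bool

@dataclass
class Finding:
    title: str
    asset: Asset
    cvss: float           # scanner's base score
    public_exploit: bool = False
    actively_exploited: bool = False

TIER_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}   # assumed: Tier 1 impact counts triple

def risk_score(f: Finding) -> float:
    """Risk = impact (CVSS scaled by criticality) x likelihood (exposure, exploitability)."""
    impact = f.cvss * TIER_WEIGHT[f.asset.tier]
    likelihood = 1.0
    if f.asset.internet_facing:
        likelihood *= 2.0     # reachable from the internet
    if f.public_exploit:
        likelihood *= 2.0     # already weaponized
    if f.actively_exploited:
        likelihood *= 2.0     # threat intel reports live attacks
    return impact * likelihood

def ranking(findings):
    """Titles and rounded scores, highest risk first: the remediation order."""
    ordered = sorted(findings, key=risk_score, reverse=True)
    return [(f.title, round(risk_score(f), 1)) for f in ordered]

# Thought exercise: three findings on web-03 (Tier 1, internet-facing).
WEB_03 = Asset("web-03", tier=1, internet_facing=True)
THOUGHT_EXERCISE = [
    Finding("Verbose server banner", WEB_03, 3.1),
    Finding("TLS 1.0 enabled", WEB_03, 5.0),
    Finding("CVE-2023-12345 RCE", WEB_03, 9.8, public_exploit=True),
]
# Quiz 2: high severity on an internal dev box vs medium on an internal payment server.
QUIZ_2 = [
    Finding("High on dev server", Asset("dev-01", 3, False), 7.5),
    Finding("Medium on payment server", Asset("pay-01", 1, False), 5.5),
]
```

Calling `ranking(THOUGHT_EXERCISE)` puts the RCE first by a wide margin, and `ranking(QUIZ_2)` places the payment server's medium finding above the dev server's high one, matching the reasoning in the answer outline.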

Quiz 1: Asset and Discovery Basics

Check your understanding of asset management and discovery.

Which option best explains why continuous asset discovery is critical for effective vulnerability management in a hybrid environment?

  A. It ensures that only on-premises servers are scanned, reducing false positives.
  B. It keeps the asset inventory aligned with rapidly changing cloud, mobile, IoT, and on-premises resources so scanners can cover all relevant systems.
  C. It allows security teams to disable vulnerability scanning on legacy systems that might crash.
  D. It guarantees that every vulnerability can be remediated immediately after it is discovered.

Answer: B) It keeps the asset inventory aligned with rapidly changing cloud, mobile, IoT, and on-premises resources so scanners can cover all relevant systems.

In a hybrid environment, assets are constantly created, moved, or decommissioned across cloud, mobile, IoT, OT, and on-premises areas. Continuous discovery keeps the inventory accurate so vulnerability scans include all relevant systems. The other options are either too narrow, unsafe, or unrealistic.

Quiz 2: Prioritization and Next Steps

Test your ability to pick the best next step in the vulnerability workflow.

A scan reports a high-severity vulnerability on a development server and a medium-severity vulnerability on a production payment-processing server. Both are internal-only. According to good vulnerability management practice, what is the BEST next action?

  A. Fix the high-severity vulnerability on the development server first because its CVSS score is higher.
  B. Ignore both findings because they are not on internet-facing systems.
  C. Prioritize remediation of the medium-severity vulnerability on the production payment-processing server due to its higher business criticality.
  D. Immediately decommission both servers to eliminate risk.

Answer: C) Prioritize remediation of the medium-severity vulnerability on the production payment-processing server due to its higher business criticality.

Business criticality of the asset is a major factor in prioritization. Even though the development server has a higher technical severity, the production payment-processing server is more critical to the organization, so its medium-severity issue should be prioritized. The other options either ignore risk context or are unrealistic.

Key Term Flashcards: Assets and Vulnerabilities

Flip these cards (mentally) to reinforce key terms for Security+.

Asset management
The discipline of discovering, identifying, classifying, and tracking organizational assets such as hardware, software, services, data, and accounts so they can be protected and managed throughout their lifecycle.
Vulnerability management
A continuous process used to find, assess, prioritize, treat, and verify the remediation of security weaknesses across an organization’s assets.
Hybrid environment
An enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Governance, risk, and compliance
Operating with an awareness of applicable regulations and policies, and applying the principles of governance, risk, and compliance when securing enterprise environments.
Asset criticality
A measure of how important an asset is to business operations, safety, or regulatory obligations; higher criticality increases the priority of vulnerabilities found on that asset.
Exposure (in vulnerability management)
The degree to which a vulnerable asset can be reached or attacked, influenced by factors like internet-facing status, network segmentation, and access paths.
Validation (in vulnerability management)
The step where security teams confirm that remediation or mitigation actions have successfully reduced or eliminated a vulnerability, often by re-scanning or testing.
Compensating control
A security control that is put in place to satisfy a requirement or reduce risk when the primary or recommended control is not feasible or cannot be implemented immediately.

Connecting Vulnerability Management to Risk and Governance

Risk View

Each vulnerability on a critical asset represents a threat scenario. Prioritization is risk ranking: combining likelihood (exploitability, exposure) and impact (criticality, data sensitivity).

Governance Expectations

Policies define patch SLAs. Auditors review reports and tickets. Regulations and frameworks expect evidence of a structured, repeatable vulnerability management process.

Metrics and Reporting

Metrics like time to remediate critical issues or percentage of unpatched internet-facing systems feed into risk dashboards and executive reporting.

Security+ Domain Links

This topic touches the Security+ domains General Security Concepts; Threats, Vulnerabilities, and Mitigations; Security Operations; and Security Program Management and Oversight.

Looking Ahead

As you practice with diagnostics and mock exams, focus on scenario questions that ask for the best next step, grounded in risk and governance requirements.

Key Terms

CVSS
Common Vulnerability Scoring System, a standardized way to capture the principal characteristics of a vulnerability and produce a numerical severity score from 0.0 to 10.0.
Exposure
The degree to which a vulnerable asset can be reached or attacked, influenced by factors like internet-facing status, network segmentation, and access paths.
Validation
The step in vulnerability management where security teams confirm that remediation or mitigation actions have successfully reduced or eliminated a vulnerability, often by re-scanning or testing.
Asset management
The discipline of discovering, identifying, classifying, and tracking organizational assets such as hardware, software, services, data, and accounts so they can be protected and managed throughout their lifecycle.
Asset criticality
A measure of how important an asset is to business operations, safety, or regulatory obligations; higher criticality increases the priority of vulnerabilities found on that asset.
Hybrid environment
An enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Compensating control
A security control that is put in place to satisfy a requirement or reduce risk when the primary or recommended control is not feasible or cannot be implemented immediately.
Vulnerability management
A continuous process used to find, assess, prioritize, treat, and verify the remediation of security weaknesses across an organization’s assets.
Remote code execution (RCE)
A class of vulnerability that allows an attacker to run arbitrary code on a target system, often leading to full compromise.
Governance, risk, and compliance
Operating with an awareness of applicable regulations and policies, and applying the principles of governance, risk, and compliance when securing enterprise environments.
