Skip to content

Vulnerability Scanning and Management

Vulnerability lifecycle management: scanning with Nessus and OpenVAS, CVE/CVSS scoring interpretation, authenticated vs unauthenticated scans, patch management process, and vulnerability prioritization.

Key Facts

  • Authenticated scans find significantly more vulnerabilities than unauthenticated scans
  • CVSS base score alone is misleading - environmental context determines actual risk
  • Critical systems should be scanned weekly; others monthly at minimum
  • Patch management requires testing in staging before production deployment
  • False positive management is critical - unverified findings undermine report credibility
  • Scanning cadence should be risk-based, not just calendar-based

Scanning Tools

Nessus

Commercial scanner (free Essentials for 16 IPs): - Comprehensive plugin library updated regularly - Compliance scanning (CIS, PCI DSS, DISA STIG) - Credential-based scanning for deeper analysis - Reporting and trending over time

OpenVAS / GVM

Open-source alternative: - Community feed with vulnerability tests - Web-based management interface - Scheduled scanning capabilities - Good for continuous monitoring on a budget

Scan Types

Type Access Depth Use Case
Unauthenticated External only Surface-level External attack surface
Authenticated Credentials provided Deep Internal assessment, compliance
Agent-based Installed agent Deepest Continuous monitoring

CVE / CVSS / NVD

CVE (Common Vulnerabilities and Exposures)

Unique identifier format: CVE-YEAR-NUMBER (e.g., CVE-2021-44228 for Log4Shell).

CVSS (Common Vulnerability Scoring System)

0-10 severity scale with three metric groups: - Base - intrinsic characteristics (attack vector, complexity, privileges, impact) - Temporal - exploit maturity, remediation level, report confidence - Environmental - customized for your organization (modified impact, target distribution)

Score Severity
0.0 None
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical

NVD (National Vulnerability Database)

NIST-maintained database linking CVEs with CVSS scores, references, and CPE (affected products).

Patch Management Lifecycle

  1. Discovery - scan for missing patches
  2. Assessment - evaluate applicability and risk
  3. Testing - apply patches in staging/test environment
  4. Deployment - phased rollout to production
  5. Verification - confirm patches applied successfully
  6. Documentation - record changes for audit trail

Prioritization

Not all vulnerabilities need immediate patching: - CVSS 9.0+ with known exploit = patch immediately - CVSS 7.0-8.9 on internet-facing systems = patch within 7 days - CVSS 4.0-6.9 on internal systems = patch within 30 days - Compensating controls (WAF rules, network segmentation) as interim measures

Gotchas

  • Vulnerability scanners generate noise - automated findings require manual verification
  • Unauthenticated scans miss most local vulnerabilities (installed software, config issues)
  • CVSS scores do not account for your specific environment - a "Critical" finding on an isolated test server is not actually critical
  • Scanning production systems during business hours can cause performance degradation
  • "Zero-day" = no patch available yet; focus on compensating controls and detection
  • Patch deployment without testing can cause application breakage in production

See Also

  • [[information-security-fundamentals]] - risk management context
  • [[penetration-testing-methodology]] - vulnerability scanning in pentesting
  • [[compliance-and-regulations]] - scanning requirements (PCI DSS quarterly ASV)
  • [[siem-and-incident-response]] - vulnerability-related alerting