What is Vulnerability Management
Vulnerability management is a systematic process to keep track of, assess, and remediate security weaknesses in software, firmware, and configurations, whether in in-house or third-party products. Its goals are to:
- Maintain awareness of known flaws (CVE entries)
- Assess severity (using CVSS scores)
- Prioritize fixes according to risk, resource constraints and impact
- Deploy mitigations (patches, configuration changes, isolation)
- Verify that vulnerabilities have been resolved and monitor for new ones
Key Components and Processes
| Step | Description |
|---|---|
| Inventory | Maintain an up-to-date list of all hardware, OS, applications, services and firmware in use. |
| Discovery | Regularly scan systems (via network- or host-based tools) to detect versions and exposures. |
| Identification (CVE IDs) | Map discovered issues to CVE identifiers, which provide a unique label and link to detailed descriptions and references. |
| Scoring (CVSS) | Use the Common Vulnerability Scoring System (0-10) to quantify a flaw's base severity (attack vector, complexity, privileges), plus temporal and environmental modifiers. |
| Prioritization | Rank vulnerabilities by CVSS, business impact, exploit availability, and ease of remediation, so that limited resources target the highest risk first. |
| Remediation | Apply patches or updates; change configurations; remove or isolate the vulnerable component; or adopt compensating controls (e.g. network segmentation). |
| Verification and Reporting | Re-scan to confirm fixes, update tickets or dashboards, and document residual risk or accepted vulnerabilities. |
Databases and Standards
- CVE (Common Vulnerabilities and Exposures):
  - A catalogue of standardized IDs (CVE-yyyy-nnnn) assigned by authorities (CERTs, vendors, researchers) to every publicly known software flaw.
  - Exam question: What are CVE identifiers used for?
    Answer: CVE IDs uniquely label vulnerabilities for cross-referencing among databases and tools, enabling consistent tracking and coordination of fixes.
- NVD (National Vulnerability Database):
  - Builds on CVE by adding CVSS scores, impact metrics, and links to patches.
  - Exam question: What benefit do vulnerability databases have for IT operations?
    Answer: They centralize vulnerability details, severity ratings, and remediation guidance, helping operators quickly identify and prioritize issues in their environment.
- CVSS (Common Vulnerability Scoring System):
  - Base score (0-10) considers attack vector, complexity, privileges, interaction, scope, and CIA impact.
  - Temporal score adapts as exploit code matures and patches emerge.
  - Environmental score tailors severity to an organization's specific environment and business priorities.