Vulnerability Management Lifecycle
What the Exam Is Really Testing
Any automated scanner can produce a list of vulnerabilities. Run one against a corporate network and you will get hundreds, maybe thousands, of findings. The hard part is not the discovery — it is everything that comes after. Which ones matter most? What do you patch first? What do you do when a patch is not available yet?
Finding vulnerabilities is easy. Managing them — prioritizing, remediating, verifying, and repeating — is the actual discipline.
The exam tests the full lifecycle: scanning, scoring, disclosure, patching, and compensating controls. It also tests whether you know the difference between a vulnerability assessment and a penetration test, and when each one is the right call.
Vulnerability Scanning
Vulnerability scanning is the automated process of identifying known weaknesses in systems, applications, and configurations. Scanners compare system attributes against databases of known vulnerabilities.
Credentialed vs. Non-Credentialed Scans
- Credentialed (authenticated) — The scanner logs into the system with valid credentials. It can see installed software versions, registry settings, patch levels, and local configurations. Produces more accurate, comprehensive results with fewer false positives.
- Non-credentialed (unauthenticated) — The scanner probes from outside without logging in, seeing only what is exposed on the network. Faster to set up but produces more false positives and misses internal vulnerabilities.
For the exam: credentialed scans are always more accurate and thorough. If a question asks about reducing false positives or getting complete results, credentialed scanning is the answer.
Internal vs. External Scans
- Internal scans — Run from inside the network. They identify vulnerabilities visible to internal users and to attackers who have already breached the perimeter.
- External scans — Run from outside the network (often by a third party). They show what is exposed to the internet. Required by compliance frameworks like PCI DSS.
A complete vulnerability management program runs both. External scans alone miss internal threats; internal scans alone miss what attackers see from outside.
CVE and CVSS Scoring
CVE (Common Vulnerabilities and Exposures)
CVE is a standardized naming system for publicly known vulnerabilities. Each vulnerability receives a unique identifier (e.g., CVE-2024-12345) that allows consistent reference across tools, vendors, and organizations.
CVSS (Common Vulnerability Scoring System)
CVSS assigns a numerical severity score from 0.0 to 10.0 based on multiple factors:
- Base score — Intrinsic characteristics of the vulnerability (attack vector, complexity, privileges required, impact on confidentiality/integrity/availability)
- Temporal score — Factors that change over time (exploit code availability, patch availability, report confidence)
- Environmental score — Factors specific to your organization (how critical the affected system is to your business)
CVSS severity ratings:
- Critical: 9.0 – 10.0
- High: 7.0 – 8.9
- Medium: 4.0 – 6.9
- Low: 0.1 – 3.9
For the exam: CVSS base scores do not account for your specific environment. Prioritization should consider the environmental context — a medium-severity vulnerability on a critical system may demand faster remediation than a high-severity vulnerability on an isolated test server.
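As an added example (not part of this study guide), the Python below maps scores to the severity bands above and then ranks constructed scan findings by business context instead of base score alone, keeping unverified findings aside for a credentialed re-check. The 1..5 asset-criticality scale, the weighting in priority_score and the CVE ids are assumptions, not the official CVSS environmental formula or real vulnerabilities.

```python
from dataclasses import dataclass
BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

def cvss_rating(score: float) -> str:
    """Map a CVSS score to the severity bands listed above."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "None"  # 0.0 is rated "None" in the CVSS spec; the table above starts at 0.1

@dataclass
class Finding:
    cve: str                 # placeholder ids in the sample below, not real CVEs
    host: str
    cvss_base: float
    asset_criticality: int   # assumed 1..5 scale: 1 = isolated test box, 5 = public-facing payment system
    exploit_public: bool     # temporal factor: exploit code is publicly available
    patch_available: bool
    confirmed: bool          # validated by a credentialed scan or manual check

def priority_score(f: Finding) -> float:
    """Assumed weighting, not the CVSS environmental formula: base x criticality/5, x1.25 if exploit public."""
    score = f.cvss_base * (f.asset_criticality / 5)
    return min(score * 1.25 if f.exploit_public else score, 10.0)

def remediation(f: Finding) -> str:
    """Patch through change control when possible; otherwise compensate until a patch ships."""
    if f.patch_available:
        return "test, approve, deploy patch, verify"
    return "compensating controls: segment, WAF/IPS virtual patch, extra monitoring"

def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Rank confirmed findings by priority; send unverified ones back for a credentialed re-scan."""
    confirmed = sorted((f for f in findings if f.confirmed), key=priority_score, reverse=True)
    unverified = [f for f in findings if not f.confirmed]
    return confirmed, unverified

# Constructed sample scan output (CVE ids are placeholders)
SAMPLE = [
    Finding("CVE-0000-0001", "test-db-01", 8.1, 1, False, True, True),    # High on isolated test box
    Finding("CVE-0000-0002", "pay-web-01", 5.9, 5, True, False, True),    # Medium on payment server, no patch yet
    Finding("CVE-0000-0003", "lab-vm-07", 9.6, 1, True, True, True),      # Critical on air-gapped lab VM
    Finding("CVE-0000-0004", "file-srv-02", 7.5, 3, False, True, False),  # unverified non-credentialed hit
]

if __name__ == "__main__":
    for f in triage(SAMPLE)[0]:
        print(f.cve, f.host, cvss_rating(f.cvss_base), round(priority_score(f), 1), remediation(f))
```

Run as written, the medium-severity finding on the payment server comes out first and the critical finding on the air-gapped lab VM second, which is the ordering the paragraph above argues for.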
Penetration Testing
Penetration testing goes beyond scanning. It actively attempts to exploit vulnerabilities to determine real-world impact.
Penetration Testing Phases
- Planning and scoping — Define rules of engagement, targets, boundaries, and authorization
- Reconnaissance — Gather information (passive and active) about the target
- Scanning and enumeration — Identify live hosts, open ports, services, and potential vulnerabilities
- Exploitation — Attempt to exploit identified vulnerabilities to gain access
- Post-exploitation — Determine what an attacker could do after gaining access (lateral movement, privilege escalation, data exfiltration)
- Reporting — Document findings, risk ratings, and remediation recommendations
Testing Approaches
- Black box — Tester has no prior knowledge of the environment. Simulates an external attacker.
- White box — Tester has full knowledge (network diagrams, source code, credentials). Most thorough.
- Gray box — Tester has partial knowledge. Simulates an insider or attacker with some reconnaissance.
Vulnerability Assessment vs. Penetration Test
- Vulnerability assessment — Identifies and catalogs vulnerabilities. Does not exploit them. Broader scope, less depth.
- Penetration test — Attempts to exploit vulnerabilities to prove real-world impact. Narrower scope, greater depth.
Both are necessary. Assessments provide breadth; penetration tests provide proof.
Vulnerability Disclosure
When vulnerabilities are discovered, how they are communicated matters:
- Responsible disclosure — The researcher privately notifies the vendor, gives them time to develop a patch, then publishes the vulnerability after the fix is available. The industry standard.
- Full disclosure — The researcher publishes the vulnerability publicly, often immediately. Forces rapid vendor response but exposes users to risk before patches exist.
- Bug bounty programs — Organizations pay researchers who responsibly report vulnerabilities. Incentivizes ethical disclosure over black market sales.
Patch Management
Patching is the primary remediation method for known vulnerabilities. An effective patch management lifecycle includes:
- Identification — Monitor vendor releases and vulnerability feeds for applicable patches
- Evaluation — Assess the patch's relevance and urgency for your environment
- Testing — Deploy in a test environment to verify it does not break functionality
- Approval — Obtain change control approval for production deployment
- Deployment — Roll out to production systems, often in phases
- Verification — Confirm patches were successfully applied and vulnerabilities resolved
Compensating Controls
When a patch cannot be applied immediately (compatibility issues, system availability requirements, vendor delay), compensating controls reduce risk:
- Network segmentation to isolate vulnerable systems
- Additional monitoring and alerting
- Firewall rules blocking the attack vector
- Disabling the vulnerable feature or service
- Virtual patching through WAF or IPS rules
Compensating controls are temporary measures. They reduce risk but do not eliminate the vulnerability.
Pattern Recognition
When you see vulnerability management questions, look for these patterns:
- Too many false positives = switch to credentialed scanning
- Need to prove exploitability = penetration test, not vulnerability scan
- CVSS score alone for prioritization = incomplete; consider environmental context
- Cannot patch immediately = implement compensating controls
- Compliance requirement for external view = external scan by third party
- Researcher finds a vulnerability = responsible disclosure to vendor first
Trap Patterns
Watch for these distractors:
- "Patch everything immediately" — Untested patches in production cause outages. Testing is required.
- "Run an external scan only" — Internal scans are equally important; attackers already inside see different things.
- "High CVSS score means patch first" — Context matters. A critical vulnerability on an air-gapped test system may be lower priority than a medium vulnerability on a public-facing payment server.
- "Vulnerability scan found it, so it must be real" — False positives exist. Verification (especially with credentialed scanning) is necessary.
Scenario Practice
Question 1
A vulnerability scan reports a critical vulnerability on a production database server, but the system owner claims the vulnerable component is not installed.
What should the security team do FIRST?
A. Immediately apply the patch recommended by the scanner
B. Validate the finding with a credentialed scan or manual verification
C. Mark the vulnerability as a false positive and close the ticket
D. Escalate to management for emergency patching authorization
Answer & reasoning
Correct: B
Scan results should be validated before action. A credentialed scan or manual verification will confirm whether the vulnerable component is actually present. Non-credentialed scans frequently produce false positives.
Patching without verification wastes time. Closing without verification leaves potential risk unaddressed.
Question 2
A critical vulnerability is identified on a production web server, but the vendor has not yet released a patch. The system cannot be taken offline.
What is the BEST course of action?
A. Accept the risk and wait for the vendor patch
B. Implement compensating controls such as WAF rules and network segmentation
C. Rebuild the server with a different operating system
D. Disable the web server until the patch is available
Answer & reasoning
Correct: B
When patching is not possible, compensating controls reduce the risk. WAF rules can block known exploit patterns, and network segmentation limits the blast radius if exploitation occurs.
Simply accepting the risk provides no protection. Disabling the server contradicts the requirement that it cannot go offline. Rebuilding is disproportionate.
Question 3
An organization needs to determine whether its vulnerabilities can actually be exploited by an external attacker to access sensitive data.
What type of assessment is MOST appropriate?
A. Internal vulnerability scan
B. External vulnerability scan
C. Penetration test
D. Configuration audit
Answer & reasoning
Correct: C
A penetration test actively exploits vulnerabilities to demonstrate real-world impact, including whether an attacker can actually reach sensitive data. Vulnerability scans identify potential weaknesses but do not prove exploitability.
The question specifically asks about proving exploitation and data access, which requires active testing.
Key Takeaway
What the exam is really after:
Vulnerability management is a continuous cycle, not a one-time scan. The value is not in finding vulnerabilities — it is in systematically reducing them over time.
Before answering vulnerability management questions, ask:
- Is the scan credentialed or uncredentialed? (accuracy)
- Are we identifying or exploiting? (assessment vs. pen test)
- Can we patch now, or do we need compensating controls? (timing)
- Are we prioritizing by score alone, or by business context? (risk management)
The best vulnerability management program is the one that consistently closes the gap between discovery and remediation.