IT AI Skill
Vulnerability Management
Manage vulnerability assessment and remediation programs including scanning, prioritization, risk scoring, patch management, and compliance reporting. Use when running vulnerability scans, prioritizing remediation, managing patch cycles, or generating compl...
Workflow
1. Vulnerability Scanning Program
VULNERABILITY SCANNING PROGRAM
═══════════════════════════════════════
Scan Types & Schedule:
═══════════════════════════════════════
Scan Type         Schedule    Scope              Tool             Auth
───────────────────────────────────────────────────────────────────────
External          Weekly      Internet-facing    Nessus/Qualys    Unauth
Internal          Bi-weekly   All internal IPs   Nessus/Tenable   Auth
Container         Per build   CI/CD pipeline     Trivy/Grype      N/A
Compliance        Monthly     PCI/HIPAA scope    Nessus/Qualys    Auth
Penetration Test  Quarterly   Full stack         Pentester        Auth
Web App           Monthly     Web apps           Burp/AWS WAF     Auth
DB Scanner        Monthly     Databases          Nessus DB        Auth
SCAN SCOPE:
═══════════════════════════════════════
External (Internet-Facing):
→ 45 public IPs
→ 12 load balancers
→ 3 web applications
→ 5 API endpoints
Internal:
→ 2,500 endpoints (workstations, servers)
→ 150 virtual machines
→ 80 cloud instances
→ 45 containers (production)
Authenticated Scans:
→ Windows: Domain admin account (read-only)
→ Linux: SSH key (sudo access)
→ Database: Service account (SELECT only)
→ Cloud: ReadOnly role (CloudTrail enabled)
2. Vulnerability Prioritization
VULNERABILITY PRIORITIZATION FRAMEWORK
═══════════════════════════════════════
Risk Scoring Formula:
═══════════════════════════════════════
Risk = CVSS × Exploitability × Business Impact × Exposure
CVSS (Common Vulnerability Scoring System):
→ Base: Technical severity (0.0 - 10.0)
→ Temporal: Fix availability, exploit code maturity
→ Environmental: Impact on specific environment
Exploitability Factors:
→ Public exploit code available? (+2 levels)
→ Active exploitation in wild? (+3 levels)
→ Proof-of-concept exists? (+1 level)
→ Exploited in recent breaches? (+2 levels)
Business Impact:
→ Critical system (payment, auth, customer data)
→ High system (internal tools, analytics)
→ Medium system (dev, test, staging)
→ Low system (legacy, decommissioning)
Exposure:
→ Internet-facing (+2 levels)
→ DMZ / Perimeter (+1 level)
→ Internal network (base)
→ Isolated network (-1 level)
PRIORITY TIERS:
═══════════════════════════════════════
Tier  SLA       CVSS    Exploitation    System    Example
──────────────────────────────────────────────────────────────────────
P1    24 hours  ≥ 9.0   Active          Critical  Log4Shell, PrintNightmare
P2    7 days    ≥ 7.0   Code available  Critical  RCE on internet-facing
P3    14 days   ≥ 5.0   Any             Critical  SQL injection, XSS
P4    30 days   ≥ 5.0   Any             Medium    Info disclosure
P5    90 days   < 5.0   None            Any       Low-risk findings
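The following script is an added example, not part of the original skill document, showing how the scoring factors and the tier table above combine into a remediation queue. The level adjustments (+2, +3, +1, -1) and the P1..P5 rows are taken from the page; mapping CVSS to a 0-4 level, treating any non-critical system at CVSS ≥ 5.0 as P4, and using the combined risk level only to order findings inside a tier are assumptions made for this example. The sample findings are constructed.

```python
"""Assign P1..P5 tiers and order the remediation queue using the
prioritization framework above.

Added example, not part of the original skill document. The level
adjustments and the tier table are taken from the page; the CVSS-to-level
mapping and the within-tier ordering are assumptions.
"""
from dataclasses import dataclass

# Exploitability adjustments from the framework ("+N levels").
EXPLOITABILITY_LEVELS = {"public_exploit": 2, "active_exploitation": 3,
                         "poc": 1, "recent_breaches": 2}
# Exposure adjustments from the framework.
EXPOSURE_LEVELS = {"internet": 2, "dmz": 1, "internal": 0, "isolated": -1}
# SLA per tier in hours, from the PRIORITY TIERS table.
TIER_SLA_HOURS = {"P1": 24, "P2": 7 * 24, "P3": 14 * 24, "P4": 30 * 24, "P5": 90 * 24}
TIER_ORDER = ("P1", "P2", "P3", "P4", "P5")


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    business_impact: str                      # "critical", "high", "medium" or "low"
    exposure: str                             # key of EXPOSURE_LEVELS
    exploitability: frozenset = frozenset()   # keys of EXPLOITABILITY_LEVELS


def cvss_level(cvss):
    """Assumption: one level per CVSS severity band (None=0, Low=1, Medium=2, High=3, Critical=4)."""
    if cvss >= 9.0:
        return 4
    if cvss >= 7.0:
        return 3
    if cvss >= 4.0:
        return 2
    return 1 if cvss > 0 else 0


def risk_level(f):
    """CVSS level plus the exploitability and exposure adjustments, clamped to 0..10."""
    level = cvss_level(f.cvss)
    level += sum(EXPLOITABILITY_LEVELS[k] for k in f.exploitability)
    level += EXPOSURE_LEVELS[f.exposure]
    return max(0, min(10, level))


def priority_tier(f):
    """Walk the PRIORITY TIERS table top down; the first matching row wins."""
    active = "active_exploitation" in f.exploitability
    code_available = bool(f.exploitability & {"public_exploit", "poc", "recent_breaches"})
    critical = f.business_impact == "critical"
    if f.cvss >= 9.0 and active and critical:
        return "P1"
    if f.cvss >= 7.0 and (active or code_available) and critical:
        return "P2"
    if f.cvss >= 5.0 and critical:
        return "P3"
    if f.cvss >= 5.0:          # assumption: any non-critical system at >= 5.0 is P4
        return "P4"
    return "P5"


def prioritize(findings):
    """Remediation queue: tier first (it sets the SLA), then risk level within the tier."""
    rows = [(priority_tier(f), risk_level(f), f.cve) for f in findings]
    return sorted(rows, key=lambda r: (TIER_ORDER.index(r[0]), -r[1]))


# Constructed sample findings; the CVE ids are placeholders like those in the report section.
SAMPLE = [
    Finding("CVE-2024-001", 9.8, "critical", "internet", frozenset({"active_exploitation", "public_exploit"})),
    Finding("CVE-2024-002", 8.5, "critical", "internet", frozenset({"public_exploit"})),
    Finding("CVE-2024-003", 7.2, "critical", "dmz"),
    Finding("CVE-2024-004", 6.5, "medium", "internal"),
    Finding("CVE-2024-005", 3.1, "low", "isolated", frozenset({"poc"})),
]

if __name__ == "__main__":
    for tier, level, cve in prioritize(SAMPLE):
        print(f"{tier}  risk={level:2}  SLA={TIER_SLA_HOURS[tier]:5}h  {cve}")
```

The tier decides the SLA clock; the risk level is deliberately kept out of the tier decision so that an analyst can see both why a finding landed in its tier and why it sits where it does in the queue.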
3. Patch Management
PATCH MANAGEMENT CYCLE
═══════════════════════════════════════
Windows Patch Cycle:
═══════════════════════════════════════
Week 1: Microsoft releases patches (Patch Tuesday)
Week 2: Test patches on lab systems
Week 3: Deploy to staging (10% of fleet)
Week 4: Deploy to production (remaining 90%)
Tools: WSUS / SCCM / Intune / Advanced Group Policy
Deployment rings:
→ Ring 0: Lab/VMs (immediate)
→ Ring 1: IT staff machines (Day 1)
→ Ring 2: Pilot group (Day 7)
→ Ring 3: Non-critical production (Day 14)
→ Ring 4: Critical production (Day 21)
Linux Patch Cycle:
═══════════════════════════════════════
Distribution   Tool                  Schedule           Reboot
────────────────────────────────────────────────────────────────────────
RHEL/CentOS    yum/dnf + Katello     Monthly (2nd Fri)  Required for kernel
Ubuntu         unattended-upgrades   Weekly (auto)      Required for kernel
Debian         apt + Ansible         Monthly            Required for kernel
Amazon Linux   yum + SSM             Bi-weekly          Required for kernel
Alpine         apk                   Weekly             Required for kernel
Security patches: Auto-apply (no reboot required where possible)
Kernel patches: Scheduled maintenance window
CLOUD PATCH MANAGEMENT:
═══════════════════════════════════════
→ AWS SSM Patch Manager (Windows + Linux)
→ Azure Update Manager (Windows + Linux)
→ GCP OS Config (Linux)
→ Container images: Rebuild on base image update
→ Serverless: Auto-updated by provider
→ AMI: Rebuild with Packer, replace instances
EMERGENCY PATCHING:
═══════════════════════════════════════
Trigger: Critical vulnerability (P1, active exploitation)
→ Skip staging testing
→ Deploy within 24 hours
→ Rollback plan ready
→ Communication to stakeholders
4. Vulnerability Reporting
VULNERABILITY REPORT
═══════════════════════════════════════
Executive Summary (Monthly):
═══════════════════════════════════════
Total vulnerabilities: 1,247
Open (overdue): 89
Remediated this month: 456
Average time to remediate: 18 days
By Severity:
→ Critical (CVSS ≥ 9.0): 12 (SLA: 24 hours)
→ High (CVSS 7.0-8.9): 45 (SLA: 7 days)
→ Medium (CVSS 4.0-6.9): 234 (SLA: 14 days)
→ Low (CVSS < 4.0): 956 (SLA: 90 days)
By Status:
→ Open: 297 (24%)
→ In Progress: 156 (13%)
→ Remediated: 794 (63%)
→ Accepted Risk: 22 (2%)
Top 10 Most Prevalent CVEs:
════════════════════════════════════════
Rank  CVE           CVSS  Affected Systems  SLA      Status
────────────────────────────────────────────────────────────────────
1     CVE-2024-001  9.8   45 servers        24h      In Progress
2     CVE-2024-002  8.5   32 workstations   7 days   Open
3     CVE-2024-003  7.8   28 VMs            7 days   Remediated
4     CVE-2024-004  7.2   15 containers     14 days  Open
5     CVE-2024-005  6.5   120 endpoints     30 days  In Progress
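The script below is an added example, not part of the original skill document, that rolls a list of per-asset scanner findings up into the executive-summary figures and the prevalent-CVE table shown above: totals by severity band, status breakdown with percentages, overdue count against the band SLA, remediations in the reporting month, mean time to remediate, and the most prevalent CVEs by distinct affected assets. The severity bands and SLAs are those of the "By Severity" section; the finding records, the report date and the worst-state precedence used to summarise a CVE spread over several assets are constructed for this example.

```python
"""Roll scanner findings up into the executive-summary figures above.

Added example, not part of the original skill document. The severity
bands and their SLAs come from the report's "By Severity" section; the
finding records are constructed sample data, one row per (asset, CVE).
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# (label, CVSS floor, SLA in days) from the "By Severity" section; 1 day is the 24h critical SLA.
SEVERITY_BANDS = [("Critical", 9.0, 1), ("High", 7.0, 7), ("Medium", 4.0, 14), ("Low", 0.0, 90)]
OPEN_STATES = ("Open", "In Progress")
# Worst-first precedence (assumption) used to summarise a CVE that is in different states per asset.
STATUS_PRECEDENCE = ("Open", "In Progress", "Accepted Risk", "Remediated")


def severity_band(cvss):
    """Return (label, sla_days) for a CVSS score."""
    for label, floor, sla in SEVERITY_BANDS:
        if cvss >= floor:
            return label, sla
    return "Low", 90


def sla_label(days):
    return "24h" if days == 1 else f"{days} days"


def is_overdue(finding, as_of):
    """Open findings whose SLA deadline (first seen + SLA) has passed by the report date."""
    if finding["status"] not in OPEN_STATES:
        return False
    _, sla = severity_band(finding["cvss"])
    return as_of > date.fromisoformat(finding["found"]) + timedelta(days=sla)


def build_summary(findings, as_of, top_n=5):
    month_start = as_of.replace(day=1)
    remediated = [f for f in findings if f["status"] == "Remediated"]
    closed_this_month = [f for f in remediated if date.fromisoformat(f["closed"]) >= month_start]
    ttr = [(date.fromisoformat(f["closed"]) - date.fromisoformat(f["found"])).days for f in remediated]

    by_severity = Counter(severity_band(f["cvss"])[0] for f in findings)
    status_counts = Counter(f["status"] for f in findings)
    by_status = {s: (n, round(100 * n / len(findings))) for s, n in status_counts.items()}

    per_cve = defaultdict(list)
    for f in findings:
        per_cve[f["cve"]].append(f)
    top = []
    for cve, rows in per_cve.items():
        cvss = max(r["cvss"] for r in rows)
        states = {r["status"] for r in rows}
        top.append({
            "cve": cve,
            "cvss": cvss,
            "affected": len({r["asset"] for r in rows}),
            "sla": sla_label(severity_band(cvss)[1]),
            "status": next(s for s in STATUS_PRECEDENCE if s in states),
        })
    top.sort(key=lambda r: (-r["affected"], -r["cvss"]))

    return {
        "total": len(findings),
        "overdue": sum(is_overdue(f, as_of) for f in findings),
        "remediated_this_month": len(closed_this_month),
        "mttr_days": round(sum(ttr) / len(ttr), 1) if ttr else None,
        "by_severity": dict(by_severity),
        "by_status": by_status,
        "top_cves": top[:top_n],
    }


# Constructed sample findings (ISO dates; the CVE ids are placeholders, as in the report above).
FINDINGS = [
    {"cve": "CVE-2024-001", "asset": "srv-01", "cvss": 9.8, "found": "2024-11-20", "status": "Open", "closed": None},
    {"cve": "CVE-2024-001", "asset": "srv-02", "cvss": 9.8, "found": "2024-11-29", "status": "In Progress", "closed": None},
    {"cve": "CVE-2024-002", "asset": "ws-07", "cvss": 8.5, "found": "2024-11-10", "status": "Remediated", "closed": "2024-11-20"},
    {"cve": "CVE-2024-002", "asset": "ws-08", "cvss": 8.5, "found": "2024-11-25", "status": "Open", "closed": None},
    {"cve": "CVE-2024-003", "asset": "vm-03", "cvss": 7.8, "found": "2024-10-15", "status": "Remediated", "closed": "2024-11-04"},
    {"cve": "CVE-2024-004", "asset": "ctr-11", "cvss": 7.2, "found": "2024-10-20", "status": "Open", "closed": None},
    {"cve": "CVE-2024-005", "asset": "ep-100", "cvss": 6.5, "found": "2024-11-01", "status": "In Progress", "closed": None},
    {"cve": "CVE-2024-006", "asset": "ep-101", "cvss": 3.1, "found": "2024-09-01", "status": "Accepted Risk", "closed": None},
    {"cve": "CVE-2024-005", "asset": "ep-102", "cvss": 6.5, "found": "2024-10-01", "status": "Remediated", "closed": "2024-10-25"},
]

if __name__ == "__main__":
    s = build_summary(FINDINGS, date(2024, 11, 30))
    print(f"Total: {s['total']}  Overdue: {s['overdue']}  Remediated this month: "
          f"{s['remediated_this_month']}  MTTR: {s['mttr_days']} days")
    for row in s["top_cves"]:
        print(f"{row['cve']:14} {row['cvss']:4} {row['affected']:3} assets  {row['sla']:8} {row['status']}")
```

Counting overdue items from the first-seen date rather than the ticket creation date is deliberate: the SLA clock should not restart when a finding is re-ticketed.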
COMPLIANCE REPORT:
═══════════════════════════════════════
Standard    Requirement                      Status  Gap
────────────────────────────────────────────────────────────────────
PCI-DSS     Vuln scan quarterly              ✓ Met   —
PCI-DSS     Remediate critical within 30d    ✓ Met   —
PCI-DSS     Web app scan                     ✓ Met   —
SOC 2       Patch management process         ✓ Met   —
HIPAA       Vulnerability management         ✓ Met   —
ISO 27001   A.12.6.1 Malware protection      ✓ Met   —
NIST CSF    PR.IP-12 Vulnerability Mgmt      ✓ Met   —
5. Risk Acceptance & Exceptions
RISK ACCEPTANCE PROCESS
═══════════════════════════════════════
When to Accept Risk:
═══════════════════════════════════════
→ Patch unavailable
→ Patch causes incompatibility (tested)
→ Vulnerability not exploitable in environment
→ Remediation cost > risk (documented)
→ Legacy system (migration planned)
Approval Matrix:
═══════════════════════════════════════
CVSS      Required Approver   Duration  Review
────────────────────────────────────────────────────────
≥ 9.0     CISO + CEO          30 days   Monthly
7.0-8.9   CISO                90 days   Quarterly
4.0-6.9   Security Manager    180 days  Semi-annual
< 4.0     Security Engineer   1 year    Annual
Risk Acceptance Form:
═══════════════════════════════════════
→ CVE ID and description
→ Affected systems (list)
→ CVSS score
→ Reason for acceptance
→ Compensating controls
→ Migration/remediation plan (timeline)
→ Approver signature
→ Review date
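As an added example that is not part of the original skill document, the script below checks a risk-acceptance form for the fields listed above, routes it to the approvers required by the Approval Matrix for its CVSS band, derives the expiry and review cadence from the matrix duration, and flags acceptances that are expired or coming up for renewal. The approvers, durations and review cadences are those of the matrix; the request records, the field names and the 30-day renewal warning window are constructed for this example.

```python
"""Validate, route and track risk-acceptance requests against the
Approval Matrix and Risk Acceptance Form above.

Added example, not part of the original skill document. Matrix values
come from the page; request records, field names and the renewal
warning window are constructed.
"""
from datetime import date, timedelta

# (CVSS floor, required approvers, duration in days, review cadence) from the Approval Matrix.
APPROVAL_MATRIX = [
    (9.0, ("CISO", "CEO"), 30, "Monthly"),
    (7.0, ("CISO",), 90, "Quarterly"),
    (4.0, ("Security Manager",), 180, "Semi-annual"),
    (0.0, ("Security Engineer",), 365, "Annual"),
]

# Fields of the Risk Acceptance Form; the approver signature is checked separately against the matrix.
REQUIRED_FIELDS = ("cve", "description", "affected_systems", "cvss", "reason",
                   "compensating_controls", "remediation_plan", "approved_on")


def matrix_row(cvss):
    """Return (approvers, duration_days, review_cadence) for a CVSS score."""
    for floor, approvers, days, cadence in APPROVAL_MATRIX:
        if cvss >= floor:
            return approvers, days, cadence
    return APPROVAL_MATRIX[-1][1:]


def validate(req):
    """List the problems with a form; an empty list means it is complete and correctly signed."""
    problems = [f"missing {k}" for k in REQUIRED_FIELDS if not req.get(k)]
    if req.get("cvss") is not None:
        required, _, _ = matrix_row(req["cvss"])
        unsigned = [a for a in required if a not in req.get("approved_by", ())]
        if unsigned:
            problems.append("needs signature from " + ", ".join(unsigned))
    return problems


def schedule(req):
    """Expiry date and review cadence from the approval date and the matrix duration."""
    _, days, cadence = matrix_row(req["cvss"])
    approved = date.fromisoformat(req["approved_on"])
    return {"expires": approved + timedelta(days=days), "review": cadence}


def renewals_due(requests, as_of, window_days=30):
    """(id, expiry, state) for acceptances already expired or expiring inside the warning window."""
    due = []
    for r in requests:
        expires = schedule(r)["expires"]
        if expires <= as_of + timedelta(days=window_days):
            due.append((r["id"], expires.isoformat(), "expired" if expires < as_of else "expiring"))
    return due


# Constructed sample requests; CVE ids are placeholders like those in the report section.
REQUESTS = [
    {"id": "RA-001", "cve": "CVE-2024-001", "description": "Auth bypass in vendor appliance",
     "affected_systems": ["vpn-gw-01"], "cvss": 9.8, "reason": "Patch unavailable",
     "compensating_controls": "Admin interface restricted to management VLAN",
     "remediation_plan": "Vendor fix expected Q1", "approved_on": "2024-11-15",
     "approved_by": ["CISO", "CEO"]},
    {"id": "RA-002", "cve": "CVE-2024-003", "description": "Kernel privilege escalation",
     "affected_systems": ["legacy-db-02"], "cvss": 7.5, "reason": "Legacy system (migration planned)",
     "compensating_controls": "Isolated network segment, no interactive logins",
     "remediation_plan": "Decommission by end of year", "approved_on": "2024-08-01",
     "approved_by": ["CISO"]},
    {"id": "RA-003", "cve": "CVE-2024-005", "description": "Info disclosure in internal tool",
     "affected_systems": ["analytics-01"], "cvss": 5.0, "reason": "Not exploitable in environment",
     "compensating_controls": "Internal-only, authenticated users",
     "remediation_plan": "Upgrade in next release", "approved_on": "2024-10-01",
     "approved_by": ["Security Manager"]},
    {"id": "RA-004", "cve": "CVE-2024-006", "description": "Verbose error page",
     "affected_systems": ["ep-101"], "cvss": 2.0, "reason": "Remediation cost > risk",
     "compensating_controls": "", "remediation_plan": "Track in backlog",
     "approved_on": "2024-02-01", "approved_by": ["Security Manager"]},
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r["id"], validate(r) or "ok", schedule(r))
    print("Pending renewal:", renewals_due(REQUESTS, date(2024, 11, 30)))
```

The signature check insists on exactly the approvers the matrix names, so a form signed by a different role (even a senior one) is reported rather than silently accepted; that keeps the audit trail aligned with the documented matrix.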
Edge Cases
- End-of-life systems: No patches available (isolate or replace)
- Custom software: No vendor patches (internal fix)
- Embedded/IoT: Cannot patch (network isolation)
- Zero-day: No fix available (virtual patching, WAF)
- False positives: Validation and exclusion process
Integration Points
- Scanners: Nessus, Qualys, Tenable, OpenVAS, Trivy
- SIEM: Splunk, Sentinel, QRadar
- CMDB: ServiceNow, Jira Service Management
- Ticketing: Jira, ServiceNow, Remedy
- Patch tools: WSUS, SCCM, SSM, Ansible
- Threat intel: MISP, VirusTotal, AlienVault OTX
Output
Vulnerability Management Status
VULNERABILITY MANAGEMENT — Q4 2024
═══════════════════════════════════════
Open vulnerabilities: 297 (↓ 45% from Q3)
Overdue (P1/P2): 8 (↓ from 23)
MTTR: 18 days (target: 14 days)
Scan coverage: 100% of in-scope assets
Compliance: All standards met
Risk acceptances: 22 (3 pending renewal)
Top action items:
→ Remediate 12 critical vulns (24h SLA)
→ Patch 45 high-risk endpoints
→ Renew 3 expiring risk acceptances