Understanding Vulnerability Scanning and Management

May 26, 2025

Vulnerability Scanning and Management

Key Concepts

  • False Positives

    • The scanner reports a vulnerability that does not actually exist.
    • Usually spotted when reviewing scan reports or log files.
    • Low or informational findings are sometimes dismissed as false positives, but they are still valid vulnerabilities.
  • False Negatives

    • A vulnerability exists but the scanning software does not detect it.
    • Leaves the vulnerability exploitable without the organization knowing it is there.
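The two definitions above can be made concrete by reconciling what a scanner reported against what an analyst confirmed by hand. The following is an added example, not part of the original notes or of any scanner product: all hosts, check names and the `CVE-0000-000N` identifiers are constructed placeholders.

```python
# Added example (not from the original notes): reconcile a scanner report
# against analyst-validated findings to separate true positives, false
# positives and false negatives, and to catch valid low/info findings that
# were wrongly dismissed as "false positive".
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str      # scanner check / signature name (constructed)
    severity: str   # critical, high, medium, low, info


def key(f: Finding):
    """Match findings on (host, check) only; severity may differ between sources."""
    return (f.host, f.check)


# Constructed scanner output.
SCAN_REPORT = [
    Finding("10.0.0.5", "CVE-0000-0001 (placeholder)", "critical"),
    Finding("10.0.0.5", "SSL certificate expired", "low"),
    Finding("10.0.0.7", "Outdated OpenSSH banner", "high"),   # banner only; fix backported
    Finding("10.0.0.9", "Directory listing enabled", "info"),
]

# Constructed ground truth after an analyst validated each host manually.
VALIDATED = [
    Finding("10.0.0.5", "CVE-0000-0001 (placeholder)", "critical"),
    Finding("10.0.0.5", "SSL certificate expired", "low"),
    Finding("10.0.0.9", "Directory listing enabled", "info"),
    Finding("10.0.0.9", "Default credentials on admin page", "critical"),  # missed by scanner
]


def reconcile(report, validated):
    """Return (true_positives, false_positives, false_negatives) as sorted (host, check) lists."""
    reported = {key(f) for f in report}
    confirmed = {key(f) for f in validated}
    true_positives = sorted(reported & confirmed)
    false_positives = sorted(reported - confirmed)   # reported, but not real
    false_negatives = sorted(confirmed - reported)   # real, but not reported
    return true_positives, false_positives, false_negatives


def wrongly_dismissed(dismissed, validated):
    """Items an analyst marked as false positive that validation confirmed as real.

    Low/info findings are the usual victims of this mislabelling."""
    confirmed = {key(f) for f in validated}
    return sorted(k for k in dismissed if k in confirmed)


if __name__ == "__main__":
    tp, fp, fn = reconcile(SCAN_REPORT, VALIDATED)
    print("true positives :", tp)
    print("false positives:", fp)
    print("false negatives:", fn)
    # Constructed: an analyst closed the expired-certificate finding as "FP".
    print("wrongly dismissed:", wrongly_dismissed([("10.0.0.5", "SSL certificate expired")], VALIDATED))
```

The false-negative list is the one to watch: those are the findings that stay exploitable with nobody aware of them, which is why keeping signatures current (next section) matters.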

Managing Vulnerability Scanning

  • Updating Signatures

    • Keep the scanning software's signatures up to date to minimize false positives and prevent false negatives.
  • Categorization by Severity

    • Vulnerabilities are categorized by severity as critical, high, low, or informational.
    • Critical vulnerabilities should be addressed first.
  • Public Vulnerability Lists

    • National Vulnerability Database (NVD) provides scoring via the Common Vulnerability Scoring System (CVSS).
    • CVSS scores range from 0 to 10, with 10 being the most critical.
    • Priorities can be set using these lists.

Vulnerability Score and Identification

  • Cross-referencing Databases

    • Validate and identify vulnerabilities using databases like CVE, NVD, and specific manufacturer databases.
    • Some vulnerabilities may not have a CVE, requiring additional research.
  • Types of Scans

    • Application scans for desktop and mobile apps.
    • Web application scans and network device scans.
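The severity banding and prioritization described under "Public Vulnerability Lists" and "Cross-referencing Databases" above can be expressed as a small triage routine. This is an added example, not code from the original notes or from NVD: the CVSS v3 qualitative bands it uses (None 0.0, Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0) are the published CVSS v3 rating scale, which also has a "Medium" band the notes do not list; the findings and their `CVE-0000-000N` ids are constructed placeholders.

```python
# Added example (not from the original notes): band CVSS base scores into the
# CVSS v3 qualitative ratings and order findings for remediation, setting aside
# anything without a score (no CVE / NVD entry yet) for manual research.

# CVSS v3 qualitative severity rating scale (upper bounds, inclusive).
_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

# Remediation order: critical first, informational-level last.
RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def cvss_rating(score: float) -> str:
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for upper, label in _BANDS:
        if score <= upper:
            return label
    return "Critical"  # unreachable; keeps type checkers happy


# Constructed scanner findings. A None score means the item has no CVE/NVD
# record yet (e.g. a vendor advisory only) and needs additional research.
SCAN_FINDINGS = [
    {"id": "CVE-0000-0001", "host": "web-01", "cvss": 9.8},
    {"id": "CVE-0000-0002", "host": "db-01", "cvss": 5.3},
    {"id": "CVE-0000-0003", "host": "web-01", "cvss": 7.5},
    {"id": "VENDOR-ADV-0004", "host": "fw-01", "cvss": None},   # placeholder vendor id
    {"id": "CVE-0000-0005", "host": "mail-01", "cvss": 3.1},
    {"id": "CVE-0000-0006", "host": "db-01", "cvss": 0.0},
]


def prioritize(findings):
    """Return (scored findings in remediation order, unscored findings needing research)."""
    scored, needs_research = [], []
    for f in findings:
        if f["cvss"] is None:
            needs_research.append(f)
            continue
        scored.append({**f, "rating": cvss_rating(f["cvss"])})
    # Sort by rating band, then by raw score (descending), then id for a stable report.
    scored.sort(key=lambda f: (RATING_ORDER[f["rating"]], -f["cvss"], f["id"]))
    return scored, needs_research


if __name__ == "__main__":
    ordered, unscored = prioritize(SCAN_FINDINGS)
    for f in ordered:
        print(f"{f['rating']:<9} {f['cvss']:>4}  {f['id']:<16} {f['host']}")
    print("needs research:", [f["id"] for f in unscored])
```

Unscored items are deliberately kept out of the ranked list rather than guessed at: a vendor advisory with no CVSS score could be anything from informational to critical, which is exactly why the notes call for additional research before it is ranked.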

Risk Management and Prioritization

  • Exposure Factor

    • Quantifies the expected loss from a vulnerability as a percentage of the affected asset's value.
    • Helps in understanding the risk a vulnerability actually poses to the organization.
  • Environmental Consideration

    • Prioritization depends on the environment, for example a public cloud deployment versus a private test lab.
  • Risk Tolerance

    • Determines which patch to prioritize, based on how much risk the organization is willing to accept.
    • Testing is crucial before deploying patches.
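To show how exposure factor, environment and risk tolerance combine into a patch priority, here is an added example that is not part of the original notes. It uses the standard quantitative risk formulas (single loss expectancy SLE = asset value × exposure factor, annualized loss expectancy ALE = SLE × annualized rate of occurrence); the asset values, exposure factors, rates and the "expedited versus standard" tolerance policy are constructed assumptions for illustration.

```python
# Added example (not from the original notes): rank vulnerabilities by
# annualized loss expectancy and apply an organizational risk tolerance to
# decide which patch goes through an expedited test-and-deploy track.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # asset value (AV) in currency units, constructed
    environment: str    # "public-cloud" or "private-lab" (constructed labels)


@dataclass(frozen=True)
class VulnRisk:
    asset: Asset
    vuln_id: str          # placeholder identifier
    exposure_factor: float  # EF: fraction of AV lost if exploited, 0.0-1.0
    aro: float              # annualized rate of occurrence, analyst estimate


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a proportion, so it must lie in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be 0.0-1.0, got {exposure_factor}")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def patch_track(ale: float, risk_tolerance: float) -> str:
    """Constructed policy: above tolerance -> expedited testing window; otherwise
    the standard patch cycle. Both tracks still test before deployment."""
    return "expedited" if ale > risk_tolerance else "standard"


# Constructed inventory. The internet-facing cloud asset gets a higher EF/ARO
# than the isolated lab box for the same class of flaw.
WEB = Asset("web-01", 500_000.0, "public-cloud")
DB = Asset("db-01", 800_000.0, "public-cloud")
LAB = Asset("lab-01", 20_000.0, "private-lab")

RISKS = [
    VulnRisk(WEB, "VULN-PLACEHOLDER-1", exposure_factor=0.60, aro=0.5),
    VulnRisk(LAB, "VULN-PLACEHOLDER-2", exposure_factor=0.90, aro=0.2),
    VulnRisk(DB, "VULN-PLACEHOLDER-3", exposure_factor=0.25, aro=0.1),
]


def plan(risks, risk_tolerance: float):
    """Return rows sorted by ALE (highest first) with the chosen patch track."""
    rows = []
    for r in risks:
        sle = single_loss_expectancy(r.asset.value, r.exposure_factor)
        ale = annualized_loss_expectancy(sle, r.aro)
        rows.append({
            "asset": r.asset.name,
            "environment": r.asset.environment,
            "vuln_id": r.vuln_id,
            "ef_percent": round(r.exposure_factor * 100),
            "sle": sle,
            "ale": ale,
            "track": patch_track(ale, risk_tolerance),
        })
    rows.sort(key=lambda row: -row["ale"])
    return rows


if __name__ == "__main__":
    for row in plan(RISKS, risk_tolerance=25_000.0):   # tolerance is a constructed figure
        print(f"{row['asset']:<7} {row['environment']:<13} EF={row['ef_percent']:>3}% "
              f"SLE={row['sle']:>10,.0f} ALE={row['ale']:>10,.0f} -> {row['track']}")
```

The lab asset has the highest exposure factor but the lowest loss in absolute terms, which is the point of the environmental consideration: the same flaw in a public cloud asset ranks far higher than in an isolated lab.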

Case Studies

  • Tallahassee Memorial Healthcare (February 2023)

    • A ransomware attack caused a two-week closure.
  • Power Generators (March 2019)

    • Distributed Denial of Service (DDoS) attacks affecting power generators in Salt Lake City and LA County.

Considerations for Patching

  • Prioritization of Patches

    • Based on risk tolerance and the impact of the vulnerability.
    • Testing is required to ensure patches work in the environment.
    • Balance thorough testing against quick deployment to minimize risk.