We covered vulnerability management, vulnerability scanning, vulnerability management frameworks and the lifecycle of a vulnerability management program, which starts with discover, continues through prioritize, assess and report, and ends with remediate. We used OpenVAS as an open-source vulnerability scanner to demonstrate scanning assets for vulnerabilities and reporting the findings, classifying each vulnerability by severity and CVSS score.

What is Vulnerability Management

Vulnerability management is an ongoing, structured process within cybersecurity programs aimed at identifying, assessing, prioritizing, and remediating security vulnerabilities across digital assets. It integrates with risk management and includes more than just automated scanning; it is a strategic approach involving multiple departments.

Distinction Between Vulnerability Scanning and Management

While vulnerability scanning uses tools to detect weaknesses, vulnerability management encompasses an end-to-end process. It includes asset inventory, choosing the appropriate tools (like OpenVAS or commercial options), deciding which threats to fix or accept, and ensuring long-term mitigation planning.

Tools for Vulnerability Scanning

Commercial: Nessus, Nexpose

Open-Source: OpenVAS, OWASP ZAP

Although tools like Nmap are also viable, the tutorial centers on OpenVAS. The demonstrations show how to add targets, initiate scans, and analyze the outcomes in that software.

CVE-Based Classification

Vulnerabilities are standardized using CVE (Common Vulnerabilities and Exposures) IDs. Each ID is made up of the year in which it was assigned and a sequence number. The CVEDetails website can be used to look up a specific CVE and read off its key attributes, such as access complexity and the affected software versions.

Understanding and Using CVSS Scores

CVSS scores, such as 4.6 (medium) or 2.1 (low), quantify the severity and exploitability of each vulnerability. These scores help determine which issues to tackle first. High-severity vulnerabilities are prioritized for immediate remediation, while low-risk ones may be accepted with monitoring.

Implementing the NIST Cybersecurity Framework (CSF)

The NIST CSF is presented as a foundational guide for organizing vulnerability management workflows. It is built around the functions Identify, Protect, Detect, Respond, and Recover, and serves as the reference point for designing enterprise-grade security strategies.

Vulnerability Management Lifecycle in Detail

Discover: Identify all assets in the network, from servers to IoT devices. Scan these for known vulnerabilities.

Prioritize: Rank discovered vulnerabilities based on CVSS scores and asset criticality.

Assess: Evaluate business impact and decide on remediation urgency.

Report: Compile findings in structured formats like PDFs for audits or team coordination.

Remediate: Apply security patches, workarounds, or compensating controls. This might include OS upgrades or disabling vulnerable services.
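To make the CVE ID format, the CVSS severity bands and the Prioritize step concrete, here is a small added Python example (not code from the room or from OpenVAS). It assumes the three-tier bands OpenVAS reports use (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-10.0, with 0.0 logged only) and a hypothetical 1-5 asset criticality assigned by the asset owner; the findings and all CVE IDs other than the page's fictional CVE-2023-2022 are constructed.

```python
import re
from dataclasses import dataclass

# A CVE ID is "CVE-<assignment year>-<sequence number>"; the sequence has at least 4 digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def cve_year(cve_id: str) -> int:
    """Return the year component of a CVE ID, e.g. CVE-2023-2022 -> 2023."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a valid CVE ID: {cve_id!r}")
    return int(m.group(1))


def severity_rating(score: float) -> str:
    """Map a CVSS base score to the rating OpenVAS shows (assumed bands, see lead-in)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "Log"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


@dataclass
class Finding:
    host: str
    cve_id: str
    cvss: float
    asset_criticality: int  # hypothetical 1 (lab box) .. 5 (business-critical system)


def risk_score(f: Finding) -> float:
    """Prioritisation key: CVSS weighted by asset criticality, as the Prioritize step describes."""
    return f.cvss * f.asset_criticality


def prioritize(findings):
    """Return findings ordered highest-risk first, so remediation starts at the top."""
    return sorted(findings, key=risk_score, reverse=True)


def summarize(findings):
    """Count findings per rating, like the High/Medium/Low totals in a scan report header."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Log": 0}
    for f in findings:
        counts[severity_rating(f.cvss)] += 1
    return counts


# Constructed sample findings (fictional IDs and scores, not the LinuxAppTask results).
SAMPLE = [
    Finding("10.0.0.5", "CVE-2023-2022", 4.6, 2),
    Finding("10.0.0.7", "CVE-2024-0000", 2.1, 5),
    Finding("10.0.0.9", "CVE-2022-0000", 7.5, 3),
]
```

Running `prioritize(SAMPLE)` shows that a low-scoring finding on a critical asset can outrank a medium one on a lab host, which is exactly the judgement the Prioritize and Assess steps ask for.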

Vulnerability Scanning with OpenVAS

The video tutorial at the end walks through setting up a new scan:

  1. Define asset (host) and IP address
  2. Add targets via manual entry or file upload
  3. Configure scanning task and schedule
  4. Launch scan and review results in the reports tab
  5. Download report and interpret detailed breakdowns (e.g., severity, detection method, references)

In one scan example, OpenVAS found one high, one medium, and two low vulnerabilities on a host. Each vulnerability entry included:

  • Description and CVE ID
  • Severity score
  • Potential impact
  • Solution (patch, mitigation, workaround)
  • Detection method and affected products

TryHackMe Vulnerability Management Room Answers

The process encompassing vulnerability scanning and other factors, such as risk acceptance, is called?

Is the overall objective of vulnerability management to increase an organisation’s risk exposure? (yea/nay)

What is the CVSS for CVE-2013-1048?

What is the Access Complexity for CVE-2013-1048?

With the fictional CVE-2023-2022, what would the CVE ID assign year be?

We have already scanned an Ubuntu machine; therefore, answer the following questions based on the scan report of LinuxAppTask task.

After scanning, what is the total number of medium-level vulnerabilities?

What is the severity score for the vulnerability “ICMP Timestamp Reply Information Disclosure”?

What is the operating system and the version number of the target machine?

Download the LinuxAppTask report in PDF format. What is the severity rating of the vulnerability in the report where the solution type is “Workaround”?

What is the solution type for the “TCP timestamps” vulnerability?

What is the CVE for “ICMP Timestamp Reply Information Disclosure”?

The process of listing vulnerabilities as per their order of priority is called?

Which phase entails updating and strengthening resilience plans and restoring any compromised capabilities or services caused by a cybersecurity event?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.