Vulnerability Management and Scanning

Vulnerability Management and Scanning: CompTIA Security+ Guide

Understanding Vulnerability Management and Scanning

Why Vulnerability Management and Scanning Is Important

Vulnerability management and scanning form the backbone of any proactive security program. In today's threat landscape, organizations face thousands of potential security weaknesses across their infrastructure. Without systematic identification and remediation of these vulnerabilities, attackers can exploit them to gain unauthorized access, steal data, or disrupt operations.

Key reasons this is critical:

• Proactive Defense: Finding vulnerabilities before attackers do prevents breaches rather than responding to them
• Compliance Requirements: Many regulatory frameworks (PCI DSS, HIPAA, SOC 2) mandate regular vulnerability scanning
• Risk Quantification: Scanning provides data to prioritize security investments and resource allocation
• Patch Management Foundation: You cannot patch what you don't know exists
• Asset Discovery: Scanning reveals unknown systems on your network
• Incident Prevention: Reducing your attack surface minimizes breach likelihood

What Is Vulnerability Management?

Vulnerability management is a continuous, systematic process of identifying, evaluating, classifying, remediating, and reporting on security weaknesses in systems, applications, and networks.

It is not a one-time activity but rather a cyclical process that includes:

• Discovery: Finding vulnerabilities through scanning and assessment
• Analysis: Understanding the severity and business impact
• Prioritization: Ranking which vulnerabilities to fix first
• Remediation: Patching, configuring, or mitigating identified issues
• Verification: Confirming that fixes were successful
• Reporting: Documenting findings for stakeholders

What Is Vulnerability Scanning?

Vulnerability scanning is the automated technical process of probing systems, networks, and applications to identify known security weaknesses.

Scanning is a component of the larger vulnerability management program. It provides the raw data that feeds the management process.

How Vulnerability Scanning Works

Scanning Process Overview:

1. Scope Definition: Determine what systems, networks, or applications to scan (IP ranges, domains, specific hosts)
2. Tool Configuration: Select appropriate scanners and configure scan parameters (intensity, plugins, credentials)
3. Scan Execution: The scanner sends probes to target systems looking for known vulnerabilities
4. Response Analysis: Systems respond with information about open ports, services, and versions
5. Signature Matching: Scanner compares responses against vulnerability databases
6. Results Generation: Produces a report of discovered vulnerabilities with severity ratings

Types of Vulnerability Scans

Credentialed Scans (Authenticated):

• Performed with valid user credentials
• Provides deeper, more accurate results
• Can assess patch levels, configurations, and installed software
• Less likely to trigger security alerts
• Recommended for internal network scanning

Non-Credentialed Scans (Unauthenticated):

• Performed without login credentials
• Only sees what an external attacker would see
• Useful for testing external network perimeter
• May trigger intrusion detection alerts
• Cannot assess internal system configurations

Web Application Scanning:

• Specialized tools for finding web vulnerabilities (SQL injection, XSS, CSRF)
• Can perform dynamic analysis of running applications
• Examples: OWASP ZAP, Burp Suite

Network Vulnerability Scanning:

• Scans network infrastructure (routers, firewalls, switches)
• Identifies open ports and exposed services
• Examples: Nessus, Qualys, OpenVAS

Common Vulnerability Scanning Tools

Nessus: Industry-leading vulnerability scanner with extensive vulnerability database and reporting capabilities

Qualys: Cloud-based scanning platform with continuous monitoring features

OpenVAS: Open-source vulnerability scanner

Rapid7 Nexpose: Focuses on asset-based vulnerability management

Microsoft Baseline Security Analyzer (MBSA): Scans Windows systems for missing patches and security misconfigurations

OWASP ZAP: Web application security scanning tool

Vulnerability Severity and CVSS Scoring

Common Vulnerability Scoring System (CVSS): A standardized framework for assessing vulnerability severity

• Critical (9.0-10.0): Immediately addressable, requires urgent patching
• High (7.0-8.9): Significant risk, should be patched soon
• Medium (4.0-6.9): Moderate risk, patch in normal maintenance window
• Low (0.1-3.9): Minimal risk, address during regular updates

Key Vulnerability Management Concepts

False Positives: Scan results indicating a vulnerability that doesn't actually exist. Requires manual verification.

False Negatives: Real vulnerabilities that the scanner missed. Why scanning needs to be comprehensive and repeated.

Scan Frequency: How often to scan depends on risk tolerance and environment change rate. Internal systems might be scanned monthly or quarterly; external-facing systems more frequently (weekly or continuous).

Remediation Prioritization: Focus on:

• Critical and high-severity vulnerabilities first
• Vulnerabilities on systems handling sensitive data
• Vulnerabilities in internet-facing systems
• Known, actively exploited vulnerabilities
• Vulnerabilities with readily available exploits

Baseline Scanning: Initial comprehensive scan to establish current state, then incremental scans to identify new vulnerabilities.

Integration with Patch Management

Vulnerability scanning identifies what needs to be patched, but patch management is the process of actually applying fixes. The cycle works like this:

1. Scan identifies vulnerabilities
2. Patches are released by vendors
3. Patches are tested in non-production environments
4. Patches are deployed according to prioritization
5. Follow-up scanning verifies patches were successful

Limitations of Vulnerability Scanning

• Only finds known vulnerabilities: Zero-day exploits won't be detected
• Can generate false positives: Requires manual verification
• Resource intensive: Comprehensive scans can impact network performance
• Requires expertise: Interpreting results and prioritizing remediation needs experienced personnel
• Cannot detect logical vulnerabilities: Business logic flaws may not show up in scans
• Must be kept current: Scanning databases need regular updates to detect new vulnerabilities

Best Practices for Vulnerability Management and Scanning

• Establish a documented vulnerability management policy: Define scope, frequency, remediation timelines
• Maintain an asset inventory: Know what systems need to be scanned
• Use both credentialed and non-credentialed scans: Get complete picture of your security posture
• Scan regularly: At minimum quarterly, but continuous scanning preferred
• Verify results: Manually confirm critical findings before declaring them valid
• Prioritize remediation: Use CVSS scores and business context to determine urgency
• Track metrics: Monitor vulnerability trends over time
• Automate where possible: Use continuous monitoring tools for real-time visibility
• Perform remediation validation scans: Rescan after patches to confirm success
• Involve stakeholders: Keep management informed of vulnerability status and risks

Answering Exam Questions on Vulnerability Management and Scanning

Exam Tips: Answering Questions on Vulnerability Management and Scanning

Tip 1: Understand the Distinction Between Scanning and Management

Exam questions often test whether you know that scanning is just one part of vulnerability management. If a question asks about finding and fixing vulnerabilities systematically, it's asking about vulnerability management. If it specifically asks about automated probing for weaknesses, it's asking about scanning.

Example question type: "Which of the following is a continuous process that includes discovery, analysis, prioritization, remediation, and reporting?" Answer: Vulnerability management.

Tip 2: Know When to Use Credentialed vs. Non-Credentialed Scans

Pay attention to the context in the question:

• If the scenario describes testing external security or mimicking an attacker → non-credentialed scan
• If the scenario describes internal network assessment or getting comprehensive results → credentialed scan
• If the question asks what provides deeper, more accurate results → credentialed scan

Example: "A security team wants to assess what vulnerabilities an external attacker might find on their web server. Which type of scan should they perform?" Answer: Non-credentialed scan.

Tip 3: Recognize Common Scanning Tools and Their Purposes

The exam may mention specific tools. Know their general categories:

• Nessus, Qualys, OpenVAS: General network vulnerability scanners
• OWASP ZAP, Burp Suite: Web application specific
• MBSA: Windows patch and configuration focused

For exam purposes, if a question asks about a scanner for "network vulnerabilities," most answers like Nessus are correct. If it's specifically about web applications, it's likely OWASP ZAP or Burp Suite.

Tip 4: Prioritize Based on CVSS Scores and Business Context

Many questions test your understanding of remediation prioritization. Remember:

• Highest CVSS scores (9.0-10.0) get addressed first unless there's a business reason not to
• Systems with sensitive data get prioritized even if CVSS is slightly lower
• Internet-facing systems take priority over internal systems
• Known exploited vulnerabilities get priority over theoretical ones

Example question type: "Your scan found a critical vulnerability in an internal file server and a high-severity vulnerability in your e-commerce website. Which should you patch first?" Answer: The web server, because it's internet-facing and poses greater business risk.

Tip 5: Understand the Vulnerability Management Lifecycle

Questions often present a scenario and ask what step comes next:

1. Discovery → Analysis (What is the vulnerability?)
2. Analysis → Prioritization (How bad is it?)
3. Prioritization → Remediation (How do we fix it?)
4. Remediation → Verification (Did the fix work?)
5. Verification → Reporting (What did we accomplish?)

If a question states "The security team has identified 50 vulnerabilities through scanning," the next logical step is analysis and prioritization, not immediate remediation.

Tip 6: Know the Limitations and Cannot-Do Items

Exam questions test whether you understand what scanning cannot do:

• Scanning cannot detect zero-day vulnerabilities (previously unknown flaws)
• Scanning cannot detect business logic flaws (requires manual code review)
• Scanning results can include false positives (require verification)
• Scanning requires manual review and prioritization (cannot automate decision-making)

Example: "A new zero-day vulnerability is discovered in a widely-used library. Why wouldn't a vulnerability scan detect this?" Answer: Because zero-day vulnerabilities are not yet in the scanner's vulnerability database.

Tip 7: Distinguish Between Vulnerability Scanning and Other Security Activities

Exam questions may try to confuse different security practices:

• Vulnerability scanning ≠ Penetration testing (scanning is automated, pentest is manual and attempts exploitation)
• Vulnerability scanning ≠ Threat modeling (scanning finds vulnerabilities, threat modeling identifies attack vectors)
• Vulnerability management ≠ Incident response (management is prevention-focused, incident response is reaction)
• Vulnerability scanning ≠ Configuration management (scanning finds security issues, config management ensures standards)

Tip 8: Recognize Scan Frequency Questions

Questions about how often to scan typically follow this pattern:

• Critical systems (internet-facing, sensitive data): Continuously or weekly
• Important systems: Monthly
• Less critical systems: Quarterly
• After significant changes: Immediately

Example: "Your organization made significant updates to network infrastructure. When should vulnerability scanning be performed?" Answer: Immediately after the changes are implemented.

Tip 9: Understand Risk-Based Decision Making

Security+ expects you to think about vulnerability management in a risk context:

Risk = Likelihood × Impact

A vulnerability might have a lower CVSS score but higher business impact if it affects:

• Systems storing personally identifiable information (PII)
• Payment processing systems (PCI compliance)
• Healthcare systems (HIPAA compliance)
• Public-facing applications

Questions may present scenarios where you need to justify why a lower-scored vulnerability should be remediated before a higher-scored one based on business context.

Tip 10: Know the Difference Between Scan Types by Purpose

Be ready to match the right scan type to the scenario:

• Baseline scan: Initial comprehensive assessment
• Incremental scan: Periodic checks for new vulnerabilities
• Credentialed scan: Deep assessment with system access
• Non-credentialed scan: External perspective testing
• Authenticated scan: Same as credentialed
• Unauthenticated scan: Same as non-credentialed

Tip 11: Be Prepared for Integration Questions

Vulnerability scanning doesn't exist in isolation. Be ready for questions about how it integrates with:

• Patch Management: Scanning identifies what needs patching
• Change Management: System changes are followed by scans
• Asset Management: Inventory feeds scanning scope
• Risk Management: Scanning provides input for risk assessments
• Compliance: Scanning demonstrates regulatory compliance

Tip 12: Watch for Trick Questions About Completeness

The exam may ask whether vulnerability scanning alone is sufficient for security:

Answer: No, vulnerability scanning is necessary but not sufficient.

Additional security measures needed:

• Penetration testing (active exploitation attempts)
• Code review (identifies logic flaws)
• Security awareness training (addresses human factors)
• Incident response plans (handle actual breaches)
• Configuration management (prevents misconfigurations)

Common Exam Question Patterns

Pattern 1: "What should be done NEXT?"

These questions test understanding of the vulnerability management lifecycle. Look for the logical next step in the process.

Pattern 2: "Which tool is BEST for...?"

Match the tool to the specific need (network scanning, web apps, Windows systems, etc.).

Pattern 3: "Which vulnerability should be remediated FIRST?"

Consider CVSS score, system criticality, data sensitivity, and exploitability.

Pattern 4: "Why would scanning FAIL to detect...?"

Think about limitations: zero-day vulnerabilities, false negatives, outdated databases, false positives.

Pattern 5: "What CANNOT be done by scanning alone?"

Identifying zero-days, detecting business logic flaws, making remediation decisions, testing with exploitation.

Quick Reference for Exam Day

Credentialed Scans → Internal, deeper results, validated findings

Non-Credentialed Scans → External, realistic attacker view, trigger alerts

Critical/High CVSS → Patch immediately unless business constraints

Internet-Facing Systems → Scan frequently, remediate quickly

Zero-Day Vulnerabilities → Scanning cannot detect (by definition not yet known)

False Positives → Common, require verification before remediation

Scanning Frequency → Risk-based: critical weekly/continuous, standard monthly, less critical quarterly

Management ≠ Scanning → Scanning feeds into the larger management process

CVSS Scores → 9-10 Critical, 7-8.9 High, 4-6.9 Medium, 0.1-3.9 Low

Final Exam Preparation Tips

• Focus on concepts, not just tools: The exam tests understanding of vulnerability management principles, not memorization of specific tool interfaces
• Think about business context: Security+ questions often include business decision-making aspects
• Understand the "why" not just the "what": Know why vulnerability management matters, not just how to do it
• Remember: Scanning is a means, not an end: The goal is to reduce risk, not to run scans
• Practice with scenarios: Look for practice questions that present a situation and ask what should be done
• Study the CVSS framework: Understanding severity scoring is critical for many questions
• Know compliance requirements: Be aware that scanning is often mandated by regulations like PCI DSS, HIPAA, etc.